diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index cae74d63a4..dfaf5a09e2 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19929,6 +19929,11 @@ "source_path": "windows/client-management/mdm/wmi-providers-supported-in-windows.md", "redirect_url": "/windows/client-management/wmi-providers-supported-in-windows", "redirect_document_id": false + }, + { + "source_path": "windows/deployment/do/mcc-enterprise.md", + "redirect_url": "/windows/deployment/do/waas-microsoft-connected-cache", + "redirect_document_id": false }, { "source_path": "windows/client-management/advanced-troubleshooting-802-authentication.md", diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..e138ec5d6a --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,41 @@ + + +## Security + +Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/). + +If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below. + +## Reporting Security Issues + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report). + +If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey). + +You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). + +Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: + + * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) + * Full paths of source file(s) related to the manifestation of the issue + * The location of the affected source code (tag/branch/commit or direct URL) + * Any special configuration required to reproduce the issue + * Step-by-step instructions to reproduce the issue + * Proof-of-concept or exploit code (if possible) + * Impact of the issue, including how an attacker might exploit the issue + +This information will help us triage your report more quickly. + +If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs. + +## Preferred Languages + +We prefer all communications to be in English. + +## Policy + +Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd). + + diff --git a/education/windows/index.yml b/education/windows/index.yml index 8f01835c6d..a84e4b3961 100644 --- a/education/windows/index.yml +++ b/education/windows/index.yml @@ -7,7 +7,8 @@ metadata: title: Windows for Education documentation description: Learn about how to plan, deploy and manage Windows devices in an education environment with Microsoft Intune ms.topic: landing-page - ms.prod: windows + ms.prod: windows-client + ms.technology: itpro-edu ms.collection: - education - highpri diff --git a/images/grouppolicy-paste.png b/images/grouppolicy-paste.png new file mode 100644 index 0000000000..ba2de148f1 Binary files /dev/null and b/images/grouppolicy-paste.png differ diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index e13b0747f4..73c14c4195 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -1,25 +1,19 @@ ### YamlMime:Landing -title: Windows application management # < 60 chars -summary: Learn about managing applications in Windows client, including how to remove background task resource restrictions. # < 160 chars +title: Windows application management +summary: Learn about managing applications in Windows client, including how to remove background task resource restrictions. metadata: - title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about managing applications in Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required - ms.collection: - - windows-10 + title: Windows application management + description: Learn about managing applications in Windows 10 and Windows 11. + ms.topic: landing-page + ms.prod: windows-client + ms.collection: - highpri author: nicholasswhite ms.author: nwhite manager: aaroncz - ms.date: 08/24/2021 #Required; mm/dd/yyyy format. - ms.localizationpriority : medium - -# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + ms.date: 08/24/2021 landingContent: # Cards and links should be based on top customer tasks or top subjects diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md index a5dc882b93..ce77a2e025 100644 --- a/windows/client-management/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md @@ -8,7 +8,7 @@ ms.technology: itpro-manage author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 11/01/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz --- @@ -105,7 +105,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ 2. Find the variable names of the parameters in the ADMX file. - You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-configuration-service-provider.md#appvirtualization-publishingallowserver2). + You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2). ![Publishing server 2 policy description.](images/admx-appv-policy-description.png) diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml index 7fdf68a9fa..ff469792d0 100644 --- a/windows/client-management/index.yml +++ b/windows/client-management/index.yml @@ -6,12 +6,10 @@ summary: Find out how to apply custom configurations to Windows client devices. metadata: title: Manage Windows client # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about the administrative tools, tasks, and best practices for managing Windows clients across your enterprise. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required + ms.topic: landing-page + ms.prod: windows-client + ms.technology: itpro-manage ms.collection: - - windows-10 - highpri author: aczechowski ms.author: aaroncz diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index f0d3fb39b0..dd6034f807 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -1,445 +1,3100 @@ --- title: Defender CSP -description: Learn how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. -ms.reviewer: +description: Learn more about the Defender CSP +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 11/02/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 02/22/2022 +ms.topic: reference --- + + + # Defender CSP -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +The following example shows the Defender configuration service provider in tree format. -The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. - -The following example shows the Windows Defender configuration service provider in tree format. +```text +./Device/Vendor/MSFT/Defender +--- Configuration +------ AllowDatagramProcessingOnWinServer +------ AllowNetworkProtectionDownLevel +------ AllowNetworkProtectionOnWinServer +------ ASROnlyPerRuleExclusions +------ DataDuplicationDirectory +------ DataDuplicationRemoteLocation +------ DefaultEnforcement +------ DeviceControl +--------- PolicyGroups +------------ {GroupId} +--------------- GroupData +--------- PolicyRules +------------ {RuleId} +--------------- RuleData +------ DeviceControlEnabled +------ DisableCpuThrottleOnIdleScans +------ DisableDnsOverTcpParsing +------ DisableDnsParsing +------ DisableFtpParsing +------ DisableGradualRelease +------ DisableHttpParsing +------ DisableInboundConnectionFiltering +------ DisableLocalAdminMerge +------ DisableNetworkProtectionPerfTelemetry +------ DisableRdpParsing +------ DisableSshParsing +------ DisableTlsParsing +------ EnableDnsSinkhole +------ EnableFileHashComputation +------ EngineUpdatesChannel +------ ExcludedIpAddresses +------ HideExclusionsFromLocalAdmins +------ MeteredConnectionUpdates +------ PassiveRemediation +------ PauseUpdateExpirationTime +------ PauseUpdateFlag +------ PauseUpdateStartTime +------ PlatformUpdatesChannel +------ SchedulerRandomizationTime +------ SecurityIntelligenceUpdatesChannel +------ SupportLogLocation +------ TamperProtection +------ TDTFeatureEnabled +------ ThrottleForScheduledScanOnly +--- Detections +------ {ThreatId} +--------- Category +--------- CurrentStatus +--------- ExecutionStatus +--------- InitialDetectionTime +--------- LastThreatStatusChangeTime +--------- Name +--------- NumberOfDetections +--------- Severity +--------- URL +--- Health +------ ComputerState +------ DefenderEnabled +------ DefenderVersion +------ EngineVersion +------ FullScanOverdue +------ FullScanRequired +------ FullScanSigVersion +------ FullScanTime +------ IsVirtualMachine +------ NisEnabled +------ ProductStatus +------ QuickScanOverdue +------ QuickScanSigVersion +------ QuickScanTime +------ RebootRequired +------ RtpEnabled +------ SignatureOutOfDate +------ SignatureVersion +------ TamperProtectionEnabled +--- OfflineScan +--- RollbackEngine +--- RollbackPlatform +--- Scan +--- UpdateSignature ``` -./Vendor/MSFT -Defender -----Detections ---------ThreatId -------------Name -------------URL -------------Severity -------------Category -------------CurrentStatus -------------ExecutionStatus -------------InitialDetectionTime -------------LastThreatStatusChangeTime -------------NumberOfDetections -----EnableNetworkProtection ---------AllowNetworkProtectionDownLevel ---------AllowNetworkProtectionOnWinServer ---------DisableNetworkProtectionPerfTelemetry ---------DisableDatagramProcessing ---------DisableInboundConnectionFiltering ---------EnableDnsSinkhole ---------DisableDnsOverTcpParsing ---------DisableHttpParsing ---------DisableRdpParsing ---------DisableSshParsing ---------DisableTlsParsing -----Health ---------ProductStatus (Added in Windows 10 version 1809) ---------ComputerState ---------DefenderEnabled ---------RtpEnabled ---------NisEnabled ---------QuickScanOverdue ---------FullScanOverdue ---------SignatureOutOfDate ---------RebootRequired ---------FullScanRequired ---------EngineVersion ---------SignatureVersion ---------DefenderVersion ---------QuickScanTime ---------FullScanTime ---------QuickScanSigVersion ---------FullScanSigVersion ---------TamperProtectionEnabled (Added in Windows 10, version 1903) ---------IsVirtualMachine (Added in Windows 10, version 1903) -----Configuration (Added in Windows 10, version 1903) ---------TamperProtection (Added in Windows 10, version 1903) ---------EnableFileHashComputation (Added in Windows 10, version 1903) ---------SupportLogLocation (Added in the next major release of Windows 10) ---------PlatformUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) ---------EngineUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) ---------SecurityIntelligenceUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) ---------DisableGradualRelease (Added with the 4.18.2106.5 Defender platform release) ---------PassiveRemediation (Added with the 4.18.2202.X Defender platform release) -----Scan -----UpdateSignature -----OfflineScan (Added in Windows 10 version 1803) + + + +## Configuration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration ``` -**Detections** + + + +An interior node to group Windows Defender configuration information. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Configuration/AllowDatagramProcessingOnWinServer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/AllowDatagramProcessingOnWinServer +``` + + + +This settings controls whether Network Protection is allowed to enable datagram processing on Windows Server. If false, the value of DisableDatagramProcessing will be ignored and default to disabling Datagram inspection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Datagram processing on Windows Server is enabled. | +| 0 | Datagram processing on Windows Server is disabled. | + + + + + + + + + +### Configuration/AllowNetworkProtectionDownLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/AllowNetworkProtectionDownLevel +``` + + + +This settings controls whether Network Protection is allowed to be configured into block or audit mode on windows downlevel of RS3. If false, the value of EnableNetworkProtection will be ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Network protection will be enabled downlevel. | +| 0 | Network protection will be disabled downlevel. | + + + + + + + + + +### Configuration/AllowNetworkProtectionOnWinServer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/AllowNetworkProtectionOnWinServer +``` + + + +This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Allow | +| 0 | Disallow | + + + + + + + + + +### Configuration/ASROnlyPerRuleExclusions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/ASROnlyPerRuleExclusions +``` + + + +Apply ASR only per rule exclusions. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/DataDuplicationDirectory + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationDirectory +``` + + + +Define data duplication directory for device control. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/DataDuplicationRemoteLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationRemoteLocation +``` + + + +Define data duplication remote location for device control. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/DefaultEnforcement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DefaultEnforcement +``` + + + +Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Default Allow Enforcement | +| 2 | Default Deny Enforcement | + + + + + + + + + +### Configuration/DeviceControl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### Configuration/DeviceControl/PolicyGroups + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### Configuration/DeviceControl/PolicyGroups/{GroupId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/{GroupId} +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### Configuration/DeviceControl/PolicyGroups/{GroupId}/GroupData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/{GroupId}/GroupData +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Configuration/DeviceControl/PolicyRules + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### Configuration/DeviceControl/PolicyRules/{RuleId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/{RuleId} +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### Configuration/DeviceControl/PolicyRules/{RuleId}/RuleData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/{RuleId}/RuleData +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/DeviceControlEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControlEnabled +``` + + + +Control Device Control feature. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | | +| 0 | | + + + + + + + + + +### Configuration/DisableCpuThrottleOnIdleScans + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableCpuThrottleOnIdleScans +``` + + + +Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Disable CPU Throttle on idle scans | +| 0 | Enable CPU Throttle on idle scans | + + + + + + + + + +### Configuration/DisableDnsOverTcpParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableDnsOverTcpParsing +``` + + + +This setting disables DNS over TCP Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | DNS over TCP parsing is disabled | +| 0 (Default) | DNS over TCP parsing is enabled | + + + + + + + + + +### Configuration/DisableDnsParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableDnsParsing +``` + + + +This setting disables DNS Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | DNS parsing is disabled | +| 0 (Default) | DNS parsing is enabled | + + + + + + + + + +### Configuration/DisableFtpParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableFtpParsing +``` + + + +This setting disables FTP Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | FTP parsing is disabled | +| 0 (Default) | FTP parsing is enabled | + + + + + + + + + +### Configuration/DisableGradualRelease + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableGradualRelease +``` + + + +Enable this policy to disable gradual rollout of Defender updates. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Gradual release is disabled | +| 0 | Gradual release is enabled | + + + + + + + + + +### Configuration/DisableHttpParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableHttpParsing +``` + + + +This setting disables HTTP Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | HTTP parsing is disabled | +| 0 (Default) | HTTP parsing is enabled | + + + + + + + + + +### Configuration/DisableInboundConnectionFiltering + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableInboundConnectionFiltering +``` + + + +This setting disables Inbound connection filtering for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Inbound connection filtering is disabled | +| 0 | Inbound connection filtering is enabled | + + + + + + + + + +### Configuration/DisableLocalAdminMerge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableLocalAdminMerge +``` + + + +When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Disable Local Admin Merge | +| 0 | Enable Local Admin Merge | + + + + + + + + + +### Configuration/DisableNetworkProtectionPerfTelemetry + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableNetworkProtectionPerfTelemetry +``` + + + +This setting disables the gathering and send of performance telemetry from Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Network protection telemetry is disabled | +| 0 | Network protection telemetry is enabled | + + + + + + + + + +### Configuration/DisableRdpParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableRdpParsing +``` + + + +This setting disables RDP Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | RDP Parsing is disabled | +| 0 | RDP Parsing is enabled | + + + + + + + + + +### Configuration/DisableSshParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableSshParsing +``` + + + +This setting disables SSH Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | SSH parsing is disabled | +| 0 (Default) | SSH parsing is enabled | + + + + + + + + + +### Configuration/DisableTlsParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableTlsParsing +``` + + + +This setting disables TLS Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | TLS parsing is disabled | +| 0 (Default) | TLS parsing is enabled | + + + + + + + + + +### Configuration/EnableDnsSinkhole + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/EnableDnsSinkhole +``` + + + +This setting enables the DNS Sinkhole feature for Network Protection, respecting the value of EnableNetworkProtection for block vs audit, does nothing in inspect mode. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | DNS Sinkhole is disabled | +| 0 | DNS Sinkhole is enabled | + + + + + + + + + +### Configuration/EnableFileHashComputation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/EnableFileHashComputation +``` + + + +Enables or disables file hash computation feature. When this feature is enabled Windows defender will compute hashes for files it scans. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disable | +| 1 | Enable | + + + + + + + + + +### Configuration/EngineUpdatesChannel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/EngineUpdatesChannel +``` + + + +Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | +| 2 | Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. | +| 3 | Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. | +| 4 | Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). | +| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). | +| 6 | Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only. | + + + + + + + + + +### Configuration/ExcludedIpAddresses + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/ExcludedIpAddresses +``` + + + +This node contains a list of values specifying any IP addresses that wdnisdrv will ignore when intercepting traffic. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + + + + + + + + + +### Configuration/HideExclusionsFromLocalAdmins + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/HideExclusionsFromLocalAdmins +``` + + + +This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled. + + + + +> [!NOTE] +> Applying this setting won't remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in Get-MpPreference. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell. | +| 0 | If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell. | + + + + + + + + + +### Configuration/MeteredConnectionUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/MeteredConnectionUpdates +``` + + + +Allow managed devices to update through metered connections. Default is 0 - not allowed, 1 - allowed + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Allowed | +| 0 (Default) | Not Allowed | + + + + + + + + + +### Configuration/PassiveRemediation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/PassiveRemediation +``` + + + +Setting to control automatic remediation for Sense scans. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Flag | Description | +|:--|:--| +| 0x1 | PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation | +| 0x2 | PASSIVE_REMEDIATION_FLAG_RTP_AUDIT: Passive Remediation Realtime Protection Audit | +| 0x4 | PASSIVE_REMEDIATION_FLAG_RTP_REMEDIATION: Passive Remediation Realtime Protection Remediation | + + + + + + + + + +### Configuration/PauseUpdateExpirationTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateExpirationTime +``` + + + +Pause update until the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/PauseUpdateFlag + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateFlag +``` + + + +Setting to control automatic remediation for Sense scans. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Update not paused | +| 1 | Update paused | + + + + + + + + + +### Configuration/PauseUpdateStartTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateStartTime +``` + + + +Pause update from the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/PlatformUpdatesChannel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/PlatformUpdatesChannel +``` + + + +Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | +| 2 | Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. | +| 3 | Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. | +| 4 | Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). | +| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). | +| 6 | Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only. | + + + + + + + + + +### Configuration/SchedulerRandomizationTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/SchedulerRandomizationTime +``` + + + +This setting allows you to configure the scheduler randomization in hours. The randomization interval is [1 - 23] hours. For more information on the randomization effect please check the RandomizeScheduleTaskTimes setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-23]` | +| Default Value | 4 | + + + + + + + + + +### Configuration/SecurityIntelligenceUpdatesChannel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/SecurityIntelligenceUpdatesChannel +``` + + + +Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | +| 4 | Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). | +| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). | + + + + + + + + + +### Configuration/SupportLogLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/SupportLogLocation +``` + + + +The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (MpCmdRun.exe) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise. + + + + +Intune Support Log Location setting UI supports three states: + +- Not configured (default) - Doesn't have any impact on the default state of the device. +- 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path. +- 0 - Disabled. Turns off the Support log location feature. + +When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. + +More details: + +- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) +- [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/TamperProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/TamperProtection +``` + + + +Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. The data type is a Signed blob. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/TDTFeatureEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/TDTFeatureEnabled +``` + + + +This policy setting configures the integration level for Intel TDT integration for Intel TDT-capable devices. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | If you do not configure this setting, the default value will be applied. The default value is set to control by signatures. TDT will be enabled based on particular signatures that are released by Microsoft. | +| 2 | If you configure this setting to disabled, Intel TDT integration will be turned off. | + + + + + + + + + +### Configuration/ThrottleForScheduledScanOnly + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/ThrottleForScheduledScanOnly +``` + + + +A CPU usage limit can be applied to scheduled scans only, or to scheduled and custom scans. The default value applies a CPU usage limit to scheduled scans only. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | If you enable this setting, CPU throttling will apply only to scheduled scans. | +| 0 | If you disable this setting, CPU throttling will apply to scheduled and custom scans. | + + + + + + + + + +## Detections + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Detections +``` + + + An interior node to group all threats detected by Windows Defender. + -Supported operation is Get. + + + -**Detections/***ThreatId* + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Detections/{ThreatId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId} +``` + + + The ID of a threat that has been detected by Windows Defender. + -Supported operation is Get. + + + -**Detections/*ThreatId*/Name** -The name of the specific threat. + +**Description framework properties**: -The data type is a string. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + -Supported operation is Get. + + + -**Detections/*ThreatId*/URL** -URL link for more threat information. + -The data type is a string. + +#### Detections/{ThreatId}/Category -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**Detections/*ThreatId*/Severity** -Threat severity ID. + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/Category +``` + -The data type is integer. + +Threat category ID. Supported values: -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 0 | Invalid | +| 1 | Adware | +| 2 | Spyware | +| 3 | Password stealer | +| 4 | Trojan downloader | +| 5 | Worm | +| 6 | Backdoor | +| 7 | Remote access Trojan | +| 8 | Trojan | +| 9 | Email flooder | +| 10 | Keylogger | +| 11 | Dialer | +| 12 | Monitoring software | +| 13 | Browser modifier | +| 14 | Cookie | +| 15 | Browser plugin | +| 16 | AOL exploit | +| 17 | Nuker | +| 18 | Security disabler | +| 19 | Joke program | +| 20 | Hostile ActiveX control | +| 21 | Software bundler | +| 22 | Stealth modifier | +| 23 | Settings modifier | +| 24 | Toolbar | +| 25 | Remote control software | +| 26 | Trojan FTP | +| 27 | Potential unwanted software | +| 28 | ICQ exploit | +| 29 | Trojan telnet | +| 30 | Exploit | +| 31 | File sharing program | +| 32 | Malware creation tool | +| 33 | Remote control software | +| 34 | Tool | +| 36 | Trojan denial of service | +| 37 | Trojan dropper | +| 38 | Trojan mass mailer | +| 39 | Trojan monitoring software | +| 40 | Trojan proxy server | +| 42 | Virus | +| 43 | Known | +| 44 | Unknown | +| 45 | SPP | +| 46 | Behavior | +| 47 | Vulnerability | +| 48 | Policy | +| 49 | EUS (Enterprise Unwanted Software) | +| 50 | Ransomware | +| 51 | ASR Rule | + -- 0 = Unknown -- 1 = Low -- 2 = Moderate -- 4 = High -- 5 = Severe + + + -Supported operation is Get. + +**Description framework properties**: -**Detections/*ThreatId*/Category** -Threat category ID. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -The data type is integer. + + + -The following table describes the supported values: -

+ -| Value | Description | -|-------|-----------------------------| -| 0 | Invalid | -| 1 | Adware | -| 2 | Spyware | -| 3 | Password stealer | -| 4 | Trojan downloader | -| 5 | Worm | -| 6 | Backdoor | -| 7 | Remote access Trojan | -| 8 | Trojan | -| 9 | Email flooder | -| 10 | Key logger | -| 11 | Dialer | -| 12 | Monitoring software | -| 13 | Browser modifier | -| 14 | Cookie | -| 15 | Browser plugin | -| 16 | AOL exploit | -| 17 | Nuker | -| 18 | Security disabler | -| 19 | Joke program | -| 20 | Hostile ActiveX control | -| 21 | Software bundler | -| 22 | Stealth modifier | -| 23 | Settings modifier | -| 24 | Toolbar | -| 25 | Remote control software | -| 26 | Trojan FTP | -| 27 | Potential unwanted software | -| 28 | ICQ exploit | -| 29 | Trojan telnet | -| 30 | Exploit | -| 31 | File sharing program | -| 32 | Malware creation tool | -| 33 | Remote control software | -| 34 | Tool | -| 36 | Trojan denial of service | -| 37 | Trojan dropper | -| 38 | Trojan mass mailer | -| 39 | Trojan monitoring software | -| 40 | Trojan proxy server | -| 42 | Virus | -| 43 | Known | -| 44 | Unknown | -| 45 | SPP | -| 46 | Behavior | -| 47 | Vulnerability | -| 48 | Policy | -| 49 | EUS (Enterprise Unwanted Software)| -| 50 | Ransomware | -| 51 | ASR Rule | + +#### Detections/{ThreatId}/CurrentStatus -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**Detections/*ThreatId*/CurrentStatus** -Information about the current status of the threat. + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/CurrentStatus +``` + -The data type is integer. + +Information about the current status of the threat. The following list shows the supported values: -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 0 | Active | +| 1 | Action failed | +| 2 | Manual steps required | +| 3 | Full scan required | +| 4 | Reboot required | +| 5 | Remediated with noncritical failures | +| 6 | Quarantined | +| 7 | Removed | +| 8 | Cleaned | +| 9 | Allowed | +| 10 | No Status ( Cleared) | + -- 0 = Active -- 1 = Action failed -- 2 = Manual steps required -- 3 = Full scan required -- 4 = Reboot required -- 5 = Remediated with noncritical failures -- 6 = Quarantined -- 7 = Removed -- 8 = Cleaned -- 9 = Allowed -- 10 = No Status (Cleared) + + + -Supported operation is Get. + +**Description framework properties**: -**Detections/*ThreatId*/CurrentStatus** -Information about the current status of the threat. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -The data type is integer. + + + -The following list shows the supported values: + -- 0 = Active -- 1 = Action failed -- 2 = Manual steps required -- 3 = Full scan required -- 4 = Reboot required -- 5 = Remediated with noncritical failures -- 6 = Quarantined -- 7 = Removed -- 8 = Cleaned -- 9 = Allowed -- 10 = No Status (Cleared) + +#### Detections/{ThreatId}/ExecutionStatus -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**Detections/*ThreatId*/ExecutionStatus** + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/ExecutionStatus +``` + + + Information about the execution status of the threat. + -The data type is integer. + + + -The following list shows the supported values: + +**Description framework properties**: -- 0 = Unknown -- 1 = Blocked -- 2 = Allowed -- 3 = Running -- 4 = Not running +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -Supported operation is Get. + + + -**Detections/*ThreatId*/InitialDetectionTime** + + + +#### Detections/{ThreatId}/InitialDetectionTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/InitialDetectionTime +``` + + + The first time this particular threat was detected. + -The data type is a string. + + + -Supported operation is Get. + +**Description framework properties**: -**Detections/*ThreatId*/LastThreatStatusChangeTime** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Detections/{ThreatId}/LastThreatStatusChangeTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/LastThreatStatusChangeTime +``` + + + The last time this particular threat was changed. + -The data type is a string. + + + -Supported operation is Get. + +**Description framework properties**: -**Detections/*ThreatId*/NumberOfDetections** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Detections/{ThreatId}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/Name +``` + + + +The name of the specific threat. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Detections/{ThreatId}/NumberOfDetections + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/NumberOfDetections +``` + + + Number of times this threat has been detected on a particular client. + -The data type is integer. + + + -Supported operation is Get. + +**Description framework properties**: -**EnableNetworkProtection** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -The Network Protection Service is a network filter that helps to protect you against web-based malicious threats, including phishing and malware. The Network Protection service contacts the SmartScreen URL reputation service to validate the safety of connections to web resources. -The acceptable values for this parameter are: -- 0: Disabled. The Network Protection service won't block navigation to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections. -- 1: Enabled. The Network Protection service will block connections to malicious websites based on URL Reputation from the SmartScreen URL reputation service. -- 2: AuditMode. As above, but the Network Protection service won't block connections to malicious websites, but will instead log the access to the event log. + + + -Accepted values: Disabled, Enabled, and AuditMode -Position: Named -Default value: Disabled -Accept pipeline input: False -Accept wildcard characters: False + -**EnableNetworkProtection/AllowNetworkProtectionDownLevel** + +#### Detections/{ThreatId}/Severity -By default, network protection isn't allowed to be enabled on Windows versions before 1709, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode. -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**EnableNetworkProtection/AllowNetworkProtectionOnWinServer** + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/Severity +``` + -By default, network protection isn't allowed to be enabled on Windows Server, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode. + +Threat severity ID. The following list shows the supported values: -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False +| Value | Description | +|:--|:--| +| 0 | Unknown | +| 1 | Low | +| 2 | Moderate | +| 4 | High | +| 5 | Severe | + -**EnableNetworkProtection/DisableNetworkProtectionPerfTelemetry** + + + -Network Protection sends up anonymized performance statistics about its connection monitoring to improve our product and help to find bugs. You can disable this behavior by setting this configuration to "$true". + +**Description framework properties**: -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -**EnableNetworkProtection/DisableDatagramProcessing** + + + -Network Protection inspects UDP connections allowing us to find malicious DNS or other UDP Traffic. To disable this functionality, set this configuration to "$true". + -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False + +#### Detections/{ThreatId}/URL -**EnableNetworkProtection/DisableInboundConnectionFiltering** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Network Protection inspects and can block both connections that originate from the host machine, and those connections that originate from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true". + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/URL +``` + -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False + +URL link for additional threat information. + -**EnableNetworkProtection/EnableDnsSinkhole** + + + -Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sink hole DNS exfiltration attempts and other DNS-based malicious attacks. Set this configuration to "$true" to enable this feature. + +**Description framework properties**: -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -**EnableNetworkProtection/DisableDnsOverTcpParsing** + + + -Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This attribute can be disabled by setting this value to "$true". + -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False + +## Health -**EnableNetworkProtection/DisableDnsParsing** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This attribute can be disabled by setting this value to "$true". + +```Device +./Device/Vendor/MSFT/Defender/Health +``` + -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False - -**EnableNetworkProtection/DisableHttpParsing** - -Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". - -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False - -**EnableNetworkProtection/DisableRdpParsing** - -Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true". - -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False - -**EnableNetworkProtection/DisableSshParsing** - -Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true". - -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False - -**EnableNetworkProtection/DisableTlsParsing** - -Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". - -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False - -**Health** + An interior node to group information about Windows Defender health status. + -Supported operation is Get. + + + -**Health/ProductStatus** -Added in Windows 10, version 1809. Provide the current state of the product. This value is a bitmask flag value that can represent one or multiple product states from below list. + +**Description framework properties**: -The data type is integer. Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Supported product status values: -- No status = 0 -- Service not running = 1 << 0 -- Service started without any malware protection engine = 1 << 1 -- Pending full scan due to threat action = 1 << 2 -- Pending reboot due to threat action = 1 << 3 -- ending manual steps due to threat action = 1 << 4 -- AV signatures out of date = 1 << 5 -- AS signatures out of date = 1 << 6 -- No quick scan has happened for a specified period = 1 << 7 -- No full scan has happened for a specified period = 1 << 8 -- System initiated scan in progress = 1 << 9 -- System initiated clean in progress = 1 << 10 -- There are samples pending submission = 1 << 11 -- Product running in evaluation mode = 1 << 12 -- Product running in non-genuine Windows mode = 1 << 13 -- Product expired = 1 << 14 -- Off-line scan required = 1 << 15 -- Service is shutting down as part of system shutdown = 1 << 16 -- Threat remediation failed critically = 1 << 17 -- Threat remediation failed non-critically = 1 << 18 -- No status flags set (well-initialized state) = 1 << 19 -- Platform is out of date = 1 << 20 -- Platform update is in progress = 1 << 21 -- Platform is about to be outdated = 1 << 22 -- Signature or platform end of life is past or is impending = 1 << 23 -- Windows SMode signatures still in use on non-Win10S install = 1 << 24 + + + -Example: + + + +### Health/ComputerState + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/ComputerState +``` + + + +Provide the current state of the device. The following list shows the supported values: + +| Value | Description | +|:--|:--| +| 0 | Clean | +| 1 | Pending full scan | +| 2 | Pending reboot | +| 4 | Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan) | +| 8 | Pending offline scan | +| 16 | Pending critical failure (Windows Defender has failed critically and an Administrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender) | + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### Health/DefenderEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/DefenderEnabled +``` + + + +Indicates whether the Windows Defender service is running. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/DefenderVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/DefenderVersion +``` + + + +Version number of Windows Defender on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/EngineVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/EngineVersion +``` + + + +Version number of the current Windows Defender engine on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/FullScanOverdue + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/FullScanOverdue +``` + + + +Indicates whether a Windows Defender full scan is overdue for the device. A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and catchup Full scans are disabled (default). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/FullScanRequired + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/FullScanRequired +``` + + + +Indicates whether a Windows Defender full scan is required. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/FullScanSigVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/FullScanSigVersion +``` + + + +Signature version used for the last full scan of the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/FullScanTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/FullScanTime +``` + + + +Time of the last Windows Defender full scan of the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/IsVirtualMachine + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/IsVirtualMachine +``` + + + +Indicates whether the device is a virtual machine. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/NisEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/NisEnabled +``` + + + +Indicates whether network protection is running. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/ProductStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/ProductStatus +``` + + + +Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. Supported product status values: + +| Value | Description | +|:--|:--| +| 0 | No status | +| 1 (1 << 0) | Service not running | +| 2 (1 << 1) | Service started without any malware protection engine | +| 4 (1 << 2) | Pending full scan due to threat action | +| 8 (1 << 3) | Pending reboot due to threat action | +| 16 (1 << 4) | ending manual steps due to threat action | +| 32 (1 << 5) | AV signatures out of date | +| 64 (1 << 6) | AS signatures out of date | +| 128 (1 << 7) | No quick scan has happened for a specified period | +| 256 (1 << 8) | No full scan has happened for a specified period | +| 512 (1 << 9) | System initiated scan in progress | +| 1024 (1 << 10) | System initiated clean in progress | +| 2048 (1 << 11) | There are samples pending submission | +| 4096 (1 << 12) | Product running in evaluation mode | +| 8192 (1 << 13) | Product running in non-genuine Windows mode | +| 16384 (1 << 14) | Product expired | +| 32768 (1 << 15) | Off-line scan required | +| 65536 (1 << 16) | Service is shutting down as part of system shutdown | +| 131072 (1 << 17) | Threat remediation failed critically | +| 262144 (1 << 18) | Threat remediation failed non-critically | +| 524288 (1 << 19) | No status flags set (well initialized state) | +| 1048576 (1 << 20) | Platform is out of date | +| 2097152 (1 << 21) | Platform update is in progress | +| 4194304 (1 << 22) | Platform is about to be outdated | +| 8388608 (1 << 23) | Signature or platform end of life is past or is impending | +| 16777216 (1 << 24) | Windows SMode signatures still in use on non-Win10S install | + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + +**Example**: ```xml @@ -456,421 +3111,522 @@ Example: ``` + -**Health/ComputerState** -Provide the current state of the device. + -The data type is integer. + +### Health/QuickScanOverdue -The following list shows the supported values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -- 0 = Clean -- 1 = Pending full scan -- 2 = Pending reboot -- 4 = Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan) -- 8 = Pending offline scan -- 16 = Pending critical failure (Windows Defender has failed critically and an Administrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender) + +```Device +./Device/Vendor/MSFT/Defender/Health/QuickScanOverdue +``` + -Supported operation is Get. + +Indicates whether a Windows Defender quick scan is overdue for the device. A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and catchup Quick scans are disabled (default). + -**Health/DefenderEnabled** -Indicates whether the Windows Defender service is running. + + + -The data type is a Boolean. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + -**Health/RtpEnabled** -Indicates whether real-time protection is running. + + + -The data type is a Boolean. + -Supported operation is Get. + +### Health/QuickScanSigVersion -**Health/NisEnabled** -Indicates whether network protection is running. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -The data type is a Boolean. + +```Device +./Device/Vendor/MSFT/Defender/Health/QuickScanSigVersion +``` + -Supported operation is Get. - -**Health/QuickScanOverdue** -Indicates whether a Windows Defender quick scan is overdue for the device. - -A Quick scan is overdue when a scheduled Quick scan didn't complete successfully for 2 weeks and [catchup Quick scans](./policy-csp-defender.md#defender-disablecatchupquickscan) are disabled (default). - -The data type is a Boolean. - -Supported operation is Get. - -**Health/FullScanOverdue** -Indicates whether a Windows Defender full scan is overdue for the device. - -A Full scan is overdue when a scheduled Full scan didn't complete successfully for 2 weeks and [catchup Full scans](./policy-csp-defender.md#defender-disablecatchupfullscan) are disabled (default). - -The data type is a Boolean. - -Supported operation is Get. - -**Health/SignatureOutOfDate** -Indicates whether the Windows Defender signature is outdated. - -The data type is a Boolean. - -Supported operation is Get. - -**Health/RebootRequired** -Indicates whether a device reboot is needed. - -The data type is a Boolean. - -Supported operation is Get. - -**Health/FullScanRequired** -Indicates whether a Windows Defender full scan is required. - -The data type is a Boolean. - -Supported operation is Get. - -**Health/EngineVersion** -Version number of the current Windows Defender engine on the device. - -The data type is a string. - -Supported operation is Get. - -**Health/SignatureVersion** -Version number of the current Windows Defender signatures on the device. - -The data type is a string. - -Supported operation is Get. - -**Health/DefenderVersion** -Version number of Windows Defender on the device. - -The data type is a string. - -Supported operation is Get. - -**Health/QuickScanTime** -Time of the last Windows Defender quick scan of the device. - -The data type is a string. - -Supported operation is Get. - -**Health/FullScanTime** -Time of the last Windows Defender full scan of the device. - -The data type is a string. - -Supported operation is Get. - -**Health/QuickScanSigVersion** + Signature version used for the last quick scan of the device. + -The data type is a string. + + + -Supported operation is Get. - -**Health/FullScanSigVersion** -Signature version used for the last full scan of the device. - -The data type is a string. - -Supported operation is Get. - -**Health/TamperProtectionEnabled** -Indicates whether the Windows Defender tamper protection feature is enabled.​ - -The data type is a Boolean. - -Supported operation is Get. - -**Health/IsVirtualMachine** -Indicates whether the device is a virtual machine. - -The data type is a string. - -Supported operation is Get. - -**Configuration** -An interior node to group Windows Defender configuration information. - -Supported operation is Get. - -**Configuration/TamperProtection** - -Tamper protection helps protect important security features from unwanted changes and interference. This protection includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. - - -Send off blob to device to reset the tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. - -The data type is a Signed BLOB. - -Supported operations are Add, Delete, Get, Replace. - -Intune tamper protection setting UX supports three states: -- Not configured (default): Doesn't have any impact on the default state of the device. -- Enabled: Enables the tamper protection feature. -- Disabled: Turns off the tamper protection feature. - -When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. - -**Configuration/DisableLocalAdminMerge**
-This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusion list. - -If you disable or don't configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. If conflicts occur, management settings will override preference settings. - -If you enable this setting, only items defined by management will be used in the resulting effective policy. Managed settings will override preference settings configured by the local administrator. - -> [!NOTE] -> Applying this setting won't remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in **Get-MpPreference**. - -Supported OS versions: Windows 10 - -The data type is integer. - -Supported operations are Add, Delete, Get, Replace. - -Valid values are: -- 1 – Enable. -- 0 (default) – Disable. - -**Configuration/HideExclusionsFromLocalAdmins**
- -This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that aren't Local Admins) exclusions aren't visible, whether or not this setting is enabled. - -If you disable or don't configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell. - -If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app, in the registry, or via PowerShell. - -> [!NOTE] -> Applying this setting won't remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**. - -Supported OS versions: Windows 10 - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 1 – Enable. -- 0 (default) – Disable. - -**Configuration/DisableCpuThrottleOnIdleScans**
- -Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag will have no impact and normal throttling will occur. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 1 (default) – Enable. -- 0 – Disable. - -**Configuration/MeteredConnectionUpdates**
-Allow managed devices to update through metered connections. Data charges may apply. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 1 – Enable. -- 0 (default) – Disable. - -**Configuration/AllowNetworkProtectionOnWinServer**
-This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 1 – Enable. -- 0 (default) – Disable. - -**Configuration/ExclusionIpAddress**
-Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses. - -The data type is string. - -Supported operations are Add, Delete, Get, and Replace. - -**Configuration/EnableFileHashComputation** -Enables or disables file hash computation feature. -When this feature is enabled, Windows Defender will compute hashes for files it scans. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 1 – Enable. -- 0 (default) – Disable. - -**Configuration/SupportLogLocation** -The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (**MpCmdRun.exe**) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise. - -Data type is string. - -Supported operations are Add, Delete, Get, and Replace. - -Intune Support log location setting UX supports three states: - -- Not configured (default) - Doesn't have any impact on the default state of the device. -- 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path. -- 0 - Disabled. Turns off the Support log location feature. - -When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. - -More details: - -- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) -- [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) - -**Configuration/PlatformUpdatesChannel** -Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. - -Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - -Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - -Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%). - -Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - -Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only - -If you disable or don't configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 0: Not configured (Default) -- 2: Beta Channel - Prerelease -- 3: Current Channel (Preview) -- 4: Current Channel (Staged) -- 5: Current Channel (Broad) -- 6: Critical- Time Delay - - -More details: - -- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) -- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) - -**Configuration/EngineUpdatesChannel** -Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. - -Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - -Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - -Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%). - -Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - -Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only - -If you disable or don't configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 0: Not configured (Default) -- 2: Beta Channel - Prerelease -- 3: Current Channel (Preview) -- 4: Current Channel (Staged) -- 5: Current Channel (Broad) -- 6: Critical- Time Delay - -More details: - -- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) -- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) - -**Configuration/SecurityIntelligenceUpdatesChannel** -Enable this policy to specify when devices receive daily Microsoft Defender security intelligence (definition) updates during the daily gradual rollout. - -Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). - -Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - -If you disable or don't configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. - -The data type is integer. -Supported operations are Add, Delete, Get, and Replace. - -Valid Values are: -- 0: Not configured (Default) -- 4: Current Channel (Staged) -- 5: Current Channel (Broad) - -More details: - -- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) -- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) - -**Configuration/DisableGradualRelease** -Enable this policy to disable gradual rollout of monthly and daily Microsoft Defender updates. -Devices will be offered all Microsoft Defender updates after the gradual release cycle completes. This facility for devices is best for datacenters that only receive limited updates. - -> [!NOTE] -> This setting applies to both monthly as well as daily Microsoft Defender updates and will override any previously configured channel selections for platform and engine updates. - -If you disable or don't configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 1 – Enabled. -- 0 (default) – Not Configured. - -More details: - -- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) -- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) - -**Configuration/PassiveRemediation** -This policy setting enables or disables EDR in block mode (recommended for devices running Microsoft Defender Antivirus in passive mode). For more information, see Endpoint detection and response in block mode | Microsoft Docs. Available with platform release: 4.18.2202.X - -The data type is integer - -Supported values: -- 1: Turn EDR in block mode on -- 0: Turn EDR in block mode off - - -**Scan** + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/QuickScanTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/QuickScanTime +``` + + + +Time of the last Windows Defender quick scan of the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/RebootRequired + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/RebootRequired +``` + + + +Indicates whether a device reboot is needed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/RtpEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/RtpEnabled +``` + + + +Indicates whether real-time protection is running. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/SignatureOutOfDate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/SignatureOutOfDate +``` + + + +Indicates whether the Windows Defender signature is outdated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/SignatureVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/SignatureVersion +``` + + + +Version number of the current Windows Defender signatures on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/TamperProtectionEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/TamperProtectionEnabled +``` + + + +Indicates whether the Windows Defender tamper protection feature is enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +## OfflineScan + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/OfflineScan +``` + + + +OfflineScan action starts a Microsoft Defender Offline scan on the computer where you run the command. After the next OS reboot, the device will start in Microsoft Defender Offline mode to begin the scan. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | +| Reboot Behavior | ServerInitiated | + + + + + + + + + +## RollbackEngine + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/RollbackEngine +``` + + + +RollbackEngine action rolls back Microsoft Defender engine to it's last known good saved version on the computer where you run the command. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | +| Reboot Behavior | ServerInitiated | + + + + + + + + + +## RollbackPlatform + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/RollbackPlatform +``` + + + +RollbackPlatform action rolls back Microsoft Defender to it's last known good installation location on the computer where you run the command. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | +| Reboot Behavior | ServerInitiated | + + + + + + + + + +## Scan + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Scan +``` + + + Node that can be used to start a Windows Defender scan on a device. + -Valid values are: -- 1 - quick scan -- 2 - full scan + + + -Supported operations are Get and Execute. + +**Description framework properties**: -**UpdateSignature** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | quick scan | +| 2 | full scan | + + + + + + + + + +## UpdateSignature + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/UpdateSignature +``` + + + Node that can be used to perform signature updates for Windows Defender. + -Supported operations are Get and Execute. + + + -**OfflineScan** -Added in Windows 10, version 1803. OfflineScan action starts a Microsoft Defender Offline scan on the computer where you run the command. After the next OS reboot, the device will start in Microsoft Defender Offline mode to begin the scan. + +**Description framework properties**: -Supported operations are Get and Execute. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | + -## See also + + + -[Configuration service provider reference](index.yml) + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 03f96374f6..661c491b22 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -1,35 +1,748 @@ --- title: Defender DDF file -description: Learn how the OMA DM device description framework (DDF) for the Defender configuration service provider is used. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 11/02/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 07/23/2021 +ms.topic: reference --- + + # Defender DDF file -This article shows the OMA DM device description framework (DDF) for the Defender configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the Defender configuration service provider. ```xml -]> +]> 1.2 + + + + Defender + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB; + + + + Detections + + + + + An interior node to group all threats detected by Windows Defender. + + + + + + + + + + + + + - Defender - ./Vendor/MSFT + + + + + + + The ID of a threat that has been detected by Windows Defender. + + + + + + + + + + ThreatId + + + + + + + + + Name + + + + + The name of the specific threat. + + + + + + + + + + + + + + + + URL + + + + + URL link for additional threat information. + + + + + + + + + + + + + + + + Severity + + + + + Threat severity ID. The following list shows the supported values: 0 = Unknown; 1 = Low; 2 = Moderate; 4 = High; 5 = Severe; + + + + + + + + + + + + + + + + Category + + + + + Threat category ID. Supported values: 0-Invalid; 1-Adware; 2-Spyware; 3-Password stealer; 4-Trojan downloader; 5-Worm; 6-Backdoor; 7-Remote access Trojan; 8-Trojan; 9-Email flooder; 10-Keylogger; 11-Dialer; 12-Monitoring software; 13-Browser modifier; 14-Cookie; 15-Browser plugin; 16-AOL exploit; 17-Nuker; 18-Security disabler; 19-Joke program; 20-Hostile ActiveX control; 21-Software bundler; 22-Stealth modifier; 23-Settings modifier; 24-Toolbar; 25-Remote control software; 26-Trojan FTP; 27-Potential unwanted software; 28-ICQ exploit; 29-Trojan telnet; 30-Exploit; 31-File sharing program; 32-Malware creation tool; 33-Remote control software; 34-Tool; 36-Trojan denial of service; 37-Trojan dropper; 38-Trojan mass mailer; 39-Trojan monitoring software; 40-Trojan proxy server; 42-Virus; 43-Known; 44-Unknown; 45-SPP; 46-Behavior; 47-Vulnerability; 48-Policy; 49-EUS (Enterprise Unwanted Software); 50-Ransomware; 51-ASR Rule + + + + + + + + + + + + + + + + CurrentStatus + + + + + Information about the current status of the threat. The following list shows the supported values: 0 = Active; 1 = Action failed; 2 = Manual steps required; 3 = Full scan required; 4 = Reboot required; 5 = Remediated with noncritical failures; 6 = Quarantined; 7 = Removed; 8 = Cleaned; 9 = Allowed; 10 = No Status ( Cleared) + + + + + + + + + + + + + + + + ExecutionStatus + + + + + Information about the execution status of the threat. + + + + + + + + + + + + + + + + InitialDetectionTime + + + + + The first time this particular threat was detected. + + + + + + + + + + + + + + + + LastThreatStatusChangeTime + + + + + The last time this particular threat was changed. + + + + + + + + + + + + + + + + NumberOfDetections + + + + + Number of times this threat has been detected on a particular client. + + + + + + + + + + + + + + + + + + Health + + + + + An interior node to group information about Windows Defender health status. + + + + + + + + + + + + + + + ProductStatus + + + + + + + + + + + + + + + + + + + 10.0.17763 + 1.2 + + + + + ComputerState + + + + + Provide the current state of the device. The following list shows the supported values: 0 = Clean; 1 = Pending full scan; 2 = Pending reboot; 4 = Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan); 8 = Pending offline scan; 16 = Pending critical failure (Windows Defender has failed critically and an Administrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender) + + + + + + + + + + + + + + + + DefenderEnabled + + + + + Indicates whether the Windows Defender service is running. + + + + + + + + + + + + + + + + RtpEnabled + + + + + Indicates whether real-time protection is running. + + + + + + + + + + + + + + + + NisEnabled + + + + + Indicates whether network protection is running. + + + + + + + + + + + + + + + + QuickScanOverdue + + + + + Indicates whether a Windows Defender quick scan is overdue for the device. A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and catchup Quick scans are disabled (default). + + + + + + + + + + + + + + + + FullScanOverdue + + + + + Indicates whether a Windows Defender full scan is overdue for the device. A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and catchup Full scans are disabled (default). + + + + + + + + + + + + + + + + SignatureOutOfDate + + + + + Indicates whether the Windows Defender signature is outdated. + + + + + + + + + + + + + + + + RebootRequired + + + + + Indicates whether a device reboot is needed. + + + + + + + + + + + + + + + + FullScanRequired + + + + + Indicates whether a Windows Defender full scan is required. + + + + + + + + + + + + + + + + EngineVersion + + + + + Version number of the current Windows Defender engine on the device. + + + + + + + + + + + + + + + + SignatureVersion + + + + + Version number of the current Windows Defender signatures on the device. + + + + + + + + + + + + + + + + DefenderVersion + + + + + Version number of Windows Defender on the device. + + + + + + + + + + + + + + + + QuickScanTime + + + + + Time of the last Windows Defender quick scan of the device. + + + + + + + + + + + + + + + + FullScanTime + + + + + Time of the last Windows Defender full scan of the device. + + + + + + + + + + + + + + + + QuickScanSigVersion + + + + + Signature version used for the last quick scan of the device. + + + + + + + + + + + + + + + + FullScanSigVersion + + + + + Signature version used for the last full scan of the device. + + + + + + + + + + + + + + + + TamperProtectionEnabled + + + + + Indicates whether the Windows Defender tamper protection feature is enabled. + + + + + + + + + + + + + + 10.0.18362 + 1.3 + + + + + IsVirtualMachine + + + + + Indicates whether the device is a virtual machine. + + + + + + + + + + + + + + 10.0.18362 + 1.3 + + + + + + Configuration + + + + + An interior node to group Windows Defender configuration information. + + + + + + + + + + + + + + 10.0.18362 + 1.3 + + + + DeviceControl @@ -41,14 +754,18 @@ The XML below is the current version for this CSP. - + - com.microsoft/1.3/MDM/Defender + + + 10.0.17763 + 1.3 + - Detections + PolicyGroups @@ -63,14 +780,18 @@ The XML below is the current version for this CSP. - + - + + + + + @@ -81,16 +802,19 @@ The XML below is the current version for this CSP. - ThreatId + GroupId - + - Name + GroupData + + + @@ -102,174 +826,14 @@ The XML below is the current version for this CSP. - text/plain - - - - - URL - - - - - - - - - - - - - - - text/plain - - - - - Severity - - - - - - - - - - - - - - - text/plain - - - - - Category - - - - - - - - - - - - - - - text/plain - - - - - CurrentStatus - - - - - - - - - - - - - - - text/plain - - - - - ExecutionStatus - - - - - - - - - - - - - - - text/plain - - - - - InitialDetectionTime - - - - - - - - - - - - - - - text/plain - - - - - LastThreatStatusChangeTime - - - - - - - - - - - - - - - text/plain - - - - - NumberOfDetections - - - - - - - - - - - - - - - text/plain + - Health + PolicyRules @@ -284,480 +848,61 @@ The XML below is the current version for this CSP. - + - ProductStatus + + + + + - + - + + RuleId - text/plain - - - - - ComputerState - - - - - - - - - - - - - - - text/plain - - - - - DefenderEnabled - - - - - - - - - - - - - - - text/plain - - - - - RtpEnabled - - - - - - - - - - - - - - - text/plain - - - - - NisEnabled - - - - - - - - - - - - - - - text/plain - - - - - QuickScanOverdue - - - - - - - - - - - - - - - text/plain - - - - - FullScanOverdue - - - - - - - - - - - - - - - text/plain - - - - - SignatureOutOfDate - - - - - - - - - - - - - - - text/plain - - - - - RebootRequired - - - - - - - - - - - - - - - text/plain - - - - - FullScanRequired - - - - - - - - - - - - - - - text/plain - - - - - EngineVersion - - - - - - - - - - - - - - - text/plain - - - - - SignatureVersion - - - - - - - - - - - - - - - text/plain - - - - - DefenderVersion - - - - - - - - - - - - - - - text/plain - - - - - QuickScanTime - - - - - - - - - - - - - - - text/plain - - - - - FullScanTime - - - - - - - - - - - - - - - text/plain - - - - - QuickScanSigVersion - - - - - - - - - - - - - - - text/plain - - - - - FullScanSigVersion - - - - - - - - - - - - - - - text/plain - - - - - TamperProtectionEnabled - - - - - - - - - - - - - - - text/plain - - - - - IsVirtualMachine - - - - - - - - - - - - - - - text/plain + + + RuleData + + + + + + + + + + + + + + + + + + + + + - - Configuration - - - - - - - - - - - - - - - - - - - TamperProtection - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableFileHashComputation - - - - - - - - - - - - - - - - - - text/plain - - - - - SupportLogLocation - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableGradualRelease + + + TamperProtection @@ -765,7 +910,34 @@ The XML below is the current version for this CSP. - Enable this policy to disable gradual rollout of Defender updates. + Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. The data type is a Signed blob. + + + + + + + + + + + + + + + + + + EnableFileHashComputation + + + + + + + + 0 + Enables or disables file hash computation feature. When this feature is enabled Windows defender will compute hashes for files it scans. @@ -776,26 +948,22 @@ The XML below is the current version for this CSP. - text/plain + - - 99.9.99999 - 1.3 - - - - 1 - Gradual release is disabled - - - 0 - Gradual release is enabled - - + + + 0 + Disable + + + 1 + Enable + + - - DefinitionUpdatesChannel + + MeteredConnectionUpdates @@ -803,7 +971,8 @@ The XML below is the current version for this CSP. - Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. + 0 + Allow managed devices to update through metered connections. Default is 0 - not allowed, 1 - allowed @@ -814,30 +983,25 @@ The XML below is the current version for this CSP. - text/plain + - - 99.9.99999 - 1.3 - - - - 0 - Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - - - 4 - Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - - - 5 - Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - - + + 10.0.14393 + + + + 1 + Allowed + + + 0 + Not Allowed + + - - EngineUpdatesChannel + + SupportLogLocation @@ -845,7 +1009,38 @@ The XML below is the current version for this CSP. - Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. + The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (MpCmdRun.exe) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise. + + + + + + + + + + + + + + 10.0.14393 + 9.9 + + + + + + + AllowNetworkProtectionOnWinServer + + + + + + + + 1 + This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored. @@ -856,37 +1051,399 @@ The XML below is the current version for this CSP. - text/plain + - - 99.9.99999 - 1.3 - - - - 0 - Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - - - 2 - Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - - - 3 - Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - - - 4 - Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - - - 5 - Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - - + + 10.0.16299 + 1.3 + + + + 1 + Allow + + + 0 + Disallow + + - + + ExcludedIpAddresses + + + + + + + + This node contains a list of values specifying any IP addresses that wdnisdrv will ignore when intercepting traffic. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + + + + + DisableCpuThrottleOnIdleScans + + + + + + + + 1 + Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Disable CPU Throttle on idle scans + + + 0 + Enable CPU Throttle on idle scans + + + + + + DisableLocalAdminMerge + + + + + + + + When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Disable Local Admin Merge + + + 0 + Enable Local Admin Merge + + + + + + SchedulerRandomizationTime + + + + + + + + 4 + This setting allows you to configure the scheduler randomization in hours. The randomization interval is [1 - 23] hours. For more information on the randomization effect please check the RandomizeScheduleTaskTimes setting. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + [1-23] + + + + + DisableTlsParsing + + + + + + + + 0 + This setting disables TLS Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + TLS parsing is disabled + + + 0 + TLS parsing is enabled + + + + + + DisableFtpParsing + + + + + + + + 0 + This setting disables FTP Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + FTP parsing is disabled + + + 0 + FTP parsing is enabled + + + + + + DisableHttpParsing + + + + + + + + 0 + This setting disables HTTP Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + HTTP parsing is disabled + + + 0 + HTTP parsing is enabled + + + + + + DisableDnsParsing + + + + + + + + 0 + This setting disables DNS Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + DNS parsing is disabled + + + 0 + DNS parsing is enabled + + + + + + DisableDnsOverTcpParsing + + + + + + + + 0 + This setting disables DNS over TCP Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + DNS over TCP parsing is disabled + + + 0 + DNS over TCP parsing is enabled + + + + + + DisableSshParsing + + + + + + + + 0 + This setting disables SSH Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + SSH parsing is disabled + + + 0 + SSH parsing is enabled + + + + + PlatformUpdatesChannel @@ -906,104 +1463,966 @@ The XML below is the current version for this CSP. - text/plain + - - 99.9.99999 - 1.3 - - - - 0 - Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - - - 2 - Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - - - 3 - Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - - - 4 - Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - - - 5 - Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - - + + 10.0.14393 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 2 + Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + + + 3 + Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + + + 4 + Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + 6 + Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only. + + - - - Scan - - - - - - - - - - - - - - - - text/plain - - - - - UpdateSignature - - - - - - - - - - - - - - - - text/plain - - - - - OfflineScan - - - - - - - - - - - - - - - - text/plain - - - + + EngineUpdatesChannel + + + + + + + + Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 2 + Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + + + 3 + Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + + + 4 + Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + 6 + Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only. + + + + + SecurityIntelligenceUpdatesChannel + + + + + + + + Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 4 + Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + + + + DisableGradualRelease + + + + + + + + Enable this policy to disable gradual rollout of Defender updates. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Gradual release is disabled + + + 0 + Gradual release is enabled + + + + + + AllowNetworkProtectionDownLevel + + + + + + + + This settings controls whether Network Protection is allowed to be configured into block or audit mode on windows downlevel of RS3. If false, the value of EnableNetworkProtection will be ignored. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Network protection will be enabled downlevel. + + + 0 + Network protection will be disabled downlevel. + + + + + + EnableDnsSinkhole + + + + + + + + This setting enables the DNS Sinkhole feature for Network Protection, respecting the value of EnableNetworkProtection for block vs audit, does nothing in inspect mode. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + DNS Sinkhole is disabled + + + 0 + DNS Sinkhole is enabled + + + + + + DisableInboundConnectionFiltering + + + + + + + + This setting disables Inbound connection filtering for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Inbound connection filtering is disabled + + + 0 + Inbound connection filtering is enabled + + + + + + DisableRdpParsing + + + + + + + + This setting disables RDP Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + RDP Parsing is disabled + + + 0 + RDP Parsing is enabled + + + + + + AllowDatagramProcessingOnWinServer + + + + + + + + This settings controls whether Network Protection is allowed to enable datagram processing on Windows Server. If false, the value of DisableDatagramProcessing will be ignored and default to disabling Datagram inspection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Datagram processing on Windows Server is enabled. + + + 0 + Datagram processing on Windows Server is disabled. + + + + + + DisableNetworkProtectionPerfTelemetry + + + + + + + + This setting disables the gathering and send of performance telemetry from Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Network protection telemetry is disabled + + + 0 + Network protection telemetry is enabled + + + + + + HideExclusionsFromLocalAdmins + + + + + + + + This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled. + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + 1 + If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell. + + + 0 + If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell. + + + + + + ThrottleForScheduledScanOnly + + + + + + + + 1 + A CPU usage limit can be applied to scheduled scans only, or to scheduled and custom scans. The default value applies a CPU usage limit to scheduled scans only. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + If you enable this setting, CPU throttling will apply only to scheduled scans. + + + 0 + If you disable this setting, CPU throttling will apply to scheduled and custom scans. + + + + + + ASROnlyPerRuleExclusions + + + + + + + + Apply ASR only per rule exclusions. + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + + + + DataDuplicationDirectory + + + + + + + + Define data duplication directory for device control. + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + + + + DataDuplicationRemoteLocation + + + + + + + + Define data duplication remote location for device control. + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + + + + DeviceControlEnabled + + + + + + + + Control Device Control feature. + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + 1 + + + + + 0 + + + + + + + + DefaultEnforcement + + + + + + + + Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched. + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + 1 + Default Allow Enforcement + + + 2 + Default Deny Enforcement + + + + + + PassiveRemediation + + + + + + + + Setting to control automatic remediation for Sense scans. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 0x1 + PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation + + + 0x2 + PASSIVE_REMEDIATION_FLAG_RTP_AUDIT: Passive Remediation Realtime Protection Audit + + + 0x4 + PASSIVE_REMEDIATION_FLAG_RTP_REMEDIATION: Passive Remediation Realtime Protection Remediation + + + + + + PauseUpdateStartTime + + + + + + + + Pause update from the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + + + + PauseUpdateExpirationTime + + + + + + + + Pause update until the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + + + + PauseUpdateFlag + + + + + + + + Setting to control automatic remediation for Sense scans. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 0 + Update not paused + + + 1 + Update paused + + + + + + TDTFeatureEnabled + + + + + + + + 0 + This policy setting configures the integration level for Intel TDT integration for Intel TDT-capable devices. + + + + + + + + + + + + + + 10.0.19041 + 1.3 + + + + 0 + If you do not configure this setting, the default value will be applied. The default value is set to control by signatures. TDT will be enabled based on particular signatures that are released by Microsoft. + + + 2 + If you configure this setting to disabled, Intel TDT integration will be turned off. + + + + + + + Scan + + + + + + Node that can be used to start a Windows Defender scan on a device. + + + + + + + + + + + + + + + 1 + quick scan + + + 2 + full scan + + + + + + UpdateSignature + + + + + + Node that can be used to perform signature updates for Windows Defender. + + + + + + + + + + + + + + + + OfflineScan + + + + + + OfflineScan action starts a Microsoft Defender Offline scan on the computer where you run the command. After the next OS reboot, the device will start in Microsoft Defender Offline mode to begin the scan. + + + + + + + + + + + + + + 10.0.17134 + 1.1 + + ServerInitiated + + + + RollbackPlatform + + + + + + RollbackPlatform action rolls back Microsoft Defender to it's last known good installation location on the computer where you run the command. + + + + + + + + + + + + + + 10.0.17134 + 1.1 + + ServerInitiated + + + + RollbackEngine + + + + + + RollbackEngine action rolls back Microsoft Defender engine to it's last known good saved version on the computer where you run the command. + + + + + + + + + + + + + + 10.0.17134 + 1.1 + + ServerInitiated + + + ``` -## See also +## Related articles -[Defender configuration service provider](defender-csp.md) +[Defender configuration service provider reference](defender-csp.md) diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 86f5334e40..3a3a87afe4 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -277,7 +277,7 @@ Specifies whether to allow Azure RMS encryption for Windows Information Protecti Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/SMBAutoEncryptedFileExtensions** -Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-configuration-service-provider.md#networkisolation-enterpriseiprange) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-configuration-service-provider.md#networkisolation-enterprisenetworkdomainnames). Use semicolon (;) delimiter in the list. +Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-csp-networkisolation.md) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-csp-networkisolation.md). Use semicolon (;) delimiter in the list. When this policy isn't specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. Supported operations are Add, Get, Replace and Delete. Value type is string. diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml index fe657489a9..d8bd8ed982 100644 --- a/windows/client-management/mdm/index.yml +++ b/windows/client-management/mdm/index.yml @@ -6,11 +6,10 @@ summary: Learn more about the configuration service provider (CSP) policies avai metadata: title: Configuration Service Provider # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn more about the configuration service provider (CSP) policies available on Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. - ms.topic: landing-page # Required - services: windows-10 - ms.prod: windows + ms.topic: landing-page + ms.technology: itpro-manage + ms.prod: windows-client ms.collection: - - windows-10 - highpri ms.custom: intro-hub-or-landing author: vinaypamnani-msft diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index b683f12d06..0224b374cf 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -1,1913 +1,3028 @@ --- title: ADMX-backed policies in Policy CSP description: Learn about the ADMX-backed policies in Policy CSP. -ms.reviewer: +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 11/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 10/08/2020 +ms.topic: reference --- + + # ADMX-backed policies in Policy CSP -- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites) -- [ADMX_ActiveXInstallService/AxISURLZonePolicies](./policy-csp-admx-activexinstallservice.md#admx-activexinstallservice-axisurlzonepolicies) -- [ADMX_AddRemovePrograms/DefaultCategory](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-defaultcategory) -- [ADMX_AddRemovePrograms/NoAddFromCDorFloppy](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromcdorfloppy) -- [ADMX_AddRemovePrograms/NoAddFromInternet](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfrominternet) -- [ADMX_AddRemovePrograms/NoAddFromNetwork](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromnetwork) -- [ADMX_AddRemovePrograms/NoAddPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddpage) -- [ADMX_AddRemovePrograms/NoAddRemovePrograms](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddremoveprograms) -- [ADMX_AddRemovePrograms/NoChooseProgramsPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nochooseprogramspage) -- [ADMX_AddRemovePrograms/NoRemovePage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noremovepage) -- [ADMX_AddRemovePrograms/NoServices](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noservices) -- [ADMX_AddRemovePrograms/NoSupportInfo](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nosupportinfo) -- [ADMX_AddRemovePrograms/NoWindowsSetupPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nowindowssetuppage) -- [ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd_dontallowpwdexpirationbehindpolicy) -- [ADMX_AdmPwd/POL_AdmPwd_Enabled](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd_enabled) -- [ADMX_AdmPwd/POL_AdmPwd_AdminName](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd_adminname) -- [ADMX_AdmPwd/POL_AdmPwd](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd) -- [ADMX_AppCompat/AppCompatPrevent16BitMach](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatprevent16bitmach) -- [ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatremoveprogramcompatproppage) -- [ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffapplicationimpacttelemetry) -- [ADMX_AppCompat/AppCompatTurnOffSwitchBack](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffswitchback) -- [ADMX_AppCompat/AppCompatTurnOffEngine](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffengine) -- [ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_1) -- [ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_2) -- [ADMX_AppCompat/AppCompatTurnOffUserActionRecord](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffuseractionrecord) -- [ADMX_AppCompat/AppCompatTurnOffProgramInventory](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprograminventory) -- [ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles](./policy-csp-admx-appxpackagemanager.md#admx-appxpackagemanager-allowdeploymentinspecialprofiles) -- [ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeapplicationcontenturirules) -- [ADMX_AppXRuntime/AppxRuntimeBlockFileElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockfileelevation) -- [ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockhostedappaccesswinrt) -- [ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockprotocolelevation) -- [ADMX_AttachmentManager/AM_EstimateFileHandlerRisk](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-estimatefilehandlerrisk) -- [ADMX_AttachmentManager/AM_SetFileRiskLevel](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setfilerisklevel) -- [ADMX_AttachmentManager/AM_SetHighRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-sethighriskinclusion) -- [ADMX_AttachmentManager/AM_SetLowRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setlowriskinclusion) -- [ADMX_AttachmentManager/AM_SetModRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setmodriskinclusion) -- [ADMX_AuditSettings/IncludeCmdLine](./policy-csp-admx-auditsettings.md#admx-auditsettings-includecmdline) -- [ADMX_Bits/BITS_DisableBranchCache](./policy-csp-admx-bits.md#admx-bits-bits-disablebranchcache) -- [ADMX_Bits/BITS_DisablePeercachingClient](./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingclient) -- [ADMX_Bits/BITS_DisablePeercachingServer](./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingserver) -- [ADMX_Bits/BITS_EnablePeercaching](./policy-csp-admx-bits.md#admx-bits-bits-enablepeercaching) -- [ADMX_Bits/BITS_MaxBandwidthServedForPeers](./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthservedforpeers) -- [ADMX_Bits/BITS_MaxBandwidthV2_Maintenance](./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthv2-maintenance) -- [ADMX_Bits/BITS_MaxBandwidthV2_Work](./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthv2-work) -- [ADMX_Bits/BITS_MaxCacheSize](./policy-csp-admx-bits.md#admx-bits-bits-maxcachesize) -- [ADMX_Bits/BITS_MaxContentAge](./policy-csp-admx-bits.md#admx-bits-bits-maxcontentage) -- [ADMX_Bits/BITS_MaxDownloadTime](./policy-csp-admx-bits.md#admx-bits-bits-maxdownloadtime) -- [ADMX_Bits/BITS_MaxFilesPerJob](./policy-csp-admx-bits.md#admx-bits-bits-maxfilesperjob) -- [ADMX_Bits/BITS_MaxJobsPerMachine](./policy-csp-admx-bits.md#admx-bits-bits-maxjobspermachine) -- [ADMX_Bits/BITS_MaxJobsPerUser](./policy-csp-admx-bits.md#admx-bits-bits-maxjobsperuser) -- [ADMX_Bits/BITS_MaxRangesPerFile](./policy-csp-admx-bits.md#admx-bits-bits-maxrangesperfile) -- [ADMX_CipherSuiteOrder/SSLCipherSuiteOrder](./policy-csp-admx-ciphersuiteorder.md#admx-ciphersuiteorder-sslciphersuiteorder) -- [ADMX_CipherSuiteOrder/SSLCurveOrder](./policy-csp-admx-ciphersuiteorder.md#admx-ciphersuiteorder-sslcurveorder) -- [ADMX_COM/AppMgmt_COM_SearchForCLSID_1](./policy-csp-admx-com.md#admx-com-appmgmt-com-searchforclsid-1) -- [ADMX_COM/AppMgmt_COM_SearchForCLSID_2](./policy-csp-admx-com.md#admx-com-appmgmt-com-searchforclsid-2) -- [ADMX_ControlPanel/DisallowCpls](./policy-csp-admx-controlpanel.md#admx-controlpanel-disallowcpls) -- [ADMX_ControlPanel/ForceClassicControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-forceclassiccontrolpanel) -- [ADMX_ControlPanel/NoControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-nocontrolpanel) -- [ADMX_ControlPanel/RestrictCpls](./policy-csp-admx-controlpanel.md#admx-controlpanel-restrictcpls) -- [ADMX_ControlPanelDisplay/CPL_Display_Disable](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-display-disable) -- [ADMX_ControlPanelDisplay/CPL_Display_HideSettings](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-display-hidesettings) -- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablecolorschemechoice) -- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablethemechange) -- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablevisualstyle) -- [ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-enablescreensaver) -- [ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-forcedefaultlockscreen) -- [ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-lockfontsize) -- [ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nochanginglockscreen) -- [ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nochangingstartmenubackground) -- [ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nocolorappearanceui) -- [ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nodesktopbackgroundui) -- [ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nodesktopiconsui) -- [ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nolockscreen) -- [ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nomousepointersui) -- [ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-noscreensaverui) -- [ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nosoundschemeui) -- [ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-personalcolors) -- [ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-screensaverissecure) -- [ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-screensavertimeout) -- [ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setscreensaver) -- [ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-settheme) -- [ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setvisualstyle) -- [ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-startbackground) -- [ADMX_Cpls/UseDefaultTile](./policy-csp-admx-cpls.md#admx-cpls-usedefaulttile) -- [ADMX_CredentialProviders/AllowDomainDelayLock](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-allowdomaindelaylock) -- [ADMX_CredentialProviders/DefaultCredentialProvider](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-defaultcredentialprovider) -- [ADMX_CredentialProviders/ExcludedCredentialProviders](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-excludedcredentialproviders) -- [ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowdefcredentialswhenntlmonly) -- [ADMX_CredSsp/AllowDefaultCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowdefaultcredentials) -- [ADMX_CredSsp/AllowEncryptionOracle](./policy-csp-admx-credssp.md#admx-credssp-allowencryptionoracle) -- [ADMX_CredSsp/AllowFreshCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowfreshcredentials) -- [ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowfreshcredentialswhenntlmonly) -- [ADMX_CredSsp/AllowSavedCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowsavedcredentials) -- [ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowsavedcredentialswhenntlmonly) -- [ADMX_CredSsp/DenyDefaultCredentials](./policy-csp-admx-credssp.md#admx-credssp-denydefaultcredentials) -- [ADMX_CredSsp/DenyFreshCredentials](./policy-csp-admx-credssp.md#admx-credssp-denyfreshcredentials) -- [ADMX_CredSsp/DenySavedCredentials](./policy-csp-admx-credssp.md#admx-credssp-denysavedcredentials) -- [ADMX_CredSsp/RestrictedRemoteAdministration](./policy-csp-admx-credssp.md#admx-credssp-restrictedremoteadministration) -- [ADMX_CredUI/EnableSecureCredentialPrompting](./policy-csp-admx-credui.md#admx-credui-enablesecurecredentialprompting) -- [ADMX_CredUI/NoLocalPasswordResetQuestions](./policy-csp-admx-credui.md#admx-credui-nolocalpasswordresetquestions) -- [ADMX_CtrlAltDel/DisableChangePassword](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablechangepassword) -- [ADMX_CtrlAltDel/DisableLockComputer](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablelockcomputer) -- [ADMX_CtrlAltDel/DisableTaskMgr](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disabletaskmgr) -- [ADMX_CtrlAltDel/NoLogoff](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-nologoff) -- [ADMX_DataCollection/CommercialIdPolicy](./policy-csp-admx-datacollection.md#admx-datacollection-commercialidpolicy) -- [ADMX_DCOM/DCOMActivationSecurityCheckAllowLocalList](./policy-csp-admx-dcom.md#admx-dcom-dcomactivationsecuritycheckallowlocallist) -- [ADMX_DCOM/DCOMActivationSecurityCheckExemptionList](./policy-csp-admx-dcom.md#admx-dcom-dcomactivationsecuritycheckexemptionlist) -- [ADMX_Desktop/AD_EnableFilter](./policy-csp-admx-desktop.md#admx-desktop-ad-enablefilter) -- [ADMX_Desktop/AD_HideDirectoryFolder](./policy-csp-admx-desktop.md#admx-desktop-ad-hidedirectoryfolder) -- [ADMX_Desktop/AD_QueryLimit](./policy-csp-admx-desktop.md#admx-desktop-ad-querylimit) -- [ADMX_Desktop/ForceActiveDesktopOn](./policy-csp-admx-desktop.md#admx-desktop-forceactivedesktopon) -- [ADMX_Desktop/NoActiveDesktop](./policy-csp-admx-desktop.md#admx-desktop-noactivedesktop) -- [ADMX_Desktop/NoActiveDesktopChanges](./policy-csp-admx-desktop.md#admx-desktop-noactivedesktopchanges) -- [ADMX_Desktop/NoDesktop](./policy-csp-admx-desktop.md#admx-desktop-nodesktop) -- [ADMX_Desktop/NoDesktopCleanupWizard](./policy-csp-admx-desktop.md#admx-desktop-nodesktopcleanupwizard) -- [ADMX_Desktop/NoInternetIcon](./policy-csp-admx-desktop.md#admx-desktop-nointerneticon) -- [ADMX_Desktop/NoMyComputerIcon](./policy-csp-admx-desktop.md#admx-desktop-nomycomputericon) -- [ADMX_Desktop/NoMyDocumentsIcon](./policy-csp-admx-desktop.md#admx-desktop-nomydocumentsicon) -- [ADMX_Desktop/NoNetHood](./policy-csp-admx-desktop.md#admx-desktop-nonethood) -- [ADMX_Desktop/NoPropertiesMyComputer](./policy-csp-admx-desktop.md#admx-desktop-nopropertiesmycomputer) -- [ADMX_Desktop/NoPropertiesMyDocuments](./policy-csp-admx-desktop.md#admx-desktop-nopropertiesmydocuments) -- [ADMX_Desktop/NoRecentDocsNetHood](./policy-csp-admx-desktop.md#admx-desktop-norecentdocsnethood) -- [ADMX_Desktop/NoRecycleBinIcon](./policy-csp-admx-desktop.md#admx-desktop-norecyclebinicon) -- [ADMX_Desktop/NoRecycleBinProperties](./policy-csp-admx-desktop.md#admx-desktop-norecyclebinproperties) -- [ADMX_Desktop/NoSaveSettings](./policy-csp-admx-desktop.md#admx-desktop-nosavesettings) -- [ADMX_Desktop/NoWindowMinimizingShortcuts](./policy-csp-admx-desktop.md#admx-desktop-nowindowminimizingshortcuts) -- [ADMX_Desktop/Wallpaper](./policy-csp-admx-desktop.md#admx-desktop-wallpaper) -- [ADMX_Desktop/sz_ATC_DisableAdd](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableadd) -- [ADMX_Desktop/sz_ATC_DisableClose](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableclose) -- [ADMX_Desktop/sz_ATC_DisableDel](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disabledel) -- [ADMX_Desktop/sz_ATC_DisableEdit](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableedit) -- [ADMX_Desktop/sz_ATC_NoComponents](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-nocomponents) -- [ADMX_Desktop/sz_AdminComponents_Title](./policy-csp-admx-desktop.md#admx-desktop-sz-admincomponents-title) -- [ADMX_Desktop/sz_DB_DragDropClose](./policy-csp-admx-desktop.md#admx-desktop-sz-db-dragdropclose) -- [ADMX_Desktop/sz_DB_Moving](./policy-csp-admx-desktop.md#admx-desktop-sz-db-moving) -- [ADMX_Desktop/sz_DWP_NoHTMLPaper](./policy-csp-admx-desktop.md#admx-desktop-sz-dwp-nohtmlpaper) -- [ADMX_DeviceCompat/DeviceFlags](./policy-csp-admx-devicecompat.md#admx-devicecompat-deviceflags) -- [ADMX_DeviceCompat/DriverShims](./policy-csp-admx-devicecompat.md#admx-devicecompat-drivershims) -- [ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-allowadmininstall) -- [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-detailtext) -- [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-simpletext) -- [ADMX_DeviceInstallation/DeviceInstall_InstallTimeout](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-installtimeout) -- [ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-policy-reboottime) -- [ADMX_DeviceInstallation/DeviceInstall_Removable_Deny](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-removable-deny) -- [ADMX_DeviceInstallation/DeviceInstall_SystemRestore](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-systemrestore) -- [ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-classes-allowuser) -- [ADMX_DeviceGuard/ConfigCIPolicy](./policy-csp-admx-deviceguard.md#admx-deviceguard-configcipolicy) -- [ADMX_DeviceSetup/DeviceInstall_BalloonTips](./policy-csp-admx-devicesetup.md#admx-devicesetup-deviceinstall-balloontips) -- [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration) -- [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1) -- [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2) -- [ADMX_DiskNVCache/BootResumePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-bootresumepolicy) -- [ADMX_DiskNVCache/FeatureOffPolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-featureoffpolicy) -- [ADMX_DiskNVCache/SolidStatePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-solidstatepolicy) -- [ADMX_DiskQuota/DQ_RemovableMedia](./policy-csp-admx-diskquota.md#admx-diskquota-dq_removablemedia) -- [ADMX_DiskQuota/DQ_Enable](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enable) -- [ADMX_DiskQuota/DQ_Enforce](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enforce) -- [ADMX_DiskQuota/DQ_LogEventOverLimit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverlimit) -- [ADMX_DiskQuota/DQ_LogEventOverThreshold](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverthreshold) -- [ADMX_DiskQuota/DQ_Limit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_limit) -- [ADMX_DistributedLinkTracking/DLT_AllowDomainMode](./policy-csp-admx-distributedlinktracking.md#admx-distributedlinktracking-dlt_allowdomainmode) -- [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries) -- [ADMX_DnsClient/DNS_AppendToMultiLabelName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-appendtomultilabelname) -- [ADMX_DnsClient/DNS_Domain](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-domain) -- [ADMX_DnsClient/DNS_DomainNameDevolutionLevel](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-domainnamedevolutionlevel) -- [ADMX_DnsClient/DNS_IdnEncoding](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-idnencoding) -- [ADMX_DnsClient/DNS_IdnMapping](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-idnmapping) -- [ADMX_DnsClient/DNS_NameServer](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-nameserver) -- [ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-preferlocalresponsesoverlowerorderdns) -- [ADMX_DnsClient/DNS_PrimaryDnsSuffix](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-primarydnssuffix) -- [ADMX_DnsClient/DNS_RegisterAdapterName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registeradaptername) -- [ADMX_DnsClient/DNS_RegisterReverseLookup](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registerreverselookup) -- [ADMX_DnsClient/DNS_RegistrationEnabled](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationenabled) -- [ADMX_DnsClient/DNS_RegistrationOverwritesInConflict](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationoverwritesinconflict) -- [ADMX_DnsClient/DNS_RegistrationRefreshInterval](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationrefreshinterval) -- [ADMX_DnsClient/DNS_RegistrationTtl](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationttl) -- [ADMX_DnsClient/DNS_SearchList](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-searchlist) -- [ADMX_DnsClient/DNS_SmartMultiHomedNameResolution](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-smartmultihomednameresolution) -- [ADMX_DnsClient/DNS_SmartProtocolReorder](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-smartprotocolreorder) -- [ADMX_DnsClient/DNS_UpdateSecurityLevel](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-updatesecuritylevel) -- [ADMX_DnsClient/DNS_UpdateTopLevelDomainZones](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-updatetopleveldomainzones) -- [ADMX_DnsClient/DNS_UseDomainNameDevolution](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-usedomainnamedevolution) -- [ADMX_DnsClient/Turn_Off_Multicast](./policy-csp-admx-dnsclient.md#admx-dnsclient-turn-off-multicast) -- [ADMX_DFS/DFSDiscoverDC](./policy-csp-admx-dfs.md#admx-dfs-dfsdiscoverdc) -- [ADMX_DWM/DwmDefaultColorizationColor_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdefaultcolorizationcolor-1) -- [ADMX_DWM/DwmDefaultColorizationColor_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdefaultcolorizationcolor-2) -- [ADMX_DWM/DwmDisallowAnimations_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowanimations-1) -- [ADMX_DWM/DwmDisallowAnimations_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowanimations-2) -- [ADMX_DWM/DwmDisallowColorizationColorChanges_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowcolorizationcolorchanges-1) -- [ADMX_DWM/DwmDisallowColorizationColorChanges_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowcolorizationcolorchanges-2) -- [ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList](./policy-csp-admx-eaime.md#admx-eaime-l-donotincludenonpublishingstandardglyphinthecandidatelist) -- [ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion](./policy-csp-admx-eaime.md#admx-eaime-l-restrictcharactercoderangeofconversion) -- [ADMX_EAIME/L_TurnOffCustomDictionary](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffcustomdictionary) -- [ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffhistorybasedpredictiveinput) -- [ADMX_EAIME/L_TurnOffInternetSearchIntegration](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffinternetsearchintegration) -- [ADMX_EAIME/L_TurnOffOpenExtendedDictionary](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffopenextendeddictionary) -- [ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffsavingautotuningdatatofile) -- [ADMX_EAIME/L_TurnOnCloudCandidate](./policy-csp-admx-eaime.md#admx-eaime-l-turnoncloudcandidate) -- [ADMX_EAIME/L_TurnOnCloudCandidateCHS](./policy-csp-admx-eaime.md#admx-eaime-l-turnoncloudcandidatechs) -- [ADMX_EAIME/L_TurnOnLexiconUpdate](./policy-csp-admx-eaime.md#admx-eaime-l-turnonlexiconupdate) -- [ADMX_EAIME/L_TurnOnLiveStickers](./policy-csp-admx-eaime.md#admx-eaime-l-turnonlivestickers) -- [ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport](./policy-csp-admx-eaime.md#admx-eaime-l-turnonmisconversionloggingformisconversionreport) -- [ADMX_EventLogging/EnableProtectedEventLogging](./policy-csp-admx-eventlogging.md#admx-eventlogging-enableprotectedeventlogging) -- [ADMX_EncryptFilesonMove/NoEncryptOnMove](./policy-csp-admx-encryptfilesonmove.md#admx-encryptfilesonmove-noencryptonmove) -- [ADMX_EnhancedStorage/ApprovedEnStorDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedenstordevices) -- [ADMX_EnhancedStorage/ApprovedSilos](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedsilos) -- [ADMX_EnhancedStorage/DisablePasswordAuthentication](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-disablepasswordauthentication) -- [ADMX_EnhancedStorage/DisallowLegacyDiskDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-disallowlegacydiskdevices) -- [ADMX_EnhancedStorage/LockDeviceOnMachineLock](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-lockdeviceonmachinelock) -- [ADMX_EnhancedStorage/RootHubConnectedEnStorDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-roothubconnectedenstordevices) -- [ADMX_ErrorReporting/PCH_AllOrNoneDef](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornonedef) -- [ADMX_ErrorReporting/PCH_AllOrNoneEx](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornoneex) -- [ADMX_ErrorReporting/PCH_AllOrNoneInc](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornoneinc) -- [ADMX_ErrorReporting/PCH_ConfigureReport](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-configurereport) -- [ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-reportoperatingsystemfaults) -- [ADMX_ErrorReporting/WerArchive_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werarchive-1) -- [ADMX_ErrorReporting/WerArchive_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werarchive-2) -- [ADMX_ErrorReporting/WerAutoApproveOSDumps_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werautoapproveosdumps-1) -- [ADMX_ErrorReporting/WerAutoApproveOSDumps_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werautoapproveosdumps-2) -- [ADMX_ErrorReporting/WerBypassDataThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassdatathrottling-1) -- [ADMX_ErrorReporting/WerBypassDataThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassdatathrottling-2) -- [ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassnetworkcostthrottling-1) -- [ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassnetworkcostthrottling-2) -- [ADMX_ErrorReporting/WerBypassPowerThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypasspowerthrottling-1) -- [ADMX_ErrorReporting/WerBypassPowerThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypasspowerthrottling-2) -- [ADMX_ErrorReporting/WerCER](./policy-csp-admx-errorreporting.md#admx-errorreporting-wercer) -- [ADMX_ErrorReporting/WerConsentCustomize_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentcustomize-1) -- [ADMX_ErrorReporting/WerConsentOverride_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentoverride-1) -- [ADMX_ErrorReporting/WerConsentOverride_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentoverride-2) -- [ADMX_ErrorReporting/WerDefaultConsent_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdefaultconsent-1) -- [ADMX_ErrorReporting/WerDefaultConsent_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdefaultconsent-2) -- [ADMX_ErrorReporting/WerDisable_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdisable-1) -- [ADMX_ErrorReporting/WerExlusion_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werexlusion-1) -- [ADMX_ErrorReporting/WerExlusion_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werexlusion-2) -- [ADMX_ErrorReporting/WerNoLogging_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernologging-1) -- [ADMX_ErrorReporting/WerNoLogging_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernologging-2) -- [ADMX_ErrorReporting/WerNoSecondLevelData_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernosecondleveldata-1) -- [ADMX_ErrorReporting/WerQueue_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werqueue-1) -- [ADMX_ErrorReporting/WerQueue_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werqueue-2) -- [ADMX_EventForwarding/ForwarderResourceUsage](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-forwarderresourceusage) -- [ADMX_EventForwarding/SubscriptionManager](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-subscriptionmanager) -- [ADMX_EventLog/Channel_LogEnabled](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logenabled) -- [ADMX_EventLog/Channel_LogFilePath_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-1) -- [ADMX_EventLog/Channel_LogFilePath_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-2) -- [ADMX_EventLog/Channel_LogFilePath_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-3) -- [ADMX_EventLog/Channel_LogFilePath_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-4) -- [ADMX_EventLog/Channel_LogMaxSize_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logmaxsize-3) -- [ADMX_EventLog/Channel_Log_AutoBackup_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-1) -- [ADMX_EventLog/Channel_Log_AutoBackup_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-2) -- [ADMX_EventLog/Channel_Log_AutoBackup_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-3) -- [ADMX_EventLog/Channel_Log_AutoBackup_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-4) -- [ADMX_EventLog/Channel_Log_FileLogAccess_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-1) -- [ADMX_EventLog/Channel_Log_FileLogAccess_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-2) -- [ADMX_EventLog/Channel_Log_FileLogAccess_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-3) -- [ADMX_EventLog/Channel_Log_FileLogAccess_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-4) -- [ADMX_EventLog/Channel_Log_FileLogAccess_5](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-5) -- [ADMX_EventLog/Channel_Log_FileLogAccess_6](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-6) -- [ADMX_EventLog/Channel_Log_FileLogAccess_7](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-7) -- [ADMX_EventLog/Channel_Log_FileLogAccess_8](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-8) -- [ADMX_EventLog/Channel_Log_Retention_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-2) -- [ADMX_EventLog/Channel_Log_Retention_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-3) -- [ADMX_EventLog/Channel_Log_Retention_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-4) -- [ADMX_EventViewer/EventViewer_RedirectionProgram](./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionprogram) -- [ADMX_EventViewer/EventViewer_RedirectionProgramCommandLineParameters](./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionprogramcommandlineparameters) -- [ADMX_EventViewer/EventViewer_RedirectionURL](./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionurl) -- [ADMX_Explorer/AdminInfoUrl](./policy-csp-admx-explorer.md#admx-explorer-admininfourl) -- [ADMX_Explorer/AlwaysShowClassicMenu](./policy-csp-admx-explorer.md#admx-explorer-alwaysshowclassicmenu) -- [ADMX_Explorer/DisableRoamedProfileInit](./policy-csp-admx-explorer.md#admx-explorer-disableroamedprofileinit) -- [ADMX_Explorer/PreventItemCreationInUsersFilesFolder](./policy-csp-admx-explorer.md#admx-explorer-preventitemcreationinusersfilesfolder) -- [ADMX_Explorer/TurnOffSPIAnimations](./policy-csp-admx-explorer.md#admx-explorer-turnoffspianimations) -- [ADMX_ExternalBoot/PortableOperatingSystem_Hibernate](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_hibernate) -- [ADMX_ExternalBoot/PortableOperatingSystem_Sleep](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_sleep) -- [ADMX_ExternalBoot/PortableOperatingSystem_Launcher](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_launcher) -- [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy) -- [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol) -- [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression) -- [ADMX_FileSys/DisableDeleteNotification](./policy-csp-admx-filesys.md#admx-filesys-disabledeletenotification) -- [ADMX_FileSys/DisableEncryption](./policy-csp-admx-filesys.md#admx-filesys-disableencryption) -- [ADMX_FileSys/EnablePagefileEncryption](./policy-csp-admx-filesys.md#admx-filesys-enablepagefileencryption) -- [ADMX_FileSys/LongPathsEnabled](./policy-csp-admx-filesys.md#admx-filesys-longpathsenabled) -- [ADMX_FileSys/ShortNameCreationSettings](./policy-csp-admx-filesys.md#admx-filesys-shortnamecreationsettings) -- [ADMX_FileSys/SymlinkEvaluation](./policy-csp-admx-filesys.md#admx-filesys-symlinkevaluation) -- [ADMX_FileSys/TxfDeprecatedFunctionality](./policy-csp-admx-filesys.md#admx-filesys-txfdeprecatedfunctionality) -- [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy) -- [ADMX_FileRevocation/DelegatedPackageFamilyNames](./policy-csp-admx-filerevocation.md#admx-filerevocation-delegatedpackagefamilynames) -- [ADMX_FolderRedirection/DisableFRAdminPin](./policy-csp-admx-folderredirection.md#admx-folderredirection-disablefradminpin) -- [ADMX_FolderRedirection/DisableFRAdminPinByFolder](./policy-csp-admx-folderredirection.md#admx-folderredirection-disablefradminpinbyfolder) -- [ADMX_FolderRedirection/FolderRedirectionEnableCacheRename](./policy-csp-admx-folderredirection.md#admx-folderredirection-folderredirectionenablecacherename) -- [ADMX_FolderRedirection/LocalizeXPRelativePaths_1](./policy-csp-admx-folderredirection.md#admx-folderredirection-localizexprelativepaths-1) -- [ADMX_FolderRedirection/LocalizeXPRelativePaths_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-localizexprelativepaths-2) -- [ADMX_FolderRedirection/PrimaryComputer_FR_1](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-1) -- [ADMX_FolderRedirection/PrimaryComputer_FR_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-2) -- [ADMX_FramePanes/NoReadingPane](./policy-csp-admx-framepanes.md#admx-framepanes-noreadingpane) -- [ADMX_FramePanes/NoPreviewPane](./policy-csp-admx-framepanes.md#admx-framepanes-nopreviewpane) -- [ADMX_FTHSVC/WdiScenarioExecutionPolicy](./policy-csp-admx-fthsvc.md#admx-fthsvc-wdiscenarioexecutionpolicy) -- [ADMX_Globalization/BlockUserInputMethodsForSignIn](./policy-csp-admx-globalization.md#admx-globalization-blockuserinputmethodsforsignin) -- [ADMX_Globalization/CustomLocalesNoSelect_1](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-1) -- [ADMX_Globalization/CustomLocalesNoSelect_2](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-2) -- [ADMX_Globalization/HideAdminOptions](./policy-csp-admx-globalization.md#admx-globalization-hideadminoptions) -- [ADMX_Globalization/HideCurrentLocation](./policy-csp-admx-globalization.md#admx-globalization-hidecurrentlocation) -- [ADMX_Globalization/HideLanguageSelection](./policy-csp-admx-globalization.md#admx-globalization-hidelanguageselection) -- [ADMX_Globalization/HideLocaleSelectAndCustomize](./policy-csp-admx-globalization.md#admx-globalization-hidelocaleselectandcustomize) -- [ADMX_Globalization/ImplicitDataCollectionOff_1](./policy-csp-admx-globalization.md#admx-globalization-implicitdatacollectionoff-1) -- [ADMX_Globalization/ImplicitDataCollectionOff_2](./policy-csp-admx-globalization.md#admx-globalization-implicitdatacollectionoff-2) -- [ADMX_Globalization/LocaleSystemRestrict](./policy-csp-admx-globalization.md#admx-globalization-localesystemrestrict) -- [ADMX_Globalization/LocaleUserRestrict_1](./policy-csp-admx-globalization.md#admx-globalization-localeuserrestrict-1) -- [ADMX_Globalization/LocaleUserRestrict_2](./policy-csp-admx-globalization.md#admx-globalization-localeuserrestrict-2) -- [ADMX_Globalization/LockMachineUILanguage](./policy-csp-admx-globalization.md#admx-globalization-lockmachineuilanguage) -- [ADMX_Globalization/LockUserUILanguage](./policy-csp-admx-globalization.md#admx-globalization-lockuseruilanguage) -- [ADMX_Globalization/PreventGeoIdChange_1](./policy-csp-admx-globalization.md#admx-globalization-preventgeoidchange-1) -- [ADMX_Globalization/PreventGeoIdChange_2](./policy-csp-admx-globalization.md#admx-globalization-preventgeoidchange-2) -- [ADMX_Globalization/PreventUserOverrides_1](./policy-csp-admx-globalization.md#admx-globalization-preventuseroverrides-1) -- [ADMX_Globalization/PreventUserOverrides_2](./policy-csp-admx-globalization.md#admx-globalization-preventuseroverrides-2) -- [ADMX_Globalization/RestrictUILangSelect](./policy-csp-admx-globalization.md#admx-globalization-restrictuilangselect) -- [ADMX_Globalization/TurnOffAutocorrectMisspelledWords](./policy-csp-admx-globalization.md#admx-globalization-turnoffautocorrectmisspelledwords) -- [ADMX_Globalization/TurnOffHighlightMisspelledWords](./policy-csp-admx-globalization.md#admx-globalization-turnoffhighlightmisspelledwords) -- [ADMX_Globalization/TurnOffInsertSpace](./policy-csp-admx-globalization.md#admx-globalization-turnoffinsertspace) -- [ADMX_Globalization/TurnOffOfferTextPredictions](./policy-csp-admx-globalization.md#admx-globalization-turnoffoffertextpredictions) -- [ADMX_Globalization/Y2K](./policy-csp-admx-globalization.md#admx-globalization-y2k) -- [ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-allowx-forestpolicy-and-rup) -- [ADMX_GroupPolicy/CSE_AppMgmt](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-appmgmt) -- [ADMX_GroupPolicy/CSE_DiskQuota](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-diskquota) -- [ADMX_GroupPolicy/CSE_EFSRecovery](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-efsrecovery) -- [ADMX_GroupPolicy/CSE_FolderRedirection](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-folderredirection) -- [ADMX_GroupPolicy/CSE_IEM](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-iem) -- [ADMX_GroupPolicy/CSE_IPSecurity](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-ipsecurity) -- [ADMX_GroupPolicy/CSE_Registry](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-registry) -- [ADMX_GroupPolicy/CSE_Scripts](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-scripts) -- [ADMX_GroupPolicy/CSE_Security](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-security) -- [ADMX_GroupPolicy/CSE_Wired](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-wired) -- [ADMX_GroupPolicy/CSE_Wireless](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-wireless) -- [ADMX_GroupPolicy/CorpConnSyncWaitTime](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-corpconnsyncwaittime) -- [ADMX_GroupPolicy/DenyRsopToInteractiveUser_1](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-denyrsoptointeractiveuser-1) -- [ADMX_GroupPolicy/DenyRsopToInteractiveUser_2](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-denyrsoptointeractiveuser-2) -- [ADMX_GroupPolicy/DisableAOACProcessing](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableaoacprocessing) -- [ADMX_GroupPolicy/DisableAutoADMUpdate](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableautoadmupdate) -- [ADMX_GroupPolicy/DisableBackgroundPolicy](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disablebackgroundpolicy) -- [ADMX_GroupPolicy/DisableLGPOProcessing](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disablelgpoprocessing) -- [ADMX_GroupPolicy/DisableUsersFromMachGP](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableusersfrommachgp) -- [ADMX_GroupPolicy/EnableCDP](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablecdp) -- [ADMX_GroupPolicy/EnableLogonOptimization](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablelogonoptimization) -- [ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablelogonoptimizationonserversku) -- [ADMX_GroupPolicy/EnableMMX](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablemmx) -- [ADMX_GroupPolicy/EnforcePoliciesOnly](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enforcepoliciesonly) -- [ADMX_GroupPolicy/FontMitigation](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-fontmitigation) -- [ADMX_GroupPolicy/GPDCOptions](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gpdcoptions) -- [ADMX_GroupPolicy/GPTransferRate_1](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gptransferrate-1) -- [ADMX_GroupPolicy/GPTransferRate_2](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gptransferrate-2) -- [ADMX_GroupPolicy/GroupPolicyRefreshRate](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshrate) -- [ADMX_GroupPolicy/GroupPolicyRefreshRateDC](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshratedc) -- [ADMX_GroupPolicy/GroupPolicyRefreshRateUser](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshrateuser) -- [ADMX_GroupPolicy/LogonScriptDelay](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-logonscriptdelay) -- [ADMX_GroupPolicy/NewGPODisplayName](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-newgpodisplayname) -- [ADMX_GroupPolicy/NewGPOLinksDisabled](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-newgpolinksdisabled) -- [ADMX_GroupPolicy/OnlyUseLocalAdminFiles](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-onlyuselocaladminfiles) -- [ADMX_GroupPolicy/ProcessMitigationOptions](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-processmitigationoptions) -- [ADMX_GroupPolicy/RSoPLogging](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-rsoplogging) -- [ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-resetdfsclientinfoduringrefreshpolicy) -- [ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-slowlinkdefaultfordirectaccess) -- [ADMX_GroupPolicy/SlowlinkDefaultToAsync](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-slowlinkdefaulttoasync) -- [ADMX_GroupPolicy/SyncWaitTime](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-syncwaittime) -- [ADMX_GroupPolicy/UserPolicyMode](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-userpolicymode) -- [ADMX_Help/DisableHHDEP](./policy-csp-admx-help.md#admx-help-disablehhdep) -- [ADMX_Help/HelpQualifiedRootDir_Comp](./policy-csp-admx-help.md#admx-help-helpqualifiedrootdir-comp) -- [ADMX_Help/RestrictRunFromHelp](./policy-csp-admx-help.md#admx-help-restrictrunfromhelp) -- [ADMX_Help/RestrictRunFromHelp_Comp](./policy-csp-admx-help.md#admx-help-restrictrunfromhelp-comp) -- [ADMX_HelpAndSupport/ActiveHelp](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-activehelp) -- [ADMX_HelpAndSupport/HPExplicitFeedback](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hpexplicitfeedback) -- [ADMX_HelpAndSupport/HPImplicitFeedback](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hpimplicitfeedback) -- [ADMX_HelpAndSupport/HPOnlineAssistance](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hponlineassistance) -- [ADMX_ICM/CEIPEnable](./policy-csp-admx-icm.md#admx-icm-ceipenable) -- [ADMX_ICM/CertMgr_DisableAutoRootUpdates](./policy-csp-admx-icm.md#admx-icm-certmgr-disableautorootupdates) -- [ADMX_ICM/DisableHTTPPrinting_1](./policy-csp-admx-icm.md#admx-icm-disablehttpprinting-1) -- [ADMX_ICM/DisableWebPnPDownload_1](./policy-csp-admx-icm.md#admx-icm-disablewebpnpdownload-1) -- [ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate](./policy-csp-admx-icm.md#admx-icm-driversearchplaces-dontsearchwindowsupdate) -- [ADMX_ICM/EventViewer_DisableLinks](./policy-csp-admx-icm.md#admx-icm-eventviewer-disablelinks) -- [ADMX_ICM/HSS_HeadlinesPolicy](./policy-csp-admx-icm.md#admx-icm-hss-headlinespolicy) -- [ADMX_ICM/HSS_KBSearchPolicy](./policy-csp-admx-icm.md#admx-icm-hss-kbsearchpolicy) -- [ADMX_ICM/InternetManagement_RestrictCommunication_1](./policy-csp-admx-icm.md#admx-icm-internetmanagement-restrictcommunication-1) -- [ADMX_ICM/InternetManagement_RestrictCommunication_2](./policy-csp-admx-icm.md#admx-icm-internetmanagement-restrictcommunication-2) -- [ADMX_ICM/NC_ExitOnISP](./policy-csp-admx-icm.md#admx-icm-nc-exitonisp) -- [ADMX_ICM/NC_NoRegistration](./policy-csp-admx-icm.md#admx-icm-nc-noregistration) -- [ADMX_ICM/PCH_DoNotReport](./policy-csp-admx-icm.md#admx-icm-pch-donotreport) -- [ADMX_ICM/RemoveWindowsUpdate_ICM](./policy-csp-admx-icm.md#admx-icm-removewindowsupdate-icm) -- [ADMX_ICM/SearchCompanion_DisableFileUpdates](./policy-csp-admx-icm.md#admx-icm-searchcompanion-disablefileupdates) -- [ADMX_ICM/ShellNoUseInternetOpenWith_1](./policy-csp-admx-icm.md#admx-icm-shellnouseinternetopenwith-1) -- [ADMX_ICM/ShellNoUseInternetOpenWith_2](./policy-csp-admx-icm.md#admx-icm-shellnouseinternetopenwith-2) -- [ADMX_ICM/ShellNoUseStoreOpenWith_1](./policy-csp-admx-icm.md#admx-icm-shellnousestoreopenwith-1) -- [ADMX_ICM/ShellNoUseStoreOpenWith_2](./policy-csp-admx-icm.md#admx-icm-shellnousestoreopenwith-2) -- [ADMX_ICM/ShellPreventWPWDownload_1](./policy-csp-admx-icm.md#admx-icm-shellpreventwpwdownload-1) -- [ADMX_ICM/ShellRemoveOrderPrints_1](./policy-csp-admx-icm.md#admx-icm-shellremoveorderprints-1) -- [ADMX_ICM/ShellRemoveOrderPrints_2](./policy-csp-admx-icm.md#admx-icm-shellremoveorderprints-2) -- [ADMX_ICM/ShellRemovePublishToWeb_1](./policy-csp-admx-icm.md#admx-icm-shellremovepublishtoweb-1) -- [ADMX_ICM/ShellRemovePublishToWeb_2](./policy-csp-admx-icm.md#admx-icm-shellremovepublishtoweb-2) -- [ADMX_ICM/WinMSG_NoInstrumentation_1](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-1) -- [ADMX_ICM/WinMSG_NoInstrumentation_2](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-2) -- [ADMX_IIS/PreventIISInstall](./policy-csp-admx-iis.md#admx-iis-preventiisinstall) -- [ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_restrictadditionallogins) -- [ADMX_iSCSI/iSCSIGeneral_ChangeIQNName](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_changeiqnname) -- [ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret](./policy-csp-admx-iscsi.md#admx-iscsi-iscsisecurity_changechapsecret) -- [ADMX_kdc/CbacAndArmor](./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor) -- [ADMX_kdc/ForestSearch](./policy-csp-admx-kdc.md#admx-kdc-forestsearch) -- [ADMX_kdc/PKINITFreshness](./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness) -- [ADMX_kdc/RequestCompoundId](./policy-csp-admx-kdc.md#admx-kdc-requestcompoundid) -- [ADMX_kdc/TicketSizeThreshold](./policy-csp-admx-kdc.md#admx-kdc-ticketsizethreshold) -- [ADMX_kdc/emitlili](./policy-csp-admx-kdc.md#admx-kdc-emitlili) -- [ADMX_Kerberos/AlwaysSendCompoundId](./policy-csp-admx-kerberos.md#admx-kerberos-alwayssendcompoundid) -- [ADMX_Kerberos/DevicePKInitEnabled](./policy-csp-admx-kerberos.md#admx-kerberos-devicepkinitenabled) -- [ADMX_Kerberos/HostToRealm](./policy-csp-admx-kerberos.md#admx-kerberos-hosttorealm) -- [ADMX_Kerberos/KdcProxyDisableServerRevocationCheck](./policy-csp-admx-kerberos.md#admx-kerberos-kdcproxydisableserverrevocationcheck) -- [ADMX_Kerberos/KdcProxyServer](./policy-csp-admx-kerberos.md#admx-kerberos-kdcproxyserver) -- [ADMX_Kerberos/MitRealms](./policy-csp-admx-kerberos.md#admx-kerberos-mitrealms) -- [ADMX_Kerberos/ServerAcceptsCompound](./policy-csp-admx-kerberos.md#admx-kerberos-serveracceptscompound) -- [ADMX_Kerberos/StrictTarget](./policy-csp-admx-kerberos.md#admx-kerberos-stricttarget) -- [ADMX_LanmanServer/Pol_CipherSuiteOrder](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-ciphersuiteorder) -- [ADMX_LanmanServer/Pol_HashPublication](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-hashpublication) -- [ADMX_LanmanServer/Pol_HashSupportVersion](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-hashsupportversion) -- [ADMX_LanmanServer/Pol_HonorCipherSuiteOrder](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-honorciphersuiteorder) -- [ADMX_LanmanWorkstation/Pol_CipherSuiteOrder](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-ciphersuiteorder) -- [ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enablehandlecachingforcafiles) -- [ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enableofflinefilesforcashares) -- [ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy](./policy-csp-admx-leakdiagnostic.md#admx-leakdiagnostic-wdiscenarioexecutionpolicy) -- [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablelltdio) -- [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablerspndr) -- [ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1](./policy-csp-admx-locationprovideradm.md#admx-locationprovideradm-disablewindowslocationprovider_1) -- [ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin](./policy-csp-admx-logon.md#admx-logon-blockuserfromshowingaccountdetailsonsignin) -- [ADMX_Logon/DisableAcrylicBackgroundOnLogon](./policy-csp-admx-logon.md#admx-logon-disableacrylicbackgroundonlogon) -- [ADMX_Logon/DisableExplorerRunLegacy_1](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-1) -- [ADMX_Logon/DisableExplorerRunLegacy_2](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-2) -- [ADMX_Logon/DisableExplorerRunOnceLegacy_1](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunoncelegacy-1) -- [ADMX_Logon/DisableExplorerRunOnceLegacy_2](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunoncelegacy-2) -- [ADMX_Logon/DisableStatusMessages](./policy-csp-admx-logon.md#admx-logon-disablestatusmessages) -- [ADMX_Logon/DontEnumerateConnectedUsers](./policy-csp-admx-logon.md#admx-logon-dontenumerateconnectedusers) -- [ADMX_Logon/NoWelcomeTips_1](./policy-csp-admx-logon.md#admx-logon-nowelcometips-1) -- [ADMX_Logon/NoWelcomeTips_2](./policy-csp-admx-logon.md#admx-logon-nowelcometips-2) -- [ADMX_Logon/Run_1](./policy-csp-admx-logon.md#admx-logon-run-1) -- [ADMX_Logon/Run_2](./policy-csp-admx-logon.md#admx-logon-run-2) -- [ADMX_Logon/SyncForegroundPolicy](./policy-csp-admx-logon.md#admx-logon-syncforegroundpolicy) -- [ADMX_Logon/UseOEMBackground](./policy-csp-admx-logon.md#admx-logon-useoembackground) -- [ADMX_Logon/VerboseStatus](./policy-csp-admx-logon.md#admx-logon-verbosestatus) -- [ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-allowfastservicestartup) -- [ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableantispywaredefender) -- [ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableautoexclusions) -- [ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableblockatfirstseen) -- [ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disablelocaladminmerge) -- [ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disablerealtimemonitoring) -- [ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableroutinelytakingaction) -- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-extensions) -- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-paths) -- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-processes) -- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-asr-asronlyexclusions) -- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-asr-rules) -- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-allowedapplications) -- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-protectedfolders) -- [ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-mpengine-enablefilehashcomputation) -- [ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-consumers-ips-disablesignatureretirement) -- [ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-consumers-ips-sku-differentiation-signature-set-guid) -- [ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-disableprotocolrecognition) -- [ADMX_MicrosoftDefenderAntivirus/ProxyBypass](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxybypass) -- [ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxypacurl) -- [ADMX_MicrosoftDefenderAntivirus/ProxyServer](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxyserver) -- [ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-quarantine-localsettingoverridepurgeitemsafterdelay) -- [ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-quarantine-purgeitemsafterdelay) -- [ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-randomizescheduletasktimes) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablebehaviormonitoring) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disableioavprotection) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disableonaccessprotection) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablerawwritenotification) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablescanonrealtimeenable) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-ioavmaxsize) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablebehaviormonitoring) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableioavprotection) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableonaccessprotection) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablerealtimemonitoring) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverriderealtimescandirection) -- [ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-localsettingoverridescan-scheduletime) -- [ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-scan-scheduleday) -- [ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-scan-scheduletime) -- [ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-additionalactiontimeout) -- [ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-criticalfailuretimeout) -- [ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-disableenhancednotifications) -- [ADMX_MicrosoftDefenderAntivirus/Reporting_Disablegenericreports](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-disablegenericreports) -- [ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-noncriticaltimeout) -- [ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-recentlycleanedtimeout) -- [ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-wpptracingcomponents) -- [ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-wpptracinglevel) -- [ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-allowpause) -- [ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-archivemaxdepth) -- [ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-archivemaxsize) -- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablearchivescanning) -- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableemailscanning) -- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableheuristics) -- [ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablepackedexescanning) -- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableremovabledrivescanning) -- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablereparsepointscanning) -- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablerestorepoint) -- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablescanningmappednetworkdrivesforfullscan) -- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablescanningnetworkfiles) -- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverrideavgcpuloadfactor) -- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescanparameters) -- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescheduleday) -- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverrideschedulequickscantime) -- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescheduletime) -- [ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-lowcpupriority) -- [ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-missedscheduledscancountbeforecatchup) -- [ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-purgeitemsafterdelay) -- [ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-quickscaninterval) -- [ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scanonlyifidle) -- [ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scheduleday) -- [ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scheduletime) -- [ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-servicekeepalive) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-assignaturedue) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-avsignaturedue) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-definitionupdatefilesharessources) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disablescanonupdate) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disablescheduledsignatureupdateonbattery) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disableupdateonstartupwithoutengine) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-fallbackorder) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-forceupdatefrommu) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-realtimesignaturedelivery) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-scheduleday) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-scheduletime) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-sharedsignatureslocation) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-signaturedisablenotification) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-signatureupdatecatchupinterval) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-updateonstartup) -- [ADMX_MicrosoftDefenderAntivirus/SpynetReporting](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-spynetreporting) -- [ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-spynet-localsettingoverridespynetreporting) -- [ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-threats-threatiddefaultaction) -- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-customdefaultactiontoaststring) -- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-notification-suppress) -- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-suppressrebootnotification) -- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-uilockdown) -- [ADMX_MMC/MMC_ActiveXControl](./policy-csp-admx-mmc.md#admx-mmc-mmc-activexcontrol) -- [ADMX_MMC/MMC_ExtendView](./policy-csp-admx-mmc.md#admx-mmc-mmc-extendview) -- [ADMX_MMC/MMC_LinkToWeb](./policy-csp-admx-mmc.md#admx-mmc-mmc-linktoweb) -- [ADMX_MMC/MMC_Restrict_Author](./policy-csp-admx-mmc.md#admx-mmc-mmc-restrict-author) -- [ADMX_MMC/MMC_Restrict_To_Permitted_Snapins](./policy-csp-admx-mmc.md#admx-mmc-mmc-restrict-to-permitted-snapins) -- [ADMX_MMCSnapins/MMC_ADMComputers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admcomputers-1) -- [ADMX_MMCSnapins/MMC_ADMComputers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admcomputers-2) -- [ADMX_MMCSnapins/MMC_ADMUsers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admusers-1) -- [ADMX_MMCSnapins/MMC_ADMUsers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admusers-2) -- [ADMX_MMCSnapins/MMC_ADSI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-adsi) -- [ADMX_MMCSnapins/MMC_ActiveDirDomTrusts](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activedirdomtrusts) -- [ADMX_MMCSnapins/MMC_ActiveDirSitesServices](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activedirsitesservices) -- [ADMX_MMCSnapins/MMC_ActiveDirUsersComp](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activediruserscomp) -- [ADMX_MMCSnapins/MMC_AppleTalkRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-appletalkrouting) -- [ADMX_MMCSnapins/MMC_AuthMan](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-authman) -- [ADMX_MMCSnapins/MMC_CertAuth](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certauth) -- [ADMX_MMCSnapins/MMC_CertAuthPolSet](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certauthpolset) -- [ADMX_MMCSnapins/MMC_Certs](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certs) -- [ADMX_MMCSnapins/MMC_CertsTemplate](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certstemplate) -- [ADMX_MMCSnapins/MMC_ComponentServices](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-componentservices) -- [ADMX_MMCSnapins/MMC_ComputerManagement](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-computermanagement) -- [ADMX_MMCSnapins/MMC_ConnectionSharingNAT](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-connectionsharingnat) -- [ADMX_MMCSnapins/MMC_DCOMCFG](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dcomcfg) -- [ADMX_MMCSnapins/MMC_DFS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dfs) -- [ADMX_MMCSnapins/MMC_DHCPRelayMgmt](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dhcprelaymgmt) -- [ADMX_MMCSnapins/MMC_DeviceManager_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-devicemanager-1) -- [ADMX_MMCSnapins/MMC_DeviceManager_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-devicemanager-2) -- [ADMX_MMCSnapins/MMC_DiskDefrag](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-diskdefrag) -- [ADMX_MMCSnapins/MMC_DiskMgmt](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-diskmgmt) -- [ADMX_MMCSnapins/MMC_EnterprisePKI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-enterprisepki) -- [ADMX_MMCSnapins/MMC_EventViewer_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-1) -- [ADMX_MMCSnapins/MMC_EventViewer_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-2) -- [ADMX_MMCSnapins/MMC_EventViewer_3](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-3) -- [ADMX_MMCSnapins/MMC_EventViewer_4](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-4) -- [ADMX_MMCSnapins/MMC_FAXService](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-faxservice) -- [ADMX_MMCSnapins/MMC_FailoverClusters](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-failoverclusters) -- [ADMX_MMCSnapins/MMC_FolderRedirection_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-folderredirection-1) -- [ADMX_MMCSnapins/MMC_FolderRedirection_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-folderredirection-2) -- [ADMX_MMCSnapins/MMC_FrontPageExt](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-frontpageext) -- [ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicymanagementsnapin) -- [ADMX_MMCSnapins/MMC_GroupPolicySnapIn](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicysnapin) -- [ADMX_MMCSnapins/MMC_GroupPolicyTab](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicytab) -- [ADMX_MMCSnapins/MMC_HRA](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-hra) -- [ADMX_MMCSnapins/MMC_IAS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ias) -- [ADMX_MMCSnapins/MMC_IASLogging](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iaslogging) -- [ADMX_MMCSnapins/MMC_IEMaintenance_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iemaintenance-1) -- [ADMX_MMCSnapins/MMC_IEMaintenance_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iemaintenance-2) -- [ADMX_MMCSnapins/MMC_IGMPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-igmprouting) -- [ADMX_MMCSnapins/MMC_IIS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iis) -- [ADMX_MMCSnapins/MMC_IPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iprouting) -- [ADMX_MMCSnapins/MMC_IPSecManage_GP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmanage-gp) -- [ADMX_MMCSnapins/MMC_IPXRIPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxriprouting) -- [ADMX_MMCSnapins/MMC_IPXRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxrouting) -- [ADMX_MMCSnapins/MMC_IPXSAPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxsaprouting) -- [ADMX_MMCSnapins/MMC_IndexingService](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-indexingservice) -- [ADMX_MMCSnapins/MMC_IpSecManage](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmanage) -- [ADMX_MMCSnapins/MMC_IpSecMonitor](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmonitor) -- [ADMX_MMCSnapins/MMC_LocalUsersGroups](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-localusersgroups) -- [ADMX_MMCSnapins/MMC_LogicalMappedDrives](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-logicalmappeddrives) -- [ADMX_MMCSnapins/MMC_NPSUI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-npsui) -- [ADMX_MMCSnapins/MMC_NapSnap](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-napsnap) -- [ADMX_MMCSnapins/MMC_NapSnap_GP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-napsnap-gp) -- [ADMX_MMCSnapins/MMC_Net_Framework](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-net-framework) -- [ADMX_MMCSnapins/MMC_OCSP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ocsp) -- [ADMX_MMCSnapins/MMC_OSPFRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ospfrouting) -- [ADMX_MMCSnapins/MMC_PerfLogsAlerts](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-perflogsalerts) -- [ADMX_MMCSnapins/MMC_PublicKey](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-publickey) -- [ADMX_MMCSnapins/MMC_QoSAdmission](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-qosadmission) -- [ADMX_MMCSnapins/MMC_RAS_DialinUser](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ras-dialinuser) -- [ADMX_MMCSnapins/MMC_RIPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-riprouting) -- [ADMX_MMCSnapins/MMC_RIS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ris) -- [ADMX_MMCSnapins/MMC_RRA](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-rra) -- [ADMX_MMCSnapins/MMC_RSM](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-rsm) -- [ADMX_MMCSnapins/MMC_RemStore](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remstore) -- [ADMX_MMCSnapins/MMC_RemoteAccess](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remoteaccess) -- [ADMX_MMCSnapins/MMC_RemoteDesktop](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remotedesktop) -- [ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-resultantsetofpolicysnapin) -- [ADMX_MMCSnapins/MMC_Routing](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-routing) -- [ADMX_MMCSnapins/MMC_SCA](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sca) -- [ADMX_MMCSnapins/MMC_SMTPProtocol](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-smtpprotocol) -- [ADMX_MMCSnapins/MMC_SNMP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-snmp) -- [ADMX_MMCSnapins/MMC_ScriptsMachine_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsmachine-1) -- [ADMX_MMCSnapins/MMC_ScriptsMachine_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsmachine-2) -- [ADMX_MMCSnapins/MMC_ScriptsUser_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsuser-1) -- [ADMX_MMCSnapins/MMC_ScriptsUser_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsuser-2) -- [ADMX_MMCSnapins/MMC_SecuritySettings_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitysettings-1) -- [ADMX_MMCSnapins/MMC_SecuritySettings_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitysettings-2) -- [ADMX_MMCSnapins/MMC_SecurityTemplates](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitytemplates) -- [ADMX_MMCSnapins/MMC_SendConsoleMessage](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sendconsolemessage) -- [ADMX_MMCSnapins/MMC_ServerManager](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-servermanager) -- [ADMX_MMCSnapins/MMC_ServiceDependencies](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-servicedependencies) -- [ADMX_MMCSnapins/MMC_Services](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-services) -- [ADMX_MMCSnapins/MMC_SharedFolders](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sharedfolders) -- [ADMX_MMCSnapins/MMC_SharedFolders_Ext](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sharedfolders-ext) -- [ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstalationcomputers-1) -- [ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstalationcomputers-2) -- [ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstallationusers-1) -- [ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstallationusers-2) -- [ADMX_MMCSnapins/MMC_SysInfo](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sysinfo) -- [ADMX_MMCSnapins/MMC_SysProp](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sysprop) -- [ADMX_MMCSnapins/MMC_TPMManagement](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-tpmmanagement) -- [ADMX_MMCSnapins/MMC_Telephony](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-telephony) -- [ADMX_MMCSnapins/MMC_TerminalServices](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-terminalservices) -- [ADMX_MMCSnapins/MMC_WMI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wmi) -- [ADMX_MMCSnapins/MMC_WindowsFirewall](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-windowsfirewall) -- [ADMX_MMCSnapins/MMC_WindowsFirewall_GP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-windowsfirewall-gp) -- [ADMX_MMCSnapins/MMC_WiredNetworkPolicy](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirednetworkpolicy) -- [ADMX_MMCSnapins/MMC_WirelessMon](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessmon) -- [ADMX_MMCSnapins/MMC_WirelessNetworkPolicy](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessnetworkpolicy) -- [ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1](./policy-csp-admx-mobilepcmobilitycenter.md#admx-mobilepcmobilitycenter-mobilitycenterenable_1) -- [ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2](./policy-csp-admx-mobilepcmobilitycenter.md#admx-mobilepcmobilitycenter-mobilitycenterenable_2) -- [ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1](./policy-csp-admx-mobilepcpresentationsettings.md#admx-mobilepcpresentationsettings-presentationsettingsenable_1) -- [ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2](./policy-csp-admx-mobilepcpresentationsettings.md#admx-mobilepcpresentationsettings-presentationsettingsenable_2) -- [ADMX_MSAPolicy/IncludeMicrosoftAccount_DisableUserAuthCmdLine](./policy-csp-admx-msapolicy.md#admx-msapolicy-microsoftaccount-disableuserauth) -- [ADMX_msched/ActivationBoundaryPolicy](./policy-csp-admx-msched.md#admx-msched-activationboundarypolicy) -- [ADMX_msched/RandomDelayPolicy](./policy-csp-admx-msched.md#admx-msched-randomdelaypolicy) -- [ADMX_MSDT/MsdtSupportProvider](./policy-csp-admx-msdt.md#admx-msdt-msdtsupportprovider) -- [ADMX_MSDT/MsdtToolDownloadPolicy](./policy-csp-admx-msdt.md#admx-msdt-msdttooldownloadpolicy) -- [ADMX_MSDT/WdiScenarioExecutionPolicy](./policy-csp-admx-msdt.md#admx-msdt-wdiscenarioexecutionpolicy) -- [ADMX_MSI/AllowLockdownBrowse](./policy-csp-admx-msi.md#admx-msi-allowlockdownbrowse) -- [ADMX_MSI/AllowLockdownMedia](./policy-csp-admx-msi.md#admx-msi-allowlockdownmedia) -- [ADMX_MSI/AllowLockdownPatch](./policy-csp-admx-msi.md#admx-msi-allowlockdownpatch) -- [ADMX_MSI/DisableAutomaticApplicationShutdown](./policy-csp-admx-msi.md#admx-msi-disableautomaticapplicationshutdown) -- [ADMX_MSI/DisableBrowse](./policy-csp-admx-msi.md#admx-msi-disablebrowse) -- [ADMX_MSI/DisableFlyweightPatching](./policy-csp-admx-msi.md#admx-msi-disableflyweightpatching) -- [ADMX_MSI/DisableLoggingFromPackage](./policy-csp-admx-msi.md#admx-msi-disableloggingfrompackage) -- [ADMX_MSI/DisableMSI](./policy-csp-admx-msi.md#admx-msi-disablemsi) -- [ADMX_MSI/DisableMedia](./policy-csp-admx-msi.md#admx-msi-disablemedia) -- [ADMX_MSI/DisablePatch](./policy-csp-admx-msi.md#admx-msi-disablepatch) -- [ADMX_MSI/DisableRollback_1](./policy-csp-admx-msi.md#admx-msi-disablerollback-1) -- [ADMX_MSI/DisableRollback_2](./policy-csp-admx-msi.md#admx-msi-disablerollback-2) -- [ADMX_MSI/DisableSharedComponent](./policy-csp-admx-msi.md#admx-msi-disablesharedcomponent) -- [ADMX_MSI/MSILogging](./policy-csp-admx-msi.md#admx-msi-msilogging) -- [ADMX_MSI/MSI_DisableLUAPatching](./policy-csp-admx-msi.md#admx-msi-msi-disableluapatching) -- [ADMX_MSI/MSI_DisablePatchUninstall](./policy-csp-admx-msi.md#admx-msi-msi-disablepatchuninstall) -- [ADMX_MSI/MSI_DisableSRCheckPoints](./policy-csp-admx-msi.md#admx-msi-msi-disablesrcheckpoints) -- [ADMX_MSI/MSI_DisableUserInstalls](./policy-csp-admx-msi.md#admx-msi-msi-disableuserinstalls) -- [ADMX_MSI/MSI_EnforceUpgradeComponentRules](./policy-csp-admx-msi.md#admx-msi-msi-enforceupgradecomponentrules) -- [ADMX_MSI/MSI_MaxPatchCacheSize](./policy-csp-admx-msi.md#admx-msi-msi-maxpatchcachesize) -- [ADMX_MSI/MsiDisableEmbeddedUI](./policy-csp-admx-msi.md#admx-msi-msidisableembeddedui) -- [ADMX_MSI/SafeForScripting](./policy-csp-admx-msi.md#admx-msi-safeforscripting) -- [ADMX_MSI/SearchOrder](./policy-csp-admx-msi.md#admx-msi-searchorder) -- [ADMX_MSI/TransformsSecure](./policy-csp-admx-msi.md#admx-msi-transformssecure) -- [ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-msifilerecovery.md#admx-msifilerecovery-wdiscenarioexecutionpolicy) -- [ADMX_nca/CorporateResources](./policy-csp-admx-nca.md#admx-nca-corporateresources) -- [ADMX_nca/CustomCommands](./policy-csp-admx-nca.md#admx-nca-customcommands) -- [ADMX_nca/DTEs](./policy-csp-admx-nca.md#admx-nca-dtes) -- [ADMX_nca/FriendlyName](./policy-csp-admx-nca.md#admx-nca-friendlyname) -- [ADMX_nca/LocalNamesOn](./policy-csp-admx-nca.md#admx-nca-localnameson) -- [ADMX_nca/PassiveMode](./policy-csp-admx-nca.md#admx-nca-passivemode) -- [ADMX_nca/ShowUI](./policy-csp-admx-nca.md#admx-nca-showui) -- [ADMX_nca/SupportEmail](./policy-csp-admx-nca.md#admx-nca-supportemail) -- [ADMX_NCSI/NCSI_CorpDnsProbeContent](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpdnsprobecontent) -- [ADMX_NCSI/NCSI_CorpDnsProbeHost](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpdnsprobehost) -- [ADMX_NCSI/NCSI_CorpSitePrefixes](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpsiteprefixes) -- [ADMX_NCSI/NCSI_CorpWebProbeUrl](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpwebprobeurl) -- [ADMX_NCSI/NCSI_DomainLocationDeterminationUrl](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-domainlocationdeterminationurl) -- [ADMX_NCSI/NCSI_GlobalDns](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-globaldns) -- [ADMX_NCSI/NCSI_PassivePolling](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-passivepolling) -- [ADMX_Netlogon/Netlogon_AddressLookupOnPingBehavior](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-addresslookuponpingbehavior) -- [ADMX_Netlogon/Netlogon_AddressTypeReturned](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-addresstypereturned) -- [ADMX_Netlogon/Netlogon_AllowDnsSuffixSearch](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-allowdnssuffixsearch) -- [ADMX_Netlogon/Netlogon_AllowNT4Crypto](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-allownt4crypto) -- [ADMX_Netlogon/Netlogon_AllowSingleLabelDnsDomain](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-allowsinglelabeldnsdomain) -- [ADMX_Netlogon/Netlogon_AutoSiteCoverage](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-autositecoverage) -- [ADMX_Netlogon/Netlogon_AvoidFallbackNetbiosDiscovery](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-avoidfallbacknetbiosdiscovery) -- [ADMX_Netlogon/Netlogon_AvoidPdcOnWan](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-avoidpdconwan) -- [ADMX_Netlogon/Netlogon_BackgroundRetryInitialPeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundretryinitialperiod) -- [ADMX_Netlogon/Netlogon_BackgroundRetryMaximumPeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundretrymaximumperiod) -- [ADMX_Netlogon/Netlogon_BackgroundRetryQuitTime](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundretryquittime) -- [ADMX_Netlogon/Netlogon_BackgroundSuccessfulRefreshPeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundsuccessfulrefreshperiod) -- [ADMX_Netlogon/Netlogon_DebugFlag](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-debugflag) -- [ADMX_Netlogon/Netlogon_DnsAvoidRegisterRecords](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnsavoidregisterrecords) -- [ADMX_Netlogon/Netlogon_DnsRefreshInterval](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnsrefreshinterval) -- [ADMX_Netlogon/Netlogon_DnsSrvRecordUseLowerCaseHostNames](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnssrvrecorduselowercasehostnames) -- [ADMX_Netlogon/Netlogon_DnsTtl](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnsttl) -- [ADMX_Netlogon/Netlogon_ExpectedDialupDelay](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-expecteddialupdelay) -- [ADMX_Netlogon/Netlogon_ForceRediscoveryInterval](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-forcerediscoveryinterval) -- [ADMX_Netlogon/Netlogon_GcSiteCoverage](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-gcsitecoverage) -- [ADMX_Netlogon/Netlogon_IgnoreIncomingMailslotMessages](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ignoreincomingmailslotmessages) -- [ADMX_Netlogon/Netlogon_LdapSrvPriority](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ldapsrvpriority) -- [ADMX_Netlogon/Netlogon_LdapSrvWeight](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ldapsrvweight) -- [ADMX_Netlogon/Netlogon_MaximumLogFileSize](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-maximumlogfilesize) -- [ADMX_Netlogon/Netlogon_NdncSiteCoverage](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ndncsitecoverage) -- [ADMX_Netlogon/Netlogon_NegativeCachePeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-negativecacheperiod) -- [ADMX_Netlogon/Netlogon_NetlogonShareCompatibilityMode](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-netlogonsharecompatibilitymode) -- [ADMX_Netlogon/Netlogon_NonBackgroundSuccessfulRefreshPeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-nonbackgroundsuccessfulrefreshperiod) -- [ADMX_Netlogon/Netlogon_PingUrgencyMode](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-pingurgencymode) -- [ADMX_Netlogon/Netlogon_ScavengeInterval](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-scavengeinterval) -- [ADMX_Netlogon/Netlogon_SiteCoverage](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sitecoverage) -- [ADMX_Netlogon/Netlogon_SiteName](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sitename) -- [ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sysvolsharecompatibilitymode) -- [ADMX_Netlogon/Netlogon_TryNextClosestSite](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-trynextclosestsite) -- [ADMX_Netlogon/Netlogon_UseDynamicDns](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-usedynamicdns) -- [ADMX_NetworkConnections/NC_AddRemoveComponents](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-addremovecomponents) -- [ADMX_NetworkConnections/NC_AdvancedSettings](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-advancedsettings) -- [ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-allowadvancedtcpipconfig) -- [ADMX_NetworkConnections/NC_ChangeBindState](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-changebindstate) -- [ADMX_NetworkConnections/NC_DeleteAllUserConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-deletealluserconnection) -- [ADMX_NetworkConnections/NC_DeleteConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-deleteconnection) -- [ADMX_NetworkConnections/NC_DialupPrefs](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-dialupprefs) -- [ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-donotshowlocalonlyicon) -- [ADMX_NetworkConnections/NC_EnableAdminProhibits](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-enableadminprohibits) -- [ADMX_NetworkConnections/NC_ForceTunneling](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-forcetunneling) -- [ADMX_NetworkConnections/NC_IpStateChecking](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-ipstatechecking) -- [ADMX_NetworkConnections/NC_LanChangeProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanchangeproperties) -- [ADMX_NetworkConnections/NC_LanConnect](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanconnect) -- [ADMX_NetworkConnections/NC_LanProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanproperties) -- [ADMX_NetworkConnections/NC_NewConnectionWizard](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-newconnectionwizard) -- [ADMX_NetworkConnections/NC_PersonalFirewallConfig](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-personalfirewallconfig) -- [ADMX_NetworkConnections/NC_RasAllUserProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasalluserproperties) -- [ADMX_NetworkConnections/NC_RasChangeProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-raschangeproperties) -- [ADMX_NetworkConnections/NC_RasConnect](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasconnect) -- [ADMX_NetworkConnections/NC_RasMyProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasmyproperties) -- [ADMX_NetworkConnections/NC_RenameAllUserRasConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamealluserrasconnection) -- [ADMX_NetworkConnections/NC_RenameConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renameconnection) -- [ADMX_NetworkConnections/NC_RenameLanConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamelanconnection) -- [ADMX_NetworkConnections/NC_RenameMyRasConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamemyrasconnection) -- [ADMX_NetworkConnections/NC_ShowSharedAccessUI](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-showsharedaccessui) -- [ADMX_NetworkConnections/NC_Statistics](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-statistics) -- [ADMX_NetworkConnections/NC_StdDomainUserSetLocation](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-stddomainusersetlocation) -- [ADMX_OfflineFiles/Pol_AlwaysPinSubFolders](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-alwayspinsubfolders) -- [ADMX_OfflineFiles/Pol_AssignedOfflineFiles_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-assignedofflinefiles-1) -- [ADMX_OfflineFiles/Pol_AssignedOfflineFiles_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-assignedofflinefiles-2) -- [ADMX_OfflineFiles/Pol_BackgroundSyncSettings](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-backgroundsyncsettings) -- [ADMX_OfflineFiles/Pol_CacheSize](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-cachesize) -- [ADMX_OfflineFiles/Pol_CustomGoOfflineActions_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-customgoofflineactions-1) -- [ADMX_OfflineFiles/Pol_CustomGoOfflineActions_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-customgoofflineactions-2) -- [ADMX_OfflineFiles/Pol_DefCacheSize](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-defcachesize) -- [ADMX_OfflineFiles/Pol_Enabled](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-enabled) -- [ADMX_OfflineFiles/Pol_EncryptOfflineFiles](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-encryptofflinefiles) -- [ADMX_OfflineFiles/Pol_EventLoggingLevel_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-eventlogginglevel-1) -- [ADMX_OfflineFiles/Pol_EventLoggingLevel_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-eventlogginglevel-2) -- [ADMX_OfflineFiles/Pol_ExclusionListSettings](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-exclusionlistsettings) -- [ADMX_OfflineFiles/Pol_ExtExclusionList](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-extexclusionlist) -- [ADMX_OfflineFiles/Pol_GoOfflineAction_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-goofflineaction-1) -- [ADMX_OfflineFiles/Pol_GoOfflineAction_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-goofflineaction-2) -- [ADMX_OfflineFiles/Pol_NoCacheViewer_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nocacheviewer-1) -- [ADMX_OfflineFiles/Pol_NoCacheViewer_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nocacheviewer-2) -- [ADMX_OfflineFiles/Pol_NoConfigCache_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noconfigcache-1) -- [ADMX_OfflineFiles/Pol_NoConfigCache_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noconfigcache-2) -- [ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nomakeavailableoffline-1) -- [ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nomakeavailableoffline-2) -- [ADMX_OfflineFiles/Pol_NoPinFiles_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nopinfiles-1) -- [ADMX_OfflineFiles/Pol_NoPinFiles_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nopinfiles-2) -- [ADMX_OfflineFiles/Pol_NoReminders_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noreminders-1) -- [ADMX_OfflineFiles/Pol_NoReminders_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noreminders-2) -- [ADMX_OfflineFiles/Pol_OnlineCachingSettings](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-onlinecachingsettings) -- [ADMX_OfflineFiles/Pol_PurgeAtLogoff](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-purgeatlogoff) -- [ADMX_OfflineFiles/Pol_QuickAdimPin](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-quickadimpin) -- [ADMX_OfflineFiles/Pol_ReminderFreq_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderfreq-1) -- [ADMX_OfflineFiles/Pol_ReminderFreq_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderfreq-2) -- [ADMX_OfflineFiles/Pol_ReminderInitTimeout_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderinittimeout-1) -- [ADMX_OfflineFiles/Pol_ReminderInitTimeout_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderinittimeout-2) -- [ADMX_OfflineFiles/Pol_ReminderTimeout_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-remindertimeout-1) -- [ADMX_OfflineFiles/Pol_ReminderTimeout_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-remindertimeout-2) -- [ADMX_OfflineFiles/Pol_SlowLinkSettings](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-slowlinksettings) -- [ADMX_OfflineFiles/Pol_SlowLinkSpeed](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-slowlinkspeed) -- [ADMX_OfflineFiles/Pol_SyncAtLogoff_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogoff-1) -- [ADMX_OfflineFiles/Pol_SyncAtLogoff_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogoff-2) -- [ADMX_OfflineFiles/Pol_SyncAtLogon_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogon-1) -- [ADMX_OfflineFiles/Pol_SyncAtLogon_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogon-2) -- [ADMX_OfflineFiles/Pol_SyncAtSuspend_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatsuspend-1) -- [ADMX_OfflineFiles/Pol_SyncAtSuspend_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatsuspend-2) -- [ADMX_OfflineFiles/Pol_SyncOnCostedNetwork](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-synconcostednetwork) -- [ADMX_OfflineFiles/Pol_WorkOfflineDisabled_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-workofflinedisabled-1) -- [ADMX_OfflineFiles/Pol_WorkOfflineDisabled_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-workofflinedisabled-2) -- [ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectdeprecatedcomcomponentfailurespolicy) -- [ADMX_pca/DetectDeprecatedComponentFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectdeprecatedcomponentfailurespolicy) -- [ADMX_pca/DetectInstallFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectinstallfailurespolicy) -- [ADMX_pca/DetectUndetectedInstallersPolicy](./policy-csp-admx-pca.md#admx-pca-detectundetectedinstallerspolicy) -- [ADMX_pca/DetectUpdateFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectupdatefailurespolicy) -- [ADMX_pca/DisablePcaUIPolicy](./policy-csp-admx-pca.md#admx-pca-disablepcauipolicy) -- [ADMX_pca/DetectBlockedDriversPolicy](./policy-csp-admx-pca.md#admx-pca-detectblockeddriverspolicy) -- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache) -- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Distributed](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-distributed) -- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Hosted](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hosted) -- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedCacheDiscovery](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hostedcachediscovery) -- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedMultipleServers](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hostedmultipleservers) -- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_SMB](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-smb) -- [ADMX_PeerToPeerCaching/SetCachePercent](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setcachepercent) -- [ADMX_PeerToPeerCaching/SetDataCacheEntryMaxAge](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setdatacacheentrymaxage) -- [ADMX_PeerToPeerCaching/SetDowngrading](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setdowngrading) -- [ADMX_PenTraining/PenTrainingOff_1](./policy-csp-admx-pentraining.md#admx-pentraining-pentrainingoff_1) -- [ADMX_PenTraining/PenTrainingOff_2](./policy-csp-admx-pentraining.md#admx-pentraining-pentrainingoff_2) -- [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_1](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-1) -- [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-2) -- [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-3) -- [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-4) -- [ADMX_Power/ACConnectivityInStandby_2](./policy-csp-admx-power.md#admx-power-acconnectivityinstandby-2) -- [ADMX_Power/ACCriticalSleepTransitionsDisable_2](./policy-csp-admx-power.md#admx-power-accriticalsleeptransitionsdisable-2) -- [ADMX_Power/ACStartMenuButtonAction_2](./policy-csp-admx-power.md#admx-power-acstartmenubuttonaction-2) -- [ADMX_Power/AllowSystemPowerRequestAC](./policy-csp-admx-power.md#admx-power-allowsystempowerrequestac) -- [ADMX_Power/AllowSystemPowerRequestDC](./policy-csp-admx-power.md#admx-power-allowsystempowerrequestdc) -- [ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC](./policy-csp-admx-power.md#admx-power-allowsystemsleepwithremotefilesopenac) -- [ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC](./policy-csp-admx-power.md#admx-power-allowsystemsleepwithremotefilesopendc) -- [ADMX_Power/CustomActiveSchemeOverride_2](./policy-csp-admx-power.md#admx-power-customactiveschemeoverride-2) -- [ADMX_Power/DCBatteryDischargeAction0_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargeaction0-2) -- [ADMX_Power/DCBatteryDischargeAction1_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargeaction1-2) -- [ADMX_Power/DCBatteryDischargeLevel0_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel0-2) -- [ADMX_Power/DCBatteryDischargeLevel1UINotification_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel1uinotification-2) -- [ADMX_Power/DCBatteryDischargeLevel1_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel1-2) -- [ADMX_Power/DCConnectivityInStandby_2](./policy-csp-admx-power.md#admx-power-dcconnectivityinstandby-2) -- [ADMX_Power/DCCriticalSleepTransitionsDisable_2](./policy-csp-admx-power.md#admx-power-dccriticalsleeptransitionsdisable-2) -- [ADMX_Power/DCStartMenuButtonAction_2](./policy-csp-admx-power.md#admx-power-dcstartmenubuttonaction-2) -- [ADMX_Power/DiskACPowerDownTimeOut_2](./policy-csp-admx-power.md#admx-power-diskacpowerdowntimeout-2) -- [ADMX_Power/DiskDCPowerDownTimeOut_2](./policy-csp-admx-power.md#admx-power-diskdcpowerdowntimeout-2) -- [ADMX_Power/Dont_PowerOff_AfterShutdown](./policy-csp-admx-power.md#admx-power-dont-poweroff-aftershutdown) -- [ADMX_Power/EnableDesktopSlideShowAC](./policy-csp-admx-power.md#admx-power-enabledesktopslideshowac) -- [ADMX_Power/EnableDesktopSlideShowDC](./policy-csp-admx-power.md#admx-power-enabledesktopslideshowdc) -- [ADMX_Power/InboxActiveSchemeOverride_2](./policy-csp-admx-power.md#admx-power-inboxactiveschemeoverride-2) -- [ADMX_Power/PW_PromptPasswordOnResume](./policy-csp-admx-power.md#admx-power-pw-promptpasswordonresume) -- [ADMX_Power/PowerThrottlingTurnOff](./policy-csp-admx-power.md#admx-power-powerthrottlingturnoff) -- [ADMX_Power/ReserveBatteryNotificationLevel](./policy-csp-admx-power.md#admx-power-reservebatterynotificationlevel) -- [ADMX_PowerShellExecutionPolicy/EnableModuleLogging](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablemodulelogging) -- [ADMX_PowerShellExecutionPolicy/EnableScripts](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablescripts) -- [ADMX_PowerShellExecutionPolicy/EnableTranscripting](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enabletranscripting) -- [ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enableupdatehelpdefaultsourcepath) -- [ADMX_PreviousVersions/DisableLocalPage_1](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalpage_1) -- [ADMX_PreviousVersions/DisableLocalPage_2](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalpage_2) -- [ADMX_PreviousVersions/DisableRemotePage_1](./policy-csp-admx-previousversions.md#admx-previousversions-disableremotepage_1) -- [ADMX_PreviousVersions/DisableRemotePage_2](./policy-csp-admx-previousversions.md#admx-previousversions-disableremotepage_2) -- [ADMX_PreviousVersions/HideBackupEntries_1](./policy-csp-admx-previousversions.md#admx-previousversions-hidebackupentries_1) -- [ADMX_PreviousVersions/HideBackupEntries_2](./policy-csp-admx-previousversions.md#admx-previousversions-hidebackupentries_2) -- [ADMX_PreviousVersions/DisableLocalRestore_1](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalrestore_1) -- [ADMX_PreviousVersions/DisableLocalRestore_2](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalrestore_2) -- [ADMX_Printing/AllowWebPrinting](./policy-csp-admx-printing.md#admx-printing-allowwebprinting) -- [ADMX_Printing/ApplicationDriverIsolation](./policy-csp-admx-printing.md#admx-printing-applicationdriverisolation) -- [ADMX_Printing/CustomizedSupportUrl](./policy-csp-admx-printing.md#admx-printing-customizedsupporturl) -- [ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate](./policy-csp-admx-printing.md#admx-printing-donotinstallcompatibledriverfromwindowsupdate) -- [ADMX_Printing/DomainPrinters](./policy-csp-admx-printing.md#admx-printing-domainprinters) -- [ADMX_Printing/DownlevelBrowse](./policy-csp-admx-printing.md#admx-printing-downlevelbrowse) -- [ADMX_Printing/EMFDespooling](./policy-csp-admx-printing.md#admx-printing-emfdespooling) -- [ADMX_Printing/ForceSoftwareRasterization](./policy-csp-admx-printing.md#admx-printing-forcesoftwarerasterization) -- [ADMX_Printing/IntranetPrintersUrl](./policy-csp-admx-printing.md#admx-printing-intranetprintersurl) -- [ADMX_Printing/KMPrintersAreBlocked](./policy-csp-admx-printing.md#admx-printing-kmprintersareblocked) -- [ADMX_Printing/LegacyDefaultPrinterMode](./policy-csp-admx-printing.md#admx-printing-legacydefaultprintermode) -- [ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS](./policy-csp-admx-printing.md#admx-printing-mxdwuselegacyoutputformatmsxps) -- [ADMX_Printing/NoDeletePrinter](./policy-csp-admx-printing.md#admx-printing-nodeleteprinter) -- [ADMX_Printing/NonDomainPrinters](./policy-csp-admx-printing.md#admx-printing-nondomainprinters) -- [ADMX_Printing/PackagePointAndPrintOnly](./policy-csp-admx-printing.md#admx-printing-packagepointandprintonly) -- [ADMX_Printing/PackagePointAndPrintOnly_Win7](./policy-csp-admx-printing.md#admx-printing-packagepointandprintonly-win7) -- [ADMX_Printing/PackagePointAndPrintServerList](./policy-csp-admx-printing.md#admx-printing-packagepointandprintserverlist) -- [ADMX_Printing/PackagePointAndPrintServerList_Win7](./policy-csp-admx-printing.md#admx-printing-packagepointandprintserverlist-win7) -- [ADMX_Printing/PhysicalLocation](./policy-csp-admx-printing.md#admx-printing-physicallocation) -- [ADMX_Printing/PhysicalLocationSupport](./policy-csp-admx-printing.md#admx-printing-physicallocationsupport) -- [ADMX_Printing/PrintDriverIsolationExecutionPolicy](./policy-csp-admx-printing.md#admx-printing-printdriverisolationexecutionpolicy -) -- [ADMX_Printing/PrintDriverIsolationOverrideCompat](./policy-csp-admx-printing.md#admx-printing-printdriverisolationoverridecompat) -- [ADMX_Printing/PrinterDirectorySearchScope](./policy-csp-admx-printing.md#admx-printing-printerdirectorysearchscope) -- [ADMX_Printing/PrinterServerThread](./policy-csp-admx-printing.md#admx-printing-printerserverthread) -- [ADMX_Printing/ShowJobTitleInEventLogs](./policy-csp-admx-printing.md#admx-printing-showjobtitleineventlogs) -- [ADMX_Printing/V4DriverDisallowPrinterExtension](./policy-csp-admx-printing.md#admx-printing-v4driverdisallowprinterextension) -- [ADMX_Printing2/AutoPublishing](./policy-csp-admx-printing2.md#admx-printing2-autopublishing) -- [ADMX_Printing2/ImmortalPrintQueue](./policy-csp-admx-printing2.md#admx-printing2-immortalprintqueue) -- [ADMX_Printing2/PruneDownlevel](./policy-csp-admx-printing2.md#admx-printing2-prunedownlevel) -- [ADMX_Printing2/PruningInterval](./policy-csp-admx-printing2.md#admx-printing2-pruninginterval) -- [ADMX_Printing2/PruningPriority](./policy-csp-admx-printing2.md#admx-printing2-pruningpriority) -- [ADMX_Printing2/PruningRetries](./policy-csp-admx-printing2.md#admx-printing2-pruningretries) -- [ADMX_Printing2/PruningRetryLog](./policy-csp-admx-printing2.md#admx-printing2-pruningretrylog) -- [ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint](./policy-csp-admx-printing2.md#admx-printing2-registerspoolerremoterpcendpoint) -- [ADMX_Printing2/VerifyPublishedState](./policy-csp-admx-printing2.md#admx-printing2-verifypublishedstate) -- [ADMX_Programs/NoDefaultPrograms](./policy-csp-admx-programs.md#admx-programs-nodefaultprograms) -- [ADMX_Programs/NoGetPrograms](./policy-csp-admx-programs.md#admx-programs-nogetprograms) -- [ADMX_Programs/NoInstalledUpdates](./policy-csp-admx-programs.md#admx-programs-noinstalledupdates) -- [ADMX_Programs/NoProgramsAndFeatures](./policy-csp-admx-programs.md#admx-programs-noprogramsandfeatures) -- [ADMX_Programs/NoProgramsCPL](./policy-csp-admx-programs.md#admx-programs-noprogramscpl) -- [ADMX_Programs/NoWindowsFeatures](./policy-csp-admx-programs.md#admx-programs-nowindowsfeatures) -- [ADMX_Programs/NoWindowsMarketplace](./policy-csp-admx-programs.md#admx-programs-nowindowsmarketplace) -- [ADMX_Reliability/EE_EnablePersistentTimeStamp](./policy-csp-admx-reliability.md#admx-reliability-ee-enablepersistenttimestamp) -- [ADMX_Reliability/PCH_ReportShutdownEvents](./policy-csp-admx-reliability.md#admx-reliability-pch-reportshutdownevents) -- [ADMX_Reliability/ShutdownEventTrackerStateFile](./policy-csp-admx-reliability.md#admx-reliability-shutdowneventtrackerstatefile) -- [ADMX_Reliability/ShutdownReason](./policy-csp-admx-reliability.md#admx-reliability-shutdownreason) -- [ADMX_RemoteAssistance/RA_EncryptedTicketOnly](./policy-csp-admx-remoteassistance.md#admx-remoteassistance-ra-encryptedticketonly) -- [ADMX_RemoteAssistance/RA_Optimize_Bandwidth](./policy-csp-admx-remoteassistance.md#admx-remoteassistance-ra-optimize-bandwidth) -- [ADMX_RemovableStorage/AccessRights_RebootTime_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-accessrights-reboottime-1) -- [ADMX_RemovableStorage/AccessRights_RebootTime_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-accessrights-reboottime-2) -- [ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyexecute-access-2) -- [ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyread-access-1) -- [ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyread-access-2) -- [ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denywrite-access-1) -- [ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denywrite-access-2) -- [ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denyread-access-1) -- [ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denyread-access-2) -- [ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denywrite-access-1) -- [ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denywrite-access-2) -- [ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyexecute-access-2) -- [ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyread-access-1) -- [ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyread-access-2) -- [ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denywrite-access-1) -- [ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denywrite-access-2) -- [ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyexecute-access-2) -- [ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyread-access-1) -- [ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyread-access-2) -- [ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denywrite-access-1) -- [ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-removablestorageclasses-denyall-access-1) -- [ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-removablestorageclasses-denyall-access-2) -- [ADMX_RemovableStorage/Removable_Remote_Allow_Access](./policy-csp-admx-removablestorage.md#admx-removablestorage-removable-remote-allow-access) -- [ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyexecute-access-2) -- [ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyread-access-1) -- [ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyread-access-2) -- [ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denywrite-access-1) -- [ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denywrite-access-2) -- [ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denyread-access-1) -- [ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denyread-access-2) -- [ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denywrite-access-1) -- [ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denywrite-access-2) -- [ADMX_RPC/RpcExtendedErrorInformation](./policy-csp-admx-rpc.md#admx-rpc-rpcextendederrorinformation) -- [ADMX_RPC/RpcIgnoreDelegationFailure](./policy-csp-admx-rpc.md#admx-rpc-rpcignoredelegationfailure) -- [ADMX_RPC/RpcMinimumHttpConnectionTimeout](./policy-csp-admx-rpc.md#admx-rpc-rpcminimumhttpconnectiontimeout) -- [ADMX_RPC/RpcStateInformation](./policy-csp-admx-rpc.md#admx-rpc-rpcstateinformation) -- [ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled](./policy-csp-admx-scripts.md#admx-scripts-allow-logon-script-netbiosdisabled) -- [ADMX_Scripts/MaxGPOScriptWaitPolicy](./policy-csp-admx-scripts.md#admx-scripts-maxgposcriptwaitpolicy) -- [ADMX_Scripts/Run_Computer_PS_Scripts_First](./policy-csp-admx-scripts.md#admx-scripts-run-computer-ps-scripts-first) -- [ADMX_Scripts/Run_Legacy_Logon_Script_Hidden](./policy-csp-admx-scripts.md#admx-scripts-run-legacy-logon-script-hidden) -- [ADMX_Scripts/Run_Logoff_Script_Visible](./policy-csp-admx-scripts.md#admx-scripts-run-logoff-script-visible) -- [ADMX_Scripts/Run_Logon_Script_Sync_1](./policy-csp-admx-scripts.md#admx-scripts-run-logon-script-sync-1) -- [ADMX_Scripts/Run_Logon_Script_Sync_2](./policy-csp-admx-scripts.md#admx-scripts-run-logon-script-sync-2) -- [ADMX_Scripts/Run_Logon_Script_Visible](./policy-csp-admx-scripts.md#admx-scripts-run-logon-script-visible) -- [ADMX_Scripts/Run_Shutdown_Script_Visible](./policy-csp-admx-scripts.md#admx-scripts-run-shutdown-script-visible) -- [ADMX_Scripts/Run_Startup_Script_Sync](./policy-csp-admx-scripts.md#admx-scripts-run-startup-script-sync) -- [ADMX_Scripts/Run_Startup_Script_Visible](./policy-csp-admx-scripts.md#admx-scripts-run-startup-script-visible) -- [ADMX_Scripts/Run_User_PS_Scripts_First](./policy-csp-admx-scripts.md#admx-scripts-run-user-ps-scripts-first) -- [ADMX_sdiageng/BetterWhenConnected](./policy-csp-admx-sdiageng.md#admx-sdiageng-betterwhenconnected) -- [ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticsexecutionpolicy) -- [ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticssecuritypolicy) -- [ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy](./policy-csp-admx-sdiagschd.md#admx-sdiagschd-scheduleddiagnosticsexecutionpolicy) -- [ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain](./policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain) -- [ADMX_Sensors/DisableLocationScripting_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-1) -- [ADMX_Sensors/DisableLocationScripting_2](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-2) -- [ADMX_Sensors/DisableLocation_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocation-1) -- [ADMX_Sensors/DisableSensors_1](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-1) -- [ADMX_Sensors/DisableSensors_2](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-2) -- [ADMX_ServerManager/Do_not_display_Manage_Your_Server_page](./policy-csp-admx-servermanager.md#admx-servermanager-do_not_display_manage_your_server_page) -- [ADMX_ServerManager/ServerManagerAutoRefreshRate](./policy-csp-admx-servermanager.md#admx-servermanager-servermanagerautorefreshrate) -- [ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchinitialconfigurationtasks) -- [ADMX_ServerManager/DoNotLaunchServerManager](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchservermanager) -- [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing) -- [ADMX_SettingSync/DisableAppSyncSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableappsyncsettingsync) -- [ADMX_SettingSync/DisableApplicationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableapplicationsettingsync) -- [ADMX_SettingSync/DisableCredentialsSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablecredentialssettingsync) -- [ADMX_SettingSync/DisableDesktopThemeSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disabledesktopthemesettingsync) -- [ADMX_SettingSync/DisablePersonalizationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablepersonalizationsettingsync) -- [ADMX_SettingSync/DisableSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablesettingsync) -- [ADMX_SettingSync/DisableStartLayoutSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablestartlayoutsettingsync) -- [ADMX_SettingSync/DisableSyncOnPaidNetwork](./policy-csp-admx-settingsync.md#admx-settingsync-disablesynconpaidnetwork) -- [ADMX_SettingSync/DisableWindowsSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablewindowssettingsync) -- [ADMX_SharedFolders/PublishDfsRoots](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishdfsroots) -- [ADMX_SharedFolders/PublishSharedFolders](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishsharedfolders) -- [ADMX_Sharing/NoInplaceSharing](./policy-csp-admx-sharing.md#admx-sharing-noinplacesharing) -- [ADMX_ShellCommandPromptRegEditTools/DisallowApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disallowapps) -- [ADMX_ShellCommandPromptRegEditTools/DisableRegedit](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disableregedit) -- [ADMX_ShellCommandPromptRegEditTools/DisableCMD](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd) -- [ADMX_ShellCommandPromptRegEditTools/RestrictApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-restrictapps) -- [ADMX_Smartcard/AllowCertificatesWithNoEKU](./policy-csp-admx-smartcard.md#admx-smartcard-allowcertificateswithnoeku) -- [ADMX_Smartcard/AllowIntegratedUnblock](./policy-csp-admx-smartcard.md#admx-smartcard-allowintegratedunblock) -- [ADMX_Smartcard/AllowSignatureOnlyKeys](./policy-csp-admx-smartcard.md#admx-smartcard-allowsignatureonlykeys) -- [ADMX_Smartcard/AllowTimeInvalidCertificates](./policy-csp-admx-smartcard.md#admx-smartcard-allowtimeinvalidcertificates) -- [ADMX_Smartcard/CertPropEnabledString](./policy-csp-admx-smartcard.md#admx-smartcard-certpropenabledstring) -- [ADMX_Smartcard/CertPropRootCleanupString](./policy-csp-admx-smartcard.md#admx-smartcard-certproprootcleanupstring) -- [ADMX_Smartcard/CertPropRootEnabledString](./policy-csp-admx-smartcard.md#admx-smartcard-certproprootenabledstring) -- [ADMX_Smartcard/DisallowPlaintextPin](./policy-csp-admx-smartcard.md#admx-smartcard-disallowplaintextpin) -- [ADMX_Smartcard/EnumerateECCCerts](./policy-csp-admx-smartcard.md#admx-smartcard-enumerateecccerts) -- [ADMX_Smartcard/FilterDuplicateCerts](./policy-csp-admx-smartcard.md#admx-smartcard-filterduplicatecerts) -- [ADMX_Smartcard/ForceReadingAllCertificates](./policy-csp-admx-smartcard.md#admx-smartcard-forcereadingallcertificates) -- [ADMX_Smartcard/IntegratedUnblockPromptString](./policy-csp-admx-smartcard.md#admx-smartcard-integratedunblockpromptstring) -- [ADMX_Smartcard/ReverseSubject](./policy-csp-admx-smartcard.md#admx-smartcard-reversesubject) -- [ADMX_Smartcard/SCPnPEnabled](./policy-csp-admx-smartcard.md#admx-smartcard-scpnpenabled) -- [ADMX_Smartcard/SCPnPNotification](./policy-csp-admx-smartcard.md#admx-smartcard-scpnpnotification) -- [ADMX_Smartcard/X509HintsNeeded](./policy-csp-admx-smartcard.md#admx-smartcard-x509hintsneeded) -- [ADMX_Snmp/SNMP_Communities](./policy-csp-admx-snmp.md#admx-snmp-snmp-communities) -- [ADMX_Snmp/SNMP_PermittedManagers](./policy-csp-admx-snmp.md#admx-snmp-snmp-permittedmanagers) -- [ADMX_Snmp/SNMP_Traps_Public](./policy-csp-admx-snmp.md#admx-snmp-snmp-traps-public) -- [ADMX_StartMenu/AddSearchInternetLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-addsearchinternetlinkinstartmenu) -- [ADMX_StartMenu/ClearRecentDocsOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentdocsonexit) -- [ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentprogfornewuserinstartmenu) -- [ADMX_StartMenu/ClearTilesOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-cleartilesonexit) -- [ADMX_StartMenu/DesktopAppsFirstInAppsView](./policy-csp-admx-startmenu.md#admx-startmenu-desktopappsfirstinappsview) -- [ADMX_StartMenu/DisableGlobalSearchOnAppsView](./policy-csp-admx-startmenu.md#admx-startmenu-disableglobalsearchonappsview) -- [ADMX_StartMenu/ForceStartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-forcestartmenulogoff) -- [ADMX_StartMenu/GoToDesktopOnSignIn](./policy-csp-admx-startmenu.md#admx-startmenu-gotodesktoponsignin) -- [ADMX_StartMenu/GreyMSIAds](./policy-csp-admx-startmenu.md#admx-startmenu-greymsiads) -- [ADMX_StartMenu/HidePowerOptions](./policy-csp-admx-startmenu.md#admx-startmenu-hidepoweroptions) -- [ADMX_StartMenu/Intellimenus](./policy-csp-admx-startmenu.md#admx-startmenu-intellimenus) -- [ADMX_StartMenu/LockTaskbar](./policy-csp-admx-startmenu.md#admx-startmenu-locktaskbar) -- [ADMX_StartMenu/MemCheckBoxInRunDlg](./policy-csp-admx-startmenu.md#admx-startmenu-memcheckboxinrundlg) -- [ADMX_StartMenu/NoAutoTrayNotify](./policy-csp-admx-startmenu.md#admx-startmenu-noautotraynotify) -- [ADMX_StartMenu/NoBalloonTip](./policy-csp-admx-startmenu.md#admx-startmenu-noballoontip) -- [ADMX_StartMenu/NoChangeStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nochangestartmenu) -- [ADMX_StartMenu/NoClose](./policy-csp-admx-startmenu.md#admx-startmenu-noclose) -- [ADMX_StartMenu/NoCommonGroups](./policy-csp-admx-startmenu.md#admx-startmenu-nocommongroups) -- [ADMX_StartMenu/NoFavoritesMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nofavoritesmenu) -- [ADMX_StartMenu/NoFind](./policy-csp-admx-startmenu.md#admx-startmenu-nofind) -- [ADMX_StartMenu/NoGamesFolderOnStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nogamesfolderonstartmenu) -- [ADMX_StartMenu/NoHelp](./policy-csp-admx-startmenu.md#admx-startmenu-nohelp) -- [ADMX_StartMenu/NoInstrumentation](./policy-csp-admx-startmenu.md#admx-startmenu-noinstrumentation) -- [ADMX_StartMenu/NoMoreProgramsList](./policy-csp-admx-startmenu.md#admx-startmenu-nomoreprogramslist) -- [ADMX_StartMenu/NoNetAndDialupConnect](./policy-csp-admx-startmenu.md#admx-startmenu-nonetanddialupconnect) -- [ADMX_StartMenu/NoPinnedPrograms](./policy-csp-admx-startmenu.md#admx-startmenu-nopinnedprograms) -- [ADMX_StartMenu/NoRecentDocsMenu](./policy-csp-admx-startmenu.md#admx-startmenu-norecentdocsmenu) -- [ADMX_StartMenu/NoResolveSearch](./policy-csp-admx-startmenu.md#admx-startmenu-noresolvesearch) -- [ADMX_StartMenu/NoResolveTrack](./policy-csp-admx-startmenu.md#admx-startmenu-noresolvetrack) -- [ADMX_StartMenu/NoRun](./policy-csp-admx-startmenu.md#admx-startmenu-norun) -- [ADMX_StartMenu/NoSMConfigurePrograms](./policy-csp-admx-startmenu.md#admx-startmenu-nosmconfigureprograms) -- [ADMX_StartMenu/NoSMMyDocuments](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmydocuments) -- [ADMX_StartMenu/NoSMMyMusic](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmymusic) -- [ADMX_StartMenu/NoSMMyNetworkPlaces](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmynetworkplaces) -- [ADMX_StartMenu/NoSMMyPictures](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmypictures) -- [ADMX_StartMenu/NoSearchCommInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchcomminstartmenu) -- [ADMX_StartMenu/NoSearchComputerLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchcomputerlinkinstartmenu) -- [ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearcheverywherelinkinstartmenu) -- [ADMX_StartMenu/NoSearchFilesInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchfilesinstartmenu) -- [ADMX_StartMenu/NoSearchInternetInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchinternetinstartmenu) -- [ADMX_StartMenu/NoSearchProgramsInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchprogramsinstartmenu) -- [ADMX_StartMenu/NoSetFolders](./policy-csp-admx-startmenu.md#admx-startmenu-nosetfolders) -- [ADMX_StartMenu/NoSetTaskbar](./policy-csp-admx-startmenu.md#admx-startmenu-nosettaskbar) -- [ADMX_StartMenu/NoStartMenuDownload](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenudownload) -- [ADMX_StartMenu/NoStartMenuHomegroup](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenuhomegroup) -- [ADMX_StartMenu/NoStartMenuRecordedTV](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenurecordedtv) -- [ADMX_StartMenu/NoStartMenuSubFolders](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenusubfolders) -- [ADMX_StartMenu/NoStartMenuVideos](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenuvideos) -- [ADMX_StartMenu/NoStartPage](./policy-csp-admx-startmenu.md#admx-startmenu-nostartpage) -- [ADMX_StartMenu/NoTaskBarClock](./policy-csp-admx-startmenu.md#admx-startmenu-notaskbarclock) -- [ADMX_StartMenu/NoTaskGrouping](./policy-csp-admx-startmenu.md#admx-startmenu-notaskgrouping) -- [ADMX_StartMenu/NoToolbarsOnTaskbar](./policy-csp-admx-startmenu.md#admx-startmenu-notoolbarsontaskbar) -- [ADMX_StartMenu/NoTrayContextMenu](./policy-csp-admx-startmenu.md#admx-startmenu-notraycontextmenu) -- [ADMX_StartMenu/NoTrayItemsDisplay](./policy-csp-admx-startmenu.md#admx-startmenu-notrayitemsdisplay) -- [ADMX_StartMenu/NoUninstallFromStart](./policy-csp-admx-startmenu.md#admx-startmenu-nouninstallfromstart) -- [ADMX_StartMenu/NoUserFolderOnStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nouserfolderonstartmenu) -- [ADMX_StartMenu/NoUserNameOnStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nousernameonstartmenu) -- [ADMX_StartMenu/NoWindowsUpdate](./policy-csp-admx-startmenu.md#admx-startmenu-nowindowsupdate) -- [ADMX_StartMenu/PowerButtonAction](./policy-csp-admx-startmenu.md#admx-startmenu-powerbuttonaction) -- [ADMX_StartMenu/QuickLaunchEnabled](./policy-csp-admx-startmenu.md#admx-startmenu-quicklaunchenabled) -- [ADMX_StartMenu/RemoveUnDockPCButton](./policy-csp-admx-startmenu.md#admx-startmenu-removeundockpcbutton) -- [ADMX_StartMenu/ShowAppsViewOnStart](./policy-csp-admx-startmenu.md#admx-startmenu-showappsviewonstart) -- [ADMX_StartMenu/ShowRunAsDifferentUserInStart](./policy-csp-admx-startmenu.md#admx-startmenu-showrunasdifferentuserinstart) -- [ADMX_StartMenu/ShowRunInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-showruninstartmenu) -- [ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey](./policy-csp-admx-startmenu.md#admx-startmenu-showstartondisplaywithforegroundonwinkey) -- [ADMX_StartMenu/StartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-startmenulogoff) -- [ADMX_StartMenu/StartPinAppsWhenInstalled](./policy-csp-admx-startmenu.md#admx-startmenu-startpinappswheninstalled) -- [ADMX_SystemRestore/SR_DisableConfig](./policy-csp-admx-systemrestore.md#admx-systemrestore-sr-disableconfig) -- [ADMX_TabletShell/DisableInkball_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disableinkball_1) -- [ADMX_TabletShell/DisableNoteWriterPrinting_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disablenotewriterprinting_1) -- [ADMX_Taskbar/DisableNotificationCenter](./policy-csp-admx-taskbar.md#admx-taskbar-disablenotificationcenter) -- [ADMX_Taskbar/EnableLegacyBalloonNotifications](./policy-csp-admx-taskbar.md#admx-taskbar-enablelegacyballoonnotifications) -- [ADMX_Taskbar/HideSCAHealth](./policy-csp-admx-taskbar.md#admx-taskbar-hidescahealth) -- [ADMX_Taskbar/HideSCANetwork](./policy-csp-admx-taskbar.md#admx-taskbar-hidescanetwork) -- [ADMX_Taskbar/HideSCAPower](./policy-csp-admx-taskbar.md#admx-taskbar-hidescapower) -- [ADMX_Taskbar/HideSCAVolume](./policy-csp-admx-taskbar.md#admx-taskbar-hidescavolume) -- [ADMX_Taskbar/NoBalloonFeatureAdvertisements](./policy-csp-admx-taskbar.md#admx-taskbar-noballoonfeatureadvertisements) -- [ADMX_Taskbar/NoPinningStoreToTaskbar](./policy-csp-admx-taskbar.md#admx-taskbar-nopinningstoretotaskbar) -- [ADMX_Taskbar/NoPinningToDestinations](./policy-csp-admx-taskbar.md#admx-taskbar-nopinningtodestinations) -- [ADMX_Taskbar/NoPinningToTaskbar](./policy-csp-admx-taskbar.md#admx-taskbar-nopinningtotaskbar) -- [ADMX_Taskbar/NoRemoteDestinations](./policy-csp-admx-taskbar.md#admx-taskbar-noremotedestinations) -- [ADMX_Taskbar/NoSystraySystemPromotion](./policy-csp-admx-taskbar.md#admx-taskbar-nosystraysystempromotion) -- [ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar](./policy-csp-admx-taskbar.md#admx-taskbar-showwindowsstoreappsontaskbar) -- [ADMX_Taskbar/TaskbarLockAll](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarlockall) -- [ADMX_Taskbar/TaskbarNoAddRemoveToolbar](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoaddremovetoolbar) -- [ADMX_Taskbar/TaskbarNoDragToolbar](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnodragtoolbar) -- [ADMX_Taskbar/TaskbarNoMultimon](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnomultimon) -- [ADMX_Taskbar/TaskbarNoNotification](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnonotification) -- [ADMX_Taskbar/TaskbarNoPinnedList](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnopinnedlist) -- [ADMX_Taskbar/TaskbarNoRedock](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoredock) -- [ADMX_Taskbar/TaskbarNoResize](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoresize) -- [ADMX_Taskbar/TaskbarNoThumbnail](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnothumbnail) -- [ADMX_tcpip/6to4_Router_Name](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-router-name) -- [ADMX_tcpip/6to4_Router_Name_Resolution_Interval](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-router-name-resolution-interval) -- [ADMX_tcpip/6to4_State](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-state) -- [ADMX_tcpip/IPHTTPS_ClientState](./policy-csp-admx-tcpip.md#admx-tcpip-iphttps-clientstate) -- [ADMX_tcpip/IP_Stateless_Autoconfiguration_Limits_State](./policy-csp-admx-tcpip.md#admx-tcpip-ip-stateless-autoconfiguration-limits-state) -- [ADMX_tcpip/ISATAP_Router_Name](./policy-csp-admx-tcpip.md#admx-tcpip-isatap-router-name) -- [ADMX_tcpip/ISATAP_State](./policy-csp-admx-tcpip.md#admx-tcpip-isatap-state) -- [ADMX_tcpip/Teredo_Client_Port](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-client-port) -- [ADMX_tcpip/Teredo_Default_Qualified](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-default-qualified) -- [ADMX_tcpip/Teredo_Refresh_Rate](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-refresh-rate) -- [ADMX_tcpip/Teredo_Server_Name](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-server-name) -- [ADMX_tcpip/Teredo_State](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-state) -- [ADMX_tcpip/Windows_Scaling_Heuristics_State](./policy-csp-admx-tcpip.md#admx-tcpip-windows-scaling-heuristics-state) -- [ADMX_TerminalServer/TS_AUTO_RECONNECT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_auto_reconnect) -- [ADMX_TerminalServer/TS_CAMERA_REDIRECTION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_camera_redirection) -- [ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_certificate_template_policy) -- [ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_1) -- [ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_2) -- [ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_1) -- [ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_2) -- [ADMX_TerminalServer/TS_CLIENT_AUDIO](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio) -- [ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_capture) -- [ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_quality) -- [ADMX_TerminalServer/TS_CLIENT_CLIPBOARD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_clipboard) -- [ADMX_TerminalServer/TS_CLIENT_COM](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_com) -- [ADMX_TerminalServer/TS_CLIENT_DEFAULT_M](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_default_m) -- [ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_hardware_mode) -- [ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_password_saving_1) -- [ADMX_TerminalServer/TS_CLIENT_LPT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_lpt) -- [ADMX_TerminalServer/TS_CLIENT_PNP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_pnp) -- [ADMX_TerminalServer/TS_CLIENT_PRINTER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_printer) -- [ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_1) -- [ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_2) -- [ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_turn_off_udp) -- [ADMX_TerminalServer/TS_COLORDEPTH](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_colordepth) -- [ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_delete_roaming_user_profiles) -- [ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_disable_remote_desktop_wallpaper) -- [ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_dx_use_full_hwgpu) -- [ADMX_TerminalServer/TS_EASY_PRINT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print) -- [ADMX_TerminalServer/TS_EASY_PRINT_User](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print_user) -- [ADMX_TerminalServer/TS_EnableVirtualGraphics](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_enablevirtualgraphics) -- [ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_fallbackprintdrivertype) -- [ADMX_TerminalServer/TS_FORCIBLE_LOGOFF](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_forcible_logoff) -- [ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable) -- [ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method) -- [ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_server) -- [ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_join_session_directory) -- [ADMX_TerminalServer/TS_KEEP_ALIVE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_keep_alive) -- [ADMX_TerminalServer/TS_LICENSE_SECGROUP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_secgroup) -- [ADMX_TerminalServer/TS_LICENSE_SERVERS](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_servers) -- [ADMX_TerminalServer/TS_LICENSE_TOOLTIP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_tooltip) -- [ADMX_TerminalServer/TS_LICENSING_MODE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_licensing_mode) -- [ADMX_TerminalServer/TS_MAX_CON_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_max_con_policy) -- [ADMX_TerminalServer/TS_MAXDISPLAYRES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxdisplayres) -- [ADMX_TerminalServer/TS_MAXMONITOR](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxmonitor) -- [ADMX_TerminalServer/TS_NoDisconnectMenu](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nodisconnectmenu) -- [ADMX_TerminalServer/TS_NoSecurityMenu](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nosecuritymenu) -- [ADMX_TerminalServer/TS_PreventLicenseUpgrade](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_preventlicenseupgrade) -- [ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_promt_creds_client_comp) -- [ADMX_TerminalServer/TS_RADC_DefaultConnection](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_radc_defaultconnection) -- [ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_rdsappx_waitforregistration) -- [ADMX_TerminalServer/TS_RemoteControl_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_1) -- [ADMX_TerminalServer/TS_RemoteControl_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_2) -- [ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotedesktopvirtualgraphics) -- [ADMX_TerminalServer/TS_SD_ClustName](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_clustname) -- [ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_expose_address) -- [ADMX_TerminalServer/TS_SD_Loc](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_loc) -- [ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_security_layer_policy) -- [ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_network_detect) -- [ADMX_TerminalServer/TS_SELECT_TRANSPORT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_transport) -- [ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_advanced_remotefx_remoteapp) -- [ADMX_TerminalServer/TS_SERVER_AUTH](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_auth) -- [ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc_hw_encode_preferred) -- [ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc444_mode_preferred) -- [ADMX_TerminalServer/TS_SERVER_COMPRESSOR](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_compressor) -- [ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_image_quality) -- [ADMX_TerminalServer/TS_SERVER_LEGACY_RFX](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_legacy_rfx) -- [ADMX_TerminalServer/TS_SERVER_PROFILE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_profile) -- [ADMX_TerminalServer/TS_SERVER_VISEXP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_visexp) -- [ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_wddm_graphics_driver) -- [ADMX_TerminalServer/TS_Session_End_On_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_1) -- [ADMX_TerminalServer/TS_Session_End_On_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_2) -- [ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_1) -- [ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_2) -- [ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_1) -- [ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_2) -- [ADMX_TerminalServer/TS_SESSIONS_Limits_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_limits_1) -- [ADMX_TerminalServer/TS_SESSIONS_Limits_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_limits_2) -- [ADMX_TerminalServer/TS_SINGLE_SESSION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_single_session) -- [ADMX_TerminalServer/TS_SMART_CARD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_smart_card) -- [ADMX_TerminalServer/TS_START_PROGRAM_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_1) -- [ADMX_TerminalServer/TS_START_PROGRAM_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_2) -- [ADMX_TerminalServer/TS_TEMP_DELETE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_delete) -- [ADMX_TerminalServer/TS_TEMP_PER_SESSION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_per_session) -- [ADMX_TerminalServer/TS_TIME_ZONE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_time_zone) -- [ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_tscc_permissions_policy) -- [ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_turnoff_singleapp) -- [ADMX_TerminalServer/TS_UIA](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_uia) -- [ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_usb_redirection_disable) -- [ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_authentication_policy) -- [ADMX_TerminalServer/TS_USER_HOME](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_home) -- [ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_mandatory_profiles) -- [ADMX_TerminalServer/TS_USER_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_profiles) -- [ADMX_Thumbnails/DisableThumbnails](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnails) -- [ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnailsonnetworkfolders) -- [ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbsdbonnetworkfolders) -- [ADMX_TouchInput/TouchInputOff_1](./policy-csp-admx-touchinput.md#admx-touchinput-touchinputoff_1) -- [ADMX_TouchInput/TouchInputOff_2](./policy-csp-admx-touchinput.md#admx-touchinput-touchinputoff_2) -- [ADMX_TouchInput/PanningEverywhereOff_1](./policy-csp-admx-touchinput.md#admx-touchinput-panningeverywhereoff_1) -- [ADMX_TouchInput/PanningEverywhereOff_2](./policy-csp-admx-touchinput.md#admx-touchinput-panningeverywhereoff_2) -- [ADMX_TPM/BlockedCommandsList_Name](./policy-csp-admx-tpm.md#admx-tpm-blockedcommandslist-name) -- [ADMX_TPM/ClearTPMIfNotReady_Name](./policy-csp-admx-tpm.md#admx-tpm-cleartpmifnotready-name) -- [ADMX_TPM/IgnoreDefaultList_Name](./policy-csp-admx-tpm.md#admx-tpm-ignoredefaultlist-name) -- [ADMX_TPM/IgnoreLocalList_Name](./policy-csp-admx-tpm.md#admx-tpm-ignorelocallist-name) -- [ADMX_TPM/OSManagedAuth_Name](./policy-csp-admx-tpm.md#admx-tpm-osmanagedauth-name) -- [ADMX_TPM/OptIntoDSHA_Name](./policy-csp-admx-tpm.md#admx-tpm-optintodsha-name) -- [ADMX_TPM/StandardUserAuthorizationFailureDuration_Name](./policy-csp-admx-tpm.md#admx-tpm-standarduserauthorizationfailureduration-name) -- [ADMX_TPM/StandardUserAuthorizationFailureIndividualThreshold_Name](./policy-csp-admx-tpm.md#admx-tpm-standarduserauthorizationfailureindividualthreshold-name) -- [ADMX_TPM/StandardUserAuthorizationFailureTotalThreshold_Name](./policy-csp-admx-tpm.md#admx-tpm-standarduserauthorizationfailuretotalthreshold-name) -- [ADMX_TPM/UseLegacyDAP_Name](./policy-csp-admx-tpm.md#admx-tpm-uselegacydap-name) -- [ADMX_UserExperienceVirtualization/Calculator](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-calculator) -- [ADMX_UserExperienceVirtualization/ConfigureSyncMethod](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-configuresyncmethod) -- [ADMX_UserExperienceVirtualization/ConfigureVdi](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-configurevdi) -- [ADMX_UserExperienceVirtualization/ContactITDescription](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-contactitdescription) -- [ADMX_UserExperienceVirtualization/ContactITUrl](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-contactiturl) -- [ADMX_UserExperienceVirtualization/DisableWin8Sync](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-disablewin8sync) -- [ADMX_UserExperienceVirtualization/DisableWindowsOSSettings](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-disablewindowsossettings) -- [ADMX_UserExperienceVirtualization/EnableUEV](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-enableuev) -- [ADMX_UserExperienceVirtualization/Finance](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-finance) -- [ADMX_UserExperienceVirtualization/FirstUseNotificationEnabled](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-firstusenotificationenabled) -- [ADMX_UserExperienceVirtualization/Games](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-games) -- [ADMX_UserExperienceVirtualization/InternetExplorer8](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorer8) -- [ADMX_UserExperienceVirtualization/InternetExplorer9](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorer9) -- [ADMX_UserExperienceVirtualization/InternetExplorer10](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorer10) -- [ADMX_UserExperienceVirtualization/InternetExplorer11](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorer11) -- [ADMX_UserExperienceVirtualization/InternetExplorerCommon](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorercommon) -- [ADMX_UserExperienceVirtualization/Maps](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-maps) -- [ADMX_UserExperienceVirtualization/MaxPackageSizeInBytes](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-maxpackagesizeinbytes) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Access](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010access) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Common](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010common) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Excel](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010excel) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010InfoPath](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010infopath) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Lync](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010lync) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010OneNote](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010onenote) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Outlook](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010outlook) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010PowerPoint](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010powerpoint) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Project](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010project) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Publisher](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010publisher) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointDesigner](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010sharepointdesigner) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointWorkspace](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010sharepointworkspace) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Visio](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010visio) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Word](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010word) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Access](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013access) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013AccessBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013accessbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Common](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013common) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013CommonBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013commonbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Excel](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013excel) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013ExcelBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013excelbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPath](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013infopath) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPathBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013infopathbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Lync](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013lync) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013LyncBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013lyncbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneDriveForBusiness](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013onedriveforbusiness) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNote](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013onenote) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNoteBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013onenotebackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Outlook](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013outlook) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013OutlookBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013outlookbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPoint](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013powerpoint) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPointBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013powerpointbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Project](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013project) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013ProjectBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013projectbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Publisher](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013publisher) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013PublisherBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013publisherbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesigner](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013sharepointdesigner) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesignerBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013sharepointdesignerbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013UploadCenter](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013uploadcenter) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Visio](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013visio) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013VisioBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013visiobackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Word](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013word) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013WordBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013wordbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Access](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016access) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016AccessBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016accessbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Common](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016common) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016CommonBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016commonbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Excel](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016excel) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016ExcelBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016excelbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Lync](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016lync) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016LyncBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016lyncbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneDriveForBusiness](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016onedriveforbusiness) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNote](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016onenote) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNoteBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016onenotebackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Outlook](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016outlook) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016OutlookBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016outlookbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPoint](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016powerpoint) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPointBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016powerpointbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Project](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016project) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016ProjectBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016projectbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Publisher](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016publisher) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016PublisherBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016publisherbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016UploadCenter](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016uploadcenter) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Visio](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016visio) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016VisioBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016visiobackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Word](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016word) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016WordBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016wordbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365access2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365access2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365common2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365common2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365excel2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365excel2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365InfoPath2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365infopath2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365lync2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365lync2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365onenote2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365onenote2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365outlook2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365outlook2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365powerpoint2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365powerpoint2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365project2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365project2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365publisher2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365publisher2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365SharePointDesigner2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365sharepointdesigner2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365visio2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365visio2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365word2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365word2016) -- [ADMX_UserExperienceVirtualization/Music](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-music) -- [ADMX_UserExperienceVirtualization/News](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-news) -- [ADMX_UserExperienceVirtualization/Notepad](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-notepad) -- [ADMX_UserExperienceVirtualization/Reader](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-reader) -- [ADMX_UserExperienceVirtualization/RepositoryTimeout](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-repositorytimeout) -- [ADMX_UserExperienceVirtualization/SettingsStoragePath](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-settingsstoragepath) -- [ADMX_UserExperienceVirtualization/SettingsTemplateCatalogPath](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-settingstemplatecatalogpath) -- [ADMX_UserExperienceVirtualization/Sports](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-sports) -- [ADMX_UserExperienceVirtualization/SyncEnabled](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncenabled) -- [ADMX_UserExperienceVirtualization/SyncOverMeteredNetwork](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncovermeterednetwork) -- [ADMX_UserExperienceVirtualization/SyncOverMeteredNetworkWhenRoaming](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncovermeterednetworkwhenroaming) -- [ADMX_UserExperienceVirtualization/SyncProviderPingEnabled](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncproviderpingenabled) -- [ADMX_UserExperienceVirtualization/SyncUnlistedWindows8Apps](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncunlistedwindows8apps) -- [ADMX_UserExperienceVirtualization/Travel](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-travel) -- [ADMX_UserExperienceVirtualization/TrayIconEnabled](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-trayiconenabled) -- [ADMX_UserExperienceVirtualization/Video](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-video) -- [ADMX_UserExperienceVirtualization/Weather](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-weather) -- [ADMX_UserExperienceVirtualization/Wordpad](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-wordpad) -- [ADMX_UserProfiles/CleanupProfiles](./policy-csp-admx-userprofiles.md#admx-userprofiles-cleanupprofiles) -- [ADMX_UserProfiles/DontForceUnloadHive](./policy-csp-admx-userprofiles.md#admx-userprofiles-dontforceunloadhive) -- [ADMX_UserProfiles/LeaveAppMgmtData](./policy-csp-admx-userprofiles.md#admx-userprofiles-leaveappmgmtdata) -- [ADMX_UserProfiles/LimitSize](./policy-csp-admx-userprofiles.md#admx-userprofiles-limitsize) -- [ADMX_UserProfiles/ProfileErrorAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-profileerroraction) -- [ADMX_UserProfiles/SlowLinkTimeOut](./policy-csp-admx-userprofiles.md#admx-userprofiles-slowlinktimeout) -- [ADMX_UserProfiles/USER_HOME](./policy-csp-admx-userprofiles.md#admx-userprofiles-user-home) -- [ADMX_UserProfiles/UserInfoAccessAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-userinfoaccessaction) -- [ADMX_W32Time/W32TIME_POLICY_CONFIG](./policy-csp-admx-w32time.md#admx-w32time-policy-config) -- [ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-configure-ntpclient) -- [ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpclient) -- [ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPSERVER](./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpserver) -- [ADMX_WCM/WCM_DisablePowerManagement](./policy-csp-admx-wcm.md#admx-wcm-wcm-disablepowermanagement) -- [ADMX_WCM/WCM_EnableSoftDisconnect](./policy-csp-admx-wcm.md#admx-wcm-wcm-enablesoftdisconnect) -- [ADMX_WCM/WCM_MinimizeConnections](./policy-csp-admx-wcm.md#admx-wcm-wcm-minimizeconnections) -- [ADMX_WDI/WdiDpsScenarioExecutionPolicy](./policy-csp-admx-wdi.md#admx-wdi-wdidpsscenarioexecutionpolicy) -- [ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy](./policy-csp-admx-wdi.md#admx-wdi-wdidpsscenariodatasizelimitpolicy) -- [ADMX_WinCal/TurnOffWinCal_1](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-1) -- [ADMX_WinCal/TurnOffWinCal_2](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-2) -- [ADMX_WindowsConnectNow/WCN_DisableWcnUi_1](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-1) -- [ADMX_WindowsConnectNow/WCN_DisableWcnUi_2](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-2) -- [ADMX_WindowsConnectNow/WCN_EnableRegistrar](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-enableregistrar) -- [ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-checksamesourceandtargetforfranddfs) -- [ADMX_WindowsExplorer/ClassicShell](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-classicshell) -- [ADMX_WindowsExplorer/ConfirmFileDelete](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-confirmfiledelete) -- [ADMX_WindowsExplorer/DefaultLibrariesLocation](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-defaultlibrarieslocation) -- [ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disablebinddirectlytopropertysetstorage) -- [ADMX_WindowsExplorer/DisableIndexedLibraryExperience](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disableindexedlibraryexperience) -- [ADMX_WindowsExplorer/DisableKnownFolders](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disableknownfolders) -- [ADMX_WindowsExplorer/DisableSearchBoxSuggestions](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disablesearchboxsuggestions) -- [ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enableshellshortcuticonremotepath) -- [ADMX_WindowsExplorer/EnableSmartScreen](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enablesmartscreen) -- [ADMX_WindowsExplorer/EnforceShellExtensionSecurity](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enforceshellextensionsecurity) -- [ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-explorerribbonstartsminimized) -- [ADMX_WindowsExplorer/HideContentViewModeSnippets](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-hidecontentviewmodesnippets) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-internet) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-internetlockdown) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-intranet) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-intranetlockdown) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-localmachine) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-localmachinelockdown) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-restricted) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-restrictedlockdown) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-trusted) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-trustedlockdown) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-internet) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-internetlockdown) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-intranet) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-intranetlockdown) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-localmachine) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-localmachinelockdown) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-restricted) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-restrictedlockdown) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-trusted) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-trustedlockdown) -- [ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-linkresolveignorelinkinfo) -- [ADMX_WindowsExplorer/MaxRecentDocs](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-maxrecentdocs) -- [ADMX_WindowsExplorer/NoBackButton](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nobackbutton) -- [ADMX_WindowsExplorer/NoCDBurning](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nocdburning) -- [ADMX_WindowsExplorer/NoCacheThumbNailPictures](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nocachethumbnailpictures) -- [ADMX_WindowsExplorer/NoChangeAnimation](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nochangeanimation) -- [ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nochangekeyboardnavigationindicators) -- [ADMX_WindowsExplorer/NoDFSTab](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nodfstab) -- [ADMX_WindowsExplorer/NoDrives](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nodrives) -- [ADMX_WindowsExplorer/NoEntireNetwork](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noentirenetwork) -- [ADMX_WindowsExplorer/NoFileMRU](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofilemru) -- [ADMX_WindowsExplorer/NoFileMenu](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofilemenu) -- [ADMX_WindowsExplorer/NoFolderOptions](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofolderoptions) -- [ADMX_WindowsExplorer/NoHardwareTab](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nohardwaretab) -- [ADMX_WindowsExplorer/NoManageMyComputerVerb](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nomanagemycomputerverb) -- [ADMX_WindowsExplorer/NoMyComputerSharedDocuments](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nomycomputershareddocuments) -- [ADMX_WindowsExplorer/NoNetConnectDisconnect](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nonetconnectdisconnect) -- [ADMX_WindowsExplorer/NoNewAppAlert](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nonewappalert) -- [ADMX_WindowsExplorer/NoPlacesBar](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noplacesbar) -- [ADMX_WindowsExplorer/NoRecycleFiles](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-norecyclefiles) -- [ADMX_WindowsExplorer/NoRunAsInstallPrompt](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-norunasinstallprompt) -- [ADMX_WindowsExplorer/NoSearchInternetTryHarderButton](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nosearchinternettryharderbutton) -- [ADMX_WindowsExplorer/NoSecurityTab](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nosecuritytab) -- [ADMX_WindowsExplorer/NoShellSearchButton](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noshellsearchbutton) -- [ADMX_WindowsExplorer/NoStrCmpLogical](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nostrcmplogical) -- [ADMX_WindowsExplorer/NoViewContextMenu](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noviewcontextmenu) -- [ADMX_WindowsExplorer/NoViewOnDrive](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noviewondrive) -- [ADMX_WindowsExplorer/NoWindowsHotKeys](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nowindowshotkeys) -- [ADMX_WindowsExplorer/NoWorkgroupContents](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noworkgroupcontents) -- [ADMX_WindowsExplorer/PlacesBar](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-placesbar) -- [ADMX_WindowsExplorer/PromptRunasInstallNetPath](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-promptrunasinstallnetpath) -- [ADMX_WindowsExplorer/RecycleBinSize](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-recyclebinsize) -- [ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-shellprotocolprotectedmodetitle-1) -- [ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-shellprotocolprotectedmodetitle-2) -- [ADMX_WindowsExplorer/ShowHibernateOption](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-showhibernateoption) -- [ADMX_WindowsExplorer/ShowSleepOption](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-showsleepoption) -- [ADMX_WindowsExplorer/TryHarderPinnedLibrary](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedlibrary) -- [ADMX_WindowsExplorer/TryHarderPinnedOpenSearch](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedopensearch) -- [ADMX_WindowsMediaDRM/DisableOnline](./policy-csp-admx-windowsmediadrm.md#admx-windowsmediadrm-disableonline) -- [ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configurehttpproxysettings) -- [ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configuremmsproxysettings) -- [ADMX_WindowsMediaPlayer/ConfigureRTSPProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configurertspproxysettings) -- [ADMX_WindowsMediaPlayer/DisableAutoUpdate](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-disableautoupdate) -- [ADMX_WindowsMediaPlayer/DisableNetworkSettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-disablenetworksettings) -- [ADMX_WindowsMediaPlayer/DisableSetupFirstUseConfiguration](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-disablesetupfirstuseconfiguration) -- [ADMX_WindowsMediaPlayer/DoNotShowAnchor](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-donotshowanchor) -- [ADMX_WindowsMediaPlayer/DontUseFrameInterpolation](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-dontuseframeinterpolation) -- [ADMX_WindowsMediaPlayer/EnableScreenSaver](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-enablescreensaver) -- [ADMX_WindowsMediaPlayer/HidePrivacyTab](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-hideprivacytab) -- [ADMX_WindowsMediaPlayer/HideSecurityTab](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-hidesecuritytab) -- [ADMX_WindowsMediaPlayer/NetworkBuffering](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-networkbuffering) -- [ADMX_WindowsMediaPlayer/PolicyCodecUpdate](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-policycodecupdate) -- [ADMX_WindowsMediaPlayer/PreventCDDVDMetadataRetrieval](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventcddvdmetadataretrieval) -- [ADMX_WindowsMediaPlayer/PreventLibrarySharing](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventlibrarysharing) -- [ADMX_WindowsMediaPlayer/PreventMusicFileMetadataRetrieval](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventmusicfilemetadataretrieval) -- [ADMX_WindowsMediaPlayer/PreventQuickLaunchShortcut](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventquicklaunchshortcut) -- [ADMX_WindowsMediaPlayer/PreventRadioPresetsRetrieval](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventradiopresetsretrieval) -- [ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventwmpdesktopshortcut) -- [ADMX_WindowsMediaPlayer/SkinLockDown](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-skinlockdown) -- [ADMX_WindowsMediaPlayer/WindowsStreamingMediaProtocols](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-windowsstreamingmediaprotocols) -- [ADMX_WindowsRemoteManagement/DisallowKerberos_1](./policy-csp-admx-windowsremotemanagement.md#admx-windowsremotemanagement-disallowkerberos-1) -- [ADMX_WindowsRemoteManagement/DisallowKerberos_2](./policy-csp-admx-windowsremotemanagement.md#admx-windowsremotemanagement-disallowkerberos-2) -- [ADMX_WindowsStore/DisableAutoDownloadWin8](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableautodownloadwin8) -- [ADMX_WindowsStore/DisableOSUpgrade_1](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableosupgrade-1) -- [ADMX_WindowsStore/DisableOSUpgrade_2](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableosupgrade-2) -- [ADMX_WindowsStore/RemoveWindowsStore_1](./policy-csp-admx-windowsstore.md#admx-windowsstore-removewindowsstore-1) -- [ADMX_WindowsStore/RemoveWindowsStore_2](./policy-csp-admx-windowsstore.md#admx-windowsstore-removewindowsstore-2) -- [ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription](./policy-csp-admx-wininit.md#admx-wininit-disablenamedpipeshutdownpolicydescription) -- [ADMX_WinInit/Hiberboot](./policy-csp-admx-wininit.md#admx-wininit-hiberboot) -- [ADMX_WinInit/ShutdownTimeoutHungSessionsDescription](./policy-csp-admx-wininit.md#admx-wininit-shutdowntimeouthungsessionsdescription) -- [ADMX_WinLogon/CustomShell](./policy-csp-admx-winlogon.md#admx-winlogon-customshell) -- [ADMX_WinLogon/DisplayLastLogonInfoDescription](./policy-csp-admx-winlogon.md#admx-winlogon-displaylastlogoninfodescription) -- [ADMX_WinLogon/LogonHoursNotificationPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-logonhoursnotificationpolicydescription) -- [ADMX_WinLogon/LogonHoursPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-logonhourspolicydescription) -- [ADMX_WinLogon/ReportCachedLogonPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-reportcachedlogonpolicydescription) -- [ADMX_WinLogon/SoftwareSASGeneration](./policy-csp-admx-winlogon.md#admx-winlogon-softwaresasgeneration) -- [ADMX_Winsrv/AllowBlockingAppsAtShutdown](./policy-csp-admx-winsrv.md#admx-winsrv-allowblockingappsatshutdown) -- [ADMX_wlansvc/SetCost](./policy-csp-admx-wlansvc.md#admx-wlansvc-setcost) -- [ADMX_wlansvc/SetPINEnforced](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinenforced) -- [ADMX_wlansvc/SetPINPreferred](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinpreferred) -- [ADMX_WordWheel/CustomSearch](./policy-csp-admx-wordwheel.md#admx-wordwheel-customsearch) -- [ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker](./policy-csp-admx-workfoldersclient.md#admx-workfoldersclient-pol_userenabletokenbroker) -- [ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders](./policy-csp-admx-workfoldersclient.md#admx-workfoldersclient-pol_userenableworkfolders) -- [ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders](./policy-csp-admx-workfoldersclient.md#admx-workfoldersclient-pol_machineenableworkfolders) -- [ADMX_WPN/NoCallsDuringQuietHours](./policy-csp-admx-wpn.md#admx-wpn-nocallsduringquiethours) -- [ADMX_WPN/NoLockScreenToastNotification](./policy-csp-admx-wpn.md#admx-wpn-nolockscreentoastnotification) -- [ADMX_WPN/NoQuietHours](./policy-csp-admx-wpn.md#admx-wpn-noquiethours) -- [ADMX_WPN/NoToastNotification](./policy-csp-admx-wpn.md#admx-wpn-notoastnotification) -- [ADMX_WPN/QuietHoursDailyBeginMinute](./policy-csp-admx-wpn.md#admx-wpn-quiethoursdailybeginminute) -- [ADMX_WPN/QuietHoursDailyEndMinute](./policy-csp-admx-wpn.md#admx-wpn-quiethoursdailyendminute) -- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional) -- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient) -- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization) -- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup) -- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts) -- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux) -- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver) -- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions) -- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions) -- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload) -- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode) -- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal) -- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser) -- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1) -- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2) -- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3) -- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4) -- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5) -- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl) -- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch) -- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider) -- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot) -- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot) -- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval) -- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries) -- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode) -- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache) -- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist) -- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist) -- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation) -- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism) -- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms) -- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices) -- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior) -- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay) -- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui) -- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-disableprintingoverhttp) -- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp) -- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards) -- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths) -- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge) -- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon) -- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword) -- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials) -- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal) -- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators) -- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g) -- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) -- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) -- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) -- [DesktopAppInstaller/EnableAdditionalSources](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableadditionalsources) -- [DesktopAppInstaller/EnableAppInstaller](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableappinstaller) -- [DesktopAppInstaller/EnableLocalManifestFiles](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablelocalmanifestfiles) -- [DesktopAppInstaller/EnableHashOverride](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablehashoverride) -- [DesktopAppInstaller/EnableMicrosoftStoreSource](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemicrosoftstoresource) -- [DesktopAppInstaller/EnableMSAppInstallerProtocol](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemsappinstallerprotocol) -- [DesktopAppInstaller/EnableSettings](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablesettings) -- [DesktopAppInstaller/EnableAllowedSources](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableallowedsources) -- [DesktopAppInstaller/EnableExperimentalFeatures](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableexperimentalfeatures) -- [DesktopAppInstaller/SourceAutoUpdateInterval](./policy-csp-desktopappinstaller.md#desktopappinstaller-sourceautoupdateinterval) -- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids) -- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses) -- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork) -- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofdevicesnotdescribedbyotherpolicysettings) -- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceids) -- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdevicesetupclasses) -- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera) -- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow) -- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings) -- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting) -- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification) -- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata) -- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay) -- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior) -- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog) -- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog) -- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog) -- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer) -- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption) -- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider) -- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering) -- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist) -- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete) -- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning) -- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit) -- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode) -- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar) -- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu) -- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist) -- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3) -- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist) -- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode) -- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate) -- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate) -- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate) -- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate) -- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate) -- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate) -- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate) -- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry) -- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist) -- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid) -- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites) -- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate) -- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate) -- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate) -- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation) -- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms) -- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses) -- [InternetExplorer/DisableActiveXVersionListAutoDownload](./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload) -- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash) -- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings) -- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles) -- [InternetExplorer/DisableCompatView](./policy-csp-internetexplorer.md#internetexplorer-disablecompatview) -- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory) -- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection) -- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation) -- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites) -- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading) -- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport) -- [InternetExplorer/DisableFeedsBackgroundSync](./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync) -- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard) -- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature) -- [InternetExplorer/DisableGeolocation](./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation) -- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange) -- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors) -- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing) -- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode) -- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange) -- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange) -- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange) -- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck) -- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck) -- [InternetExplorer/DisableWebAddressAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete) -- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode) -- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites) -- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies) -- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols) -- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains) -- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites) -- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths) -- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources) -- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript) -- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles) -- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads) -- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites) -- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles) -- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols) -- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol) -- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows) -- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols) -- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets) -- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie) -- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript) -- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence) -- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer) -- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols) -- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols) -- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter) -- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows) -- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows) -- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing) -- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode) -- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver) -- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions) -- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe) -- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions) -- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes) -- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode) -- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles) -- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker) -- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources) -- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads) -- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites) -- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets) -- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie) -- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence) -- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions) -- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes) -- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources) -- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads) -- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites) -- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents) -- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets) -- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie) -- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence) -- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions) -- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes) -- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources) -- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads) -- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets) -- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie) -- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence) -- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions) -- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes) -- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions) -- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources) -- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads) -- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets) -- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie) -- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence) -- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes) -- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources) -- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads) -- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets) -- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie) -- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence) -- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions) -- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence) -- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions) -- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence) -- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions) -- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes) -- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses) -- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses) -- [InternetExplorer/NewTabDefaultPage](./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage) -- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses) -- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter) -- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols) -- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses) -- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols) -- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses) -- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses) -- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources) -- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting) -- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors) -- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript) -- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles) -- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads) -- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads) -- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles) -- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh) -- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol) -- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows) -- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols) -- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets) -- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie) -- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript) -- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence) -- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer) -- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter) -- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows) -- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows) -- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing) -- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver) -- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions) -- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe) -- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions) -- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes) -- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins) -- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode) -- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting) -- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets) -- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles) -- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode) -- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker) -- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses) -- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist) -- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings) -- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice) -- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources) -- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads) -- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets) -- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie) -- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence) -- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions) -- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes) -- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder) -- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor) -- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring) -- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation) -- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize) -- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes) -- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers) -- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel) -- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel) -- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon) -- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver) -- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server) -- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection) -- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications) -- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication) -- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery) -- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin) -- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) -- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) -- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery) -- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin) -- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery) -- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin) -- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) -- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) -- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions) -- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user) -- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters) -- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages) -- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging) -- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance) -- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance) -- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely) -- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel) -- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection) -- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving) -- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection) -- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication) -- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client) -- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service) -- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient) -- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice) -- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement) -- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client) -- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service) -- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication) -- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient) -- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice) -- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials) -- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel) -- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts) -- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener) -- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener) -- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication) -- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients) -- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess) -- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers) -- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout) -- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory) -- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses) -- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells) -- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout) -- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation) -- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices) -- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) -- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) -- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) -- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon) -- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon) -- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) -- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) -- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) -- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) +This article lists the ADMX-backed policies in Policy CSP. -## Related topics +## ActiveXControls -[Policy CSP](policy-configuration-service-provider.md) +- [ApprovedInstallationSites](policy-csp-activexcontrols.md) + +## ADMX_ActiveXInstallService + +- [AxISURLZonePolicies](policy-csp-admx-activexinstallservice.md) + +## ADMX_AddRemovePrograms + +- [NoServices](policy-csp-admx-addremoveprograms.md) +- [NoAddPage](policy-csp-admx-addremoveprograms.md) +- [NoWindowsSetupPage](policy-csp-admx-addremoveprograms.md) +- [NoRemovePage](policy-csp-admx-addremoveprograms.md) +- [NoAddFromCDorFloppy](policy-csp-admx-addremoveprograms.md) +- [NoAddFromInternet](policy-csp-admx-addremoveprograms.md) +- [NoAddFromNetwork](policy-csp-admx-addremoveprograms.md) +- [NoChooseProgramsPage](policy-csp-admx-addremoveprograms.md) +- [NoAddRemovePrograms](policy-csp-admx-addremoveprograms.md) +- [NoSupportInfo](policy-csp-admx-addremoveprograms.md) +- [DefaultCategory](policy-csp-admx-addremoveprograms.md) + +## ADMX_AdmPwd + +- [POL_AdmPwd_DontAllowPwdExpirationBehindPolicy](policy-csp-admx-admpwd.md) +- [POL_AdmPwd_Enabled](policy-csp-admx-admpwd.md) +- [POL_AdmPwd_AdminName](policy-csp-admx-admpwd.md) +- [POL_AdmPwd](policy-csp-admx-admpwd.md) + +## ADMX_AppCompat + +- [AppCompatTurnOffProgramCompatibilityAssistant_1](policy-csp-admx-appcompat.md) +- [AppCompatPrevent16BitMach](policy-csp-admx-appcompat.md) +- [AppCompatRemoveProgramCompatPropPage](policy-csp-admx-appcompat.md) +- [AppCompatTurnOffEngine](policy-csp-admx-appcompat.md) +- [AppCompatTurnOffApplicationImpactTelemetry](policy-csp-admx-appcompat.md) +- [AppCompatTurnOffProgramInventory](policy-csp-admx-appcompat.md) +- [AppCompatTurnOffProgramCompatibilityAssistant_2](policy-csp-admx-appcompat.md) +- [AppCompatTurnOffUserActionRecord](policy-csp-admx-appcompat.md) +- [AppCompatTurnOffSwitchBack](policy-csp-admx-appcompat.md) + +## ADMX_AppxPackageManager + +- [AllowDeploymentInSpecialProfiles](policy-csp-admx-appxpackagemanager.md) + +## ADMX_AppXRuntime + +- [AppxRuntimeBlockFileElevation](policy-csp-admx-appxruntime.md) +- [AppxRuntimeBlockProtocolElevation](policy-csp-admx-appxruntime.md) +- [AppxRuntimeBlockFileElevation](policy-csp-admx-appxruntime.md) +- [AppxRuntimeBlockProtocolElevation](policy-csp-admx-appxruntime.md) +- [AppxRuntimeBlockHostedAppAccessWinRT](policy-csp-admx-appxruntime.md) +- [AppxRuntimeApplicationContentUriRules](policy-csp-admx-appxruntime.md) + +## ADMX_AttachmentManager + +- [AM_SetFileRiskLevel](policy-csp-admx-attachmentmanager.md) +- [AM_SetHighRiskInclusion](policy-csp-admx-attachmentmanager.md) +- [AM_SetLowRiskInclusion](policy-csp-admx-attachmentmanager.md) +- [AM_SetModRiskInclusion](policy-csp-admx-attachmentmanager.md) +- [AM_EstimateFileHandlerRisk](policy-csp-admx-attachmentmanager.md) + +## ADMX_AuditSettings + +- [IncludeCmdLine](policy-csp-admx-auditsettings.md) + +## ADMX_Bits + +- [BITS_EnablePeercaching](policy-csp-admx-bits.md) +- [BITS_DisableBranchCache](policy-csp-admx-bits.md) +- [BITS_DisablePeercachingClient](policy-csp-admx-bits.md) +- [BITS_DisablePeercachingServer](policy-csp-admx-bits.md) +- [BITS_MaxContentAge](policy-csp-admx-bits.md) +- [BITS_MaxCacheSize](policy-csp-admx-bits.md) +- [BITS_MaxDownloadTime](policy-csp-admx-bits.md) +- [BITS_MaxBandwidthServedForPeers](policy-csp-admx-bits.md) +- [BITS_MaxJobsPerUser](policy-csp-admx-bits.md) +- [BITS_MaxJobsPerMachine](policy-csp-admx-bits.md) +- [BITS_MaxFilesPerJob](policy-csp-admx-bits.md) +- [BITS_MaxRangesPerFile](policy-csp-admx-bits.md) +- [BITS_MaxBandwidthV2_Maintenance](policy-csp-admx-bits.md) +- [BITS_MaxBandwidthV2_Work](policy-csp-admx-bits.md) + +## ADMX_CipherSuiteOrder + +- [SSLCurveOrder](policy-csp-admx-ciphersuiteorder.md) +- [SSLCipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) + +## ADMX_COM + +- [AppMgmt_COM_SearchForCLSID_1](policy-csp-admx-com.md) +- [AppMgmt_COM_SearchForCLSID_2](policy-csp-admx-com.md) + +## ADMX_ControlPanel + +- [ForceClassicControlPanel](policy-csp-admx-controlpanel.md) +- [DisallowCpls](policy-csp-admx-controlpanel.md) +- [NoControlPanel](policy-csp-admx-controlpanel.md) +- [RestrictCpls](policy-csp-admx-controlpanel.md) + +## ADMX_ControlPanelDisplay + +- [CPL_Display_Disable](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Display_HideSettings](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_EnableScreenSaver](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_SetVisualStyle](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_SetScreenSaver](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_SetTheme](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_ScreenSaverIsSecure](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoColorAppearanceUI](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_DisableColorSchemeChoice](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoDesktopBackgroundUI](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoDesktopIconsUI](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoMousePointersUI](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoScreenSaverUI](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoSoundSchemeUI](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_DisableThemeChange](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_DisableVisualStyle](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_LockFontSize](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_ScreenSaverTimeOut](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoLockScreen](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_PersonalColors](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_ForceDefaultLockScreen](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_StartBackground](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_SetTheme](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoChangingLockScreen](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoChangingStartMenuBackground](policy-csp-admx-controlpaneldisplay.md) + +## ADMX_Cpls + +- [UseDefaultTile](policy-csp-admx-cpls.md) + +## ADMX_CredentialProviders + +- [AllowDomainDelayLock](policy-csp-admx-credentialproviders.md) +- [DefaultCredentialProvider](policy-csp-admx-credentialproviders.md) +- [ExcludedCredentialProviders](policy-csp-admx-credentialproviders.md) + +## ADMX_CredSsp + +- [AllowDefaultCredentials](policy-csp-admx-credssp.md) +- [AllowDefCredentialsWhenNTLMOnly](policy-csp-admx-credssp.md) +- [AllowFreshCredentials](policy-csp-admx-credssp.md) +- [AllowFreshCredentialsWhenNTLMOnly](policy-csp-admx-credssp.md) +- [AllowSavedCredentials](policy-csp-admx-credssp.md) +- [AllowSavedCredentialsWhenNTLMOnly](policy-csp-admx-credssp.md) +- [DenyDefaultCredentials](policy-csp-admx-credssp.md) +- [DenyFreshCredentials](policy-csp-admx-credssp.md) +- [DenySavedCredentials](policy-csp-admx-credssp.md) +- [AllowEncryptionOracle](policy-csp-admx-credssp.md) +- [RestrictedRemoteAdministration](policy-csp-admx-credssp.md) + +## ADMX_CredUI + +- [NoLocalPasswordResetQuestions](policy-csp-admx-credui.md) +- [EnableSecureCredentialPrompting](policy-csp-admx-credui.md) + +## ADMX_CtrlAltDel + +- [DisableChangePassword](policy-csp-admx-ctrlaltdel.md) +- [DisableLockComputer](policy-csp-admx-ctrlaltdel.md) +- [NoLogoff](policy-csp-admx-ctrlaltdel.md) +- [DisableTaskMgr](policy-csp-admx-ctrlaltdel.md) + +## ADMX_DataCollection + +- [CommercialIdPolicy](policy-csp-admx-datacollection.md) + +## ADMX_DCOM + +- [DCOMActivationSecurityCheckAllowLocalList](policy-csp-admx-dcom.md) +- [DCOMActivationSecurityCheckExemptionList](policy-csp-admx-dcom.md) + +## ADMX_Desktop + +- [AD_EnableFilter](policy-csp-admx-desktop.md) +- [AD_HideDirectoryFolder](policy-csp-admx-desktop.md) +- [AD_QueryLimit](policy-csp-admx-desktop.md) +- [sz_AdminComponents_Title](policy-csp-admx-desktop.md) +- [sz_DWP_NoHTMLPaper](policy-csp-admx-desktop.md) +- [Wallpaper](policy-csp-admx-desktop.md) +- [NoActiveDesktop](policy-csp-admx-desktop.md) +- [sz_ATC_NoComponents](policy-csp-admx-desktop.md) +- [ForceActiveDesktopOn](policy-csp-admx-desktop.md) +- [sz_ATC_DisableAdd](policy-csp-admx-desktop.md) +- [NoActiveDesktopChanges](policy-csp-admx-desktop.md) +- [sz_ATC_DisableClose](policy-csp-admx-desktop.md) +- [sz_ATC_DisableDel](policy-csp-admx-desktop.md) +- [sz_ATC_DisableEdit](policy-csp-admx-desktop.md) +- [NoRecentDocsNetHood](policy-csp-admx-desktop.md) +- [NoSaveSettings](policy-csp-admx-desktop.md) +- [NoDesktop](policy-csp-admx-desktop.md) +- [NoInternetIcon](policy-csp-admx-desktop.md) +- [NoNetHood](policy-csp-admx-desktop.md) +- [sz_DB_DragDropClose](policy-csp-admx-desktop.md) +- [sz_DB_Moving](policy-csp-admx-desktop.md) +- [NoMyComputerIcon](policy-csp-admx-desktop.md) +- [NoMyDocumentsIcon](policy-csp-admx-desktop.md) +- [NoPropertiesMyComputer](policy-csp-admx-desktop.md) +- [NoPropertiesMyDocuments](policy-csp-admx-desktop.md) +- [NoRecycleBinProperties](policy-csp-admx-desktop.md) +- [NoRecycleBinIcon](policy-csp-admx-desktop.md) +- [NoDesktopCleanupWizard](policy-csp-admx-desktop.md) +- [NoWindowMinimizingShortcuts](policy-csp-admx-desktop.md) +- [NoDesktop](policy-csp-admx-desktop.md) + +## ADMX_DeviceCompat + +- [DeviceFlags](policy-csp-admx-devicecompat.md) +- [DriverShims](policy-csp-admx-devicecompat.md) + +## ADMX_DeviceGuard + +- [ConfigCIPolicy](policy-csp-admx-deviceguard.md) + +## ADMX_DeviceInstallation + +- [DeviceInstall_InstallTimeout](policy-csp-admx-deviceinstallation.md) +- [DeviceInstall_AllowAdminInstall](policy-csp-admx-deviceinstallation.md) +- [DeviceInstall_DeniedPolicy_SimpleText](policy-csp-admx-deviceinstallation.md) +- [DeviceInstall_DeniedPolicy_DetailText](policy-csp-admx-deviceinstallation.md) +- [DeviceInstall_Removable_Deny](policy-csp-admx-deviceinstallation.md) +- [DeviceInstall_Policy_RebootTime](policy-csp-admx-deviceinstallation.md) +- [DeviceInstall_SystemRestore](policy-csp-admx-deviceinstallation.md) +- [DriverInstall_Classes_AllowUser](policy-csp-admx-deviceinstallation.md) + +## ADMX_DeviceSetup + +- [DriverSearchPlaces_SearchOrderConfiguration](policy-csp-admx-devicesetup.md) +- [DeviceInstall_BalloonTips](policy-csp-admx-devicesetup.md) + +## ADMX_DFS + +- [DFSDiscoverDC](policy-csp-admx-dfs.md) + +## ADMX_DigitalLocker + +- [Digitalx_DiableApplication_TitleText_1](policy-csp-admx-digitallocker.md) +- [Digitalx_DiableApplication_TitleText_2](policy-csp-admx-digitallocker.md) + +## ADMX_DiskDiagnostic + +- [DfdAlertPolicy](policy-csp-admx-diskdiagnostic.md) +- [WdiScenarioExecutionPolicy](policy-csp-admx-diskdiagnostic.md) + +## ADMX_DiskNVCache + +- [BootResumePolicy](policy-csp-admx-disknvcache.md) +- [CachePowerModePolicy](policy-csp-admx-disknvcache.md) +- [FeatureOffPolicy](policy-csp-admx-disknvcache.md) +- [SolidStatePolicy](policy-csp-admx-disknvcache.md) + +## ADMX_DiskQuota + +- [DQ_RemovableMedia](policy-csp-admx-diskquota.md) +- [DQ_Enable](policy-csp-admx-diskquota.md) +- [DQ_Enforce](policy-csp-admx-diskquota.md) +- [DQ_LogEventOverLimit](policy-csp-admx-diskquota.md) +- [DQ_LogEventOverThreshold](policy-csp-admx-diskquota.md) +- [DQ_Limit](policy-csp-admx-diskquota.md) + +## ADMX_DistributedLinkTracking + +- [DLT_AllowDomainMode](policy-csp-admx-distributedlinktracking.md) + +## ADMX_DnsClient + +- [DNS_AppendToMultiLabelName](policy-csp-admx-dnsclient.md) +- [DNS_AllowFQDNNetBiosQueries](policy-csp-admx-dnsclient.md) +- [DNS_Domain](policy-csp-admx-dnsclient.md) +- [DNS_NameServer](policy-csp-admx-dnsclient.md) +- [DNS_SearchList](policy-csp-admx-dnsclient.md) +- [DNS_RegistrationEnabled](policy-csp-admx-dnsclient.md) +- [DNS_IdnMapping](policy-csp-admx-dnsclient.md) +- [DNS_PreferLocalResponsesOverLowerOrderDns](policy-csp-admx-dnsclient.md) +- [DNS_PrimaryDnsSuffix](policy-csp-admx-dnsclient.md) +- [DNS_UseDomainNameDevolution](policy-csp-admx-dnsclient.md) +- [DNS_DomainNameDevolutionLevel](policy-csp-admx-dnsclient.md) +- [DNS_RegisterAdapterName](policy-csp-admx-dnsclient.md) +- [DNS_RegisterReverseLookup](policy-csp-admx-dnsclient.md) +- [DNS_RegistrationRefreshInterval](policy-csp-admx-dnsclient.md) +- [DNS_RegistrationOverwritesInConflict](policy-csp-admx-dnsclient.md) +- [DNS_RegistrationTtl](policy-csp-admx-dnsclient.md) +- [DNS_IdnEncoding](policy-csp-admx-dnsclient.md) +- [Turn_Off_Multicast](policy-csp-admx-dnsclient.md) +- [DNS_SmartMultiHomedNameResolution](policy-csp-admx-dnsclient.md) +- [DNS_SmartProtocolReorder](policy-csp-admx-dnsclient.md) +- [DNS_UpdateSecurityLevel](policy-csp-admx-dnsclient.md) +- [DNS_UpdateTopLevelDomainZones](policy-csp-admx-dnsclient.md) + +## ADMX_DWM + +- [DwmDisallowAnimations_1](policy-csp-admx-dwm.md) +- [DwmDisallowColorizationColorChanges_1](policy-csp-admx-dwm.md) +- [DwmDefaultColorizationColor_1](policy-csp-admx-dwm.md) +- [DwmDisallowAnimations_2](policy-csp-admx-dwm.md) +- [DwmDisallowColorizationColorChanges_2](policy-csp-admx-dwm.md) +- [DwmDefaultColorizationColor_2](policy-csp-admx-dwm.md) + +## ADMX_EAIME + +- [L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList](policy-csp-admx-eaime.md) +- [L_RestrictCharacterCodeRangeOfConversion](policy-csp-admx-eaime.md) +- [L_TurnOffCustomDictionary](policy-csp-admx-eaime.md) +- [L_TurnOffHistorybasedPredictiveInput](policy-csp-admx-eaime.md) +- [L_TurnOffInternetSearchIntegration](policy-csp-admx-eaime.md) +- [L_TurnOffOpenExtendedDictionary](policy-csp-admx-eaime.md) +- [L_TurnOffSavingAutoTuningDataToFile](policy-csp-admx-eaime.md) +- [L_TurnOnCloudCandidate](policy-csp-admx-eaime.md) +- [L_TurnOnCloudCandidateCHS](policy-csp-admx-eaime.md) +- [L_TurnOnLexiconUpdate](policy-csp-admx-eaime.md) +- [L_TurnOnLiveStickers](policy-csp-admx-eaime.md) +- [L_TurnOnMisconversionLoggingForMisconversionReport](policy-csp-admx-eaime.md) + +## ADMX_EncryptFilesonMove + +- [NoEncryptOnMove](policy-csp-admx-encryptfilesonmove.md) + +## ADMX_EnhancedStorage + +- [RootHubConnectedEnStorDevices](policy-csp-admx-enhancedstorage.md) +- [ApprovedEnStorDevices](policy-csp-admx-enhancedstorage.md) +- [ApprovedSilos](policy-csp-admx-enhancedstorage.md) +- [DisallowLegacyDiskDevices](policy-csp-admx-enhancedstorage.md) +- [DisablePasswordAuthentication](policy-csp-admx-enhancedstorage.md) +- [LockDeviceOnMachineLock](policy-csp-admx-enhancedstorage.md) + +## ADMX_ErrorReporting + +- [WerArchive_1](policy-csp-admx-errorreporting.md) +- [WerQueue_1](policy-csp-admx-errorreporting.md) +- [WerExlusion_1](policy-csp-admx-errorreporting.md) +- [WerAutoApproveOSDumps_1](policy-csp-admx-errorreporting.md) +- [WerDefaultConsent_1](policy-csp-admx-errorreporting.md) +- [WerConsentCustomize_1](policy-csp-admx-errorreporting.md) +- [WerConsentOverride_1](policy-csp-admx-errorreporting.md) +- [WerNoLogging_1](policy-csp-admx-errorreporting.md) +- [WerDisable_1](policy-csp-admx-errorreporting.md) +- [WerNoSecondLevelData_1](policy-csp-admx-errorreporting.md) +- [WerBypassDataThrottling_1](policy-csp-admx-errorreporting.md) +- [WerBypassPowerThrottling_1](policy-csp-admx-errorreporting.md) +- [WerBypassNetworkCostThrottling_1](policy-csp-admx-errorreporting.md) +- [WerCER](policy-csp-admx-errorreporting.md) +- [WerArchive_2](policy-csp-admx-errorreporting.md) +- [WerQueue_2](policy-csp-admx-errorreporting.md) +- [PCH_AllOrNoneDef](policy-csp-admx-errorreporting.md) +- [PCH_AllOrNoneInc](policy-csp-admx-errorreporting.md) +- [WerExlusion_2](policy-csp-admx-errorreporting.md) +- [PCH_AllOrNoneEx](policy-csp-admx-errorreporting.md) +- [PCH_ReportOperatingSystemFaults](policy-csp-admx-errorreporting.md) +- [WerAutoApproveOSDumps_2](policy-csp-admx-errorreporting.md) +- [PCH_ConfigureReport](policy-csp-admx-errorreporting.md) +- [WerDefaultConsent_2](policy-csp-admx-errorreporting.md) +- [WerConsentOverride_2](policy-csp-admx-errorreporting.md) +- [WerNoLogging_2](policy-csp-admx-errorreporting.md) +- [WerBypassDataThrottling_2](policy-csp-admx-errorreporting.md) +- [WerBypassPowerThrottling_2](policy-csp-admx-errorreporting.md) +- [WerBypassNetworkCostThrottling_2](policy-csp-admx-errorreporting.md) + +## ADMX_EventForwarding + +- [ForwarderResourceUsage](policy-csp-admx-eventforwarding.md) +- [SubscriptionManager](policy-csp-admx-eventforwarding.md) + +## ADMX_EventLog + +- [Channel_Log_AutoBackup_1](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_1](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_5](policy-csp-admx-eventlog.md) +- [Channel_LogFilePath_1](policy-csp-admx-eventlog.md) +- [Channel_Log_AutoBackup_2](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_2](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_6](policy-csp-admx-eventlog.md) +- [Channel_Log_Retention_2](policy-csp-admx-eventlog.md) +- [Channel_LogFilePath_2](policy-csp-admx-eventlog.md) +- [Channel_Log_AutoBackup_3](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_3](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_7](policy-csp-admx-eventlog.md) +- [Channel_Log_Retention_3](policy-csp-admx-eventlog.md) +- [Channel_LogFilePath_3](policy-csp-admx-eventlog.md) +- [Channel_LogMaxSize_3](policy-csp-admx-eventlog.md) +- [Channel_LogEnabled](policy-csp-admx-eventlog.md) +- [Channel_Log_AutoBackup_4](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_4](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_8](policy-csp-admx-eventlog.md) +- [Channel_Log_Retention_4](policy-csp-admx-eventlog.md) +- [Channel_LogFilePath_4](policy-csp-admx-eventlog.md) + +## ADMX_EventLogging + +- [EnableProtectedEventLogging](policy-csp-admx-eventlogging.md) + +## ADMX_EventViewer + +- [EventViewer_RedirectionProgram](policy-csp-admx-eventviewer.md) +- [EventViewer_RedirectionProgramCommandLineParameters](policy-csp-admx-eventviewer.md) +- [EventViewer_RedirectionURL](policy-csp-admx-eventviewer.md) + +## ADMX_Explorer + +- [AlwaysShowClassicMenu](policy-csp-admx-explorer.md) +- [PreventItemCreationInUsersFilesFolder](policy-csp-admx-explorer.md) +- [TurnOffSPIAnimations](policy-csp-admx-explorer.md) +- [DisableRoamedProfileInit](policy-csp-admx-explorer.md) +- [AdminInfoUrl](policy-csp-admx-explorer.md) + +## ADMX_ExternalBoot + +- [PortableOperatingSystem_Hibernate](policy-csp-admx-externalboot.md) +- [PortableOperatingSystem_Sleep](policy-csp-admx-externalboot.md) +- [PortableOperatingSystem_Launcher](policy-csp-admx-externalboot.md) + +## ADMX_FileRecovery + +- [WdiScenarioExecutionPolicy](policy-csp-admx-filerecovery.md) + +## ADMX_FileRevocation + +- [DelegatedPackageFamilyNames](policy-csp-admx-filerevocation.md) + +## ADMX_FileServerVSSProvider + +- [Pol_EncryptProtocol](policy-csp-admx-fileservervssprovider.md) + +## ADMX_FileSys + +- [DisableDeleteNotification](policy-csp-admx-filesys.md) +- [LongPathsEnabled](policy-csp-admx-filesys.md) +- [DisableCompression](policy-csp-admx-filesys.md) +- [DisableEncryption](policy-csp-admx-filesys.md) +- [TxfDeprecatedFunctionality](policy-csp-admx-filesys.md) +- [EnablePagefileEncryption](policy-csp-admx-filesys.md) +- [ShortNameCreationSettings](policy-csp-admx-filesys.md) +- [SymlinkEvaluation](policy-csp-admx-filesys.md) + +## ADMX_FolderRedirection + +- [DisableFRAdminPin](policy-csp-admx-folderredirection.md) +- [DisableFRAdminPinByFolder](policy-csp-admx-folderredirection.md) +- [FolderRedirectionEnableCacheRename](policy-csp-admx-folderredirection.md) +- [PrimaryComputer_FR_1](policy-csp-admx-folderredirection.md) +- [LocalizeXPRelativePaths_1](policy-csp-admx-folderredirection.md) +- [PrimaryComputer_FR_2](policy-csp-admx-folderredirection.md) +- [LocalizeXPRelativePaths_2](policy-csp-admx-folderredirection.md) + +## ADMX_FramePanes + +- [NoReadingPane](policy-csp-admx-framepanes.md) +- [NoPreviewPane](policy-csp-admx-framepanes.md) + +## ADMX_fthsvc + +- [WdiScenarioExecutionPolicy](policy-csp-admx-fthsvc.md) + +## ADMX_Globalization + +- [ImplicitDataCollectionOff_1](policy-csp-admx-globalization.md) +- [HideAdminOptions](policy-csp-admx-globalization.md) +- [HideCurrentLocation](policy-csp-admx-globalization.md) +- [HideLanguageSelection](policy-csp-admx-globalization.md) +- [HideLocaleSelectAndCustomize](policy-csp-admx-globalization.md) +- [RestrictUILangSelect](policy-csp-admx-globalization.md) +- [LockUserUILanguage](policy-csp-admx-globalization.md) +- [TurnOffAutocorrectMisspelledWords](policy-csp-admx-globalization.md) +- [TurnOffHighlightMisspelledWords](policy-csp-admx-globalization.md) +- [TurnOffInsertSpace](policy-csp-admx-globalization.md) +- [TurnOffOfferTextPredictions](policy-csp-admx-globalization.md) +- [Y2K](policy-csp-admx-globalization.md) +- [PreventGeoIdChange_1](policy-csp-admx-globalization.md) +- [CustomLocalesNoSelect_1](policy-csp-admx-globalization.md) +- [PreventUserOverrides_1](policy-csp-admx-globalization.md) +- [LocaleUserRestrict_1](policy-csp-admx-globalization.md) +- [ImplicitDataCollectionOff_2](policy-csp-admx-globalization.md) +- [LockMachineUILanguage](policy-csp-admx-globalization.md) +- [PreventGeoIdChange_2](policy-csp-admx-globalization.md) +- [BlockUserInputMethodsForSignIn](policy-csp-admx-globalization.md) +- [CustomLocalesNoSelect_2](policy-csp-admx-globalization.md) +- [PreventUserOverrides_2](policy-csp-admx-globalization.md) +- [LocaleSystemRestrict](policy-csp-admx-globalization.md) +- [LocaleUserRestrict_2](policy-csp-admx-globalization.md) + +## ADMX_GroupPolicy + +- [GPDCOptions](policy-csp-admx-grouppolicy.md) +- [GPTransferRate_1](policy-csp-admx-grouppolicy.md) +- [NewGPOLinksDisabled](policy-csp-admx-grouppolicy.md) +- [DenyRsopToInteractiveUser_1](policy-csp-admx-grouppolicy.md) +- [EnforcePoliciesOnly](policy-csp-admx-grouppolicy.md) +- [NewGPODisplayName](policy-csp-admx-grouppolicy.md) +- [GroupPolicyRefreshRateUser](policy-csp-admx-grouppolicy.md) +- [DisableAutoADMUpdate](policy-csp-admx-grouppolicy.md) +- [ProcessMitigationOptions](policy-csp-admx-grouppolicy.md) +- [AllowX-ForestPolicy-and-RUP](policy-csp-admx-grouppolicy.md) +- [OnlyUseLocalAdminFiles](policy-csp-admx-grouppolicy.md) +- [SlowlinkDefaultToAsync](policy-csp-admx-grouppolicy.md) +- [SlowLinkDefaultForDirectAccess](policy-csp-admx-grouppolicy.md) +- [CSE_DiskQuota](policy-csp-admx-grouppolicy.md) +- [CSE_EFSRecovery](policy-csp-admx-grouppolicy.md) +- [CSE_FolderRedirection](policy-csp-admx-grouppolicy.md) +- [EnableLogonOptimization](policy-csp-admx-grouppolicy.md) +- [GPTransferRate_2](policy-csp-admx-grouppolicy.md) +- [CSE_IEM](policy-csp-admx-grouppolicy.md) +- [CSE_IPSecurity](policy-csp-admx-grouppolicy.md) +- [LogonScriptDelay](policy-csp-admx-grouppolicy.md) +- [CSE_Registry](policy-csp-admx-grouppolicy.md) +- [CSE_Scripts](policy-csp-admx-grouppolicy.md) +- [CSE_Security](policy-csp-admx-grouppolicy.md) +- [CSE_AppMgmt](policy-csp-admx-grouppolicy.md) +- [UserPolicyMode](policy-csp-admx-grouppolicy.md) +- [CSE_Wired](policy-csp-admx-grouppolicy.md) +- [CSE_Wireless](policy-csp-admx-grouppolicy.md) +- [EnableCDP](policy-csp-admx-grouppolicy.md) +- [DenyRsopToInteractiveUser_2](policy-csp-admx-grouppolicy.md) +- [ResetDfsClientInfoDuringRefreshPolicy](policy-csp-admx-grouppolicy.md) +- [EnableLogonOptimizationOnServerSKU](policy-csp-admx-grouppolicy.md) +- [EnableMMX](policy-csp-admx-grouppolicy.md) +- [DisableUsersFromMachGP](policy-csp-admx-grouppolicy.md) +- [GroupPolicyRefreshRate](policy-csp-admx-grouppolicy.md) +- [GroupPolicyRefreshRateDC](policy-csp-admx-grouppolicy.md) +- [SyncWaitTime](policy-csp-admx-grouppolicy.md) +- [CorpConnSyncWaitTime](policy-csp-admx-grouppolicy.md) +- [DisableBackgroundPolicy](policy-csp-admx-grouppolicy.md) +- [DisableAOACProcessing](policy-csp-admx-grouppolicy.md) +- [DisableLGPOProcessing](policy-csp-admx-grouppolicy.md) +- [RSoPLogging](policy-csp-admx-grouppolicy.md) +- [ProcessMitigationOptions](policy-csp-admx-grouppolicy.md) +- [FontMitigation](policy-csp-admx-grouppolicy.md) + +## ADMX_Help + +- [RestrictRunFromHelp](policy-csp-admx-help.md) +- [HelpQualifiedRootDir_Comp](policy-csp-admx-help.md) +- [RestrictRunFromHelp_Comp](policy-csp-admx-help.md) +- [DisableHHDEP](policy-csp-admx-help.md) + +## ADMX_HelpAndSupport + +- [HPImplicitFeedback](policy-csp-admx-helpandsupport.md) +- [HPExplicitFeedback](policy-csp-admx-helpandsupport.md) +- [HPOnlineAssistance](policy-csp-admx-helpandsupport.md) +- [ActiveHelp](policy-csp-admx-helpandsupport.md) + +## ADMX_hotspotauth + +- [HotspotAuth_Enable](policy-csp-admx-hotspotauth.md) + +## ADMX_ICM + +- [ShellNoUseStoreOpenWith_1](policy-csp-admx-icm.md) +- [DisableWebPnPDownload_1](policy-csp-admx-icm.md) +- [ShellPreventWPWDownload_1](policy-csp-admx-icm.md) +- [ShellNoUseInternetOpenWith_1](policy-csp-admx-icm.md) +- [DisableHTTPPrinting_1](policy-csp-admx-icm.md) +- [ShellRemoveOrderPrints_1](policy-csp-admx-icm.md) +- [ShellRemovePublishToWeb_1](policy-csp-admx-icm.md) +- [WinMSG_NoInstrumentation_1](policy-csp-admx-icm.md) +- [InternetManagement_RestrictCommunication_1](policy-csp-admx-icm.md) +- [RemoveWindowsUpdate_ICM](policy-csp-admx-icm.md) +- [ShellNoUseStoreOpenWith_2](policy-csp-admx-icm.md) +- [CertMgr_DisableAutoRootUpdates](policy-csp-admx-icm.md) +- [EventViewer_DisableLinks](policy-csp-admx-icm.md) +- [HSS_HeadlinesPolicy](policy-csp-admx-icm.md) +- [HSS_KBSearchPolicy](policy-csp-admx-icm.md) +- [NC_ExitOnISP](policy-csp-admx-icm.md) +- [ShellNoUseInternetOpenWith_2](policy-csp-admx-icm.md) +- [NC_NoRegistration](policy-csp-admx-icm.md) +- [SearchCompanion_DisableFileUpdates](policy-csp-admx-icm.md) +- [ShellRemoveOrderPrints_2](policy-csp-admx-icm.md) +- [ShellRemovePublishToWeb_2](policy-csp-admx-icm.md) +- [WinMSG_NoInstrumentation_2](policy-csp-admx-icm.md) +- [CEIPEnable](policy-csp-admx-icm.md) +- [PCH_DoNotReport](policy-csp-admx-icm.md) +- [DriverSearchPlaces_DontSearchWindowsUpdate](policy-csp-admx-icm.md) +- [InternetManagement_RestrictCommunication_2](policy-csp-admx-icm.md) + +## ADMX_IIS + +- [PreventIISInstall](policy-csp-admx-iis.md) + +## ADMX_iSCSI + +- [iSCSIGeneral_RestrictAdditionalLogins](policy-csp-admx-iscsi.md) +- [iSCSIGeneral_ChangeIQNName](policy-csp-admx-iscsi.md) +- [iSCSISecurity_ChangeCHAPSecret](policy-csp-admx-iscsi.md) +- [iSCSISecurity_RequireIPSec](policy-csp-admx-iscsi.md) +- [iSCSISecurity_RequireMutualCHAP](policy-csp-admx-iscsi.md) +- [iSCSISecurity_RequireOneWayCHAP](policy-csp-admx-iscsi.md) +- [iSCSIDiscovery_NewStaticTargets](policy-csp-admx-iscsi.md) +- [iSCSIDiscovery_ConfigureTargets](policy-csp-admx-iscsi.md) +- [iSCSIDiscovery_ConfigureiSNSServers](policy-csp-admx-iscsi.md) +- [iSCSIDiscovery_ConfigureTargetPortals](policy-csp-admx-iscsi.md) + +## ADMX_kdc + +- [CbacAndArmor](policy-csp-admx-kdc.md) +- [PKINITFreshness](policy-csp-admx-kdc.md) +- [emitlili](policy-csp-admx-kdc.md) +- [RequestCompoundId](policy-csp-admx-kdc.md) +- [ForestSearch](policy-csp-admx-kdc.md) +- [TicketSizeThreshold](policy-csp-admx-kdc.md) + +## ADMX_Kerberos + +- [AlwaysSendCompoundId](policy-csp-admx-kerberos.md) +- [HostToRealm](policy-csp-admx-kerberos.md) +- [MitRealms](policy-csp-admx-kerberos.md) +- [KdcProxyDisableServerRevocationCheck](policy-csp-admx-kerberos.md) +- [StrictTarget](policy-csp-admx-kerberos.md) +- [KdcProxyServer](policy-csp-admx-kerberos.md) +- [ServerAcceptsCompound](policy-csp-admx-kerberos.md) +- [DevicePKInitEnabled](policy-csp-admx-kerberos.md) + +## ADMX_LanmanServer + +- [Pol_CipherSuiteOrder](policy-csp-admx-lanmanserver.md) +- [Pol_HashPublication](policy-csp-admx-lanmanserver.md) +- [Pol_HashSupportVersion](policy-csp-admx-lanmanserver.md) +- [Pol_HonorCipherSuiteOrder](policy-csp-admx-lanmanserver.md) + +## ADMX_LanmanWorkstation + +- [Pol_CipherSuiteOrder](policy-csp-admx-lanmanworkstation.md) +- [Pol_EnableHandleCachingForCAFiles](policy-csp-admx-lanmanworkstation.md) +- [Pol_EnableOfflineFilesforCAShares](policy-csp-admx-lanmanworkstation.md) + +## ADMX_LeakDiagnostic + +- [WdiScenarioExecutionPolicy](policy-csp-admx-leakdiagnostic.md) + +## ADMX_LinkLayerTopologyDiscovery + +- [LLTD_EnableLLTDIO](policy-csp-admx-linklayertopologydiscovery.md) +- [LLTD_EnableRspndr](policy-csp-admx-linklayertopologydiscovery.md) + +## ADMX_LocationProviderAdm + +- [DisableWindowsLocationProvider_1](policy-csp-admx-locationprovideradm.md) + +## ADMX_Logon + +- [NoWelcomeTips_1](policy-csp-admx-logon.md) +- [DisableExplorerRunLegacy_1](policy-csp-admx-logon.md) +- [DisableExplorerRunOnceLegacy_1](policy-csp-admx-logon.md) +- [Run_1](policy-csp-admx-logon.md) +- [VerboseStatus](policy-csp-admx-logon.md) +- [UseOEMBackground](policy-csp-admx-logon.md) +- [SyncForegroundPolicy](policy-csp-admx-logon.md) +- [BlockUserFromShowingAccountDetailsOnSignin](policy-csp-admx-logon.md) +- [NoWelcomeTips_2](policy-csp-admx-logon.md) +- [DontEnumerateConnectedUsers](policy-csp-admx-logon.md) +- [DisableExplorerRunLegacy_2](policy-csp-admx-logon.md) +- [DisableExplorerRunOnceLegacy_2](policy-csp-admx-logon.md) +- [Run_2](policy-csp-admx-logon.md) +- [DisableAcrylicBackgroundOnLogon](policy-csp-admx-logon.md) +- [DisableStatusMessages](policy-csp-admx-logon.md) + +## ADMX_MicrosoftDefenderAntivirus + +- [ServiceKeepAlive](policy-csp-admx-microsoftdefenderantivirus.md) +- [AllowFastServiceStartup](policy-csp-admx-microsoftdefenderantivirus.md) +- [UX_Configuration_CustomDefaultActionToastString](policy-csp-admx-microsoftdefenderantivirus.md) +- [UX_Configuration_UILockdown](policy-csp-admx-microsoftdefenderantivirus.md) +- [UX_Configuration_Notification_Suppress](policy-csp-admx-microsoftdefenderantivirus.md) +- [UX_Configuration_SuppressRebootNotification](policy-csp-admx-microsoftdefenderantivirus.md) +- [DisableLocalAdminMerge](policy-csp-admx-microsoftdefenderantivirus.md) +- [ProxyBypass](policy-csp-admx-microsoftdefenderantivirus.md) +- [ProxyPacUrl](policy-csp-admx-microsoftdefenderantivirus.md) +- [ProxyServer](policy-csp-admx-microsoftdefenderantivirus.md) +- [Exclusions_Extensions](policy-csp-admx-microsoftdefenderantivirus.md) +- [Exclusions_Paths](policy-csp-admx-microsoftdefenderantivirus.md) +- [Exclusions_Processes](policy-csp-admx-microsoftdefenderantivirus.md) +- [DisableAutoExclusions](policy-csp-admx-microsoftdefenderantivirus.md) +- [Spynet_LocalSettingOverrideSpynetReporting](policy-csp-admx-microsoftdefenderantivirus.md) +- [DisableBlockAtFirstSeen](policy-csp-admx-microsoftdefenderantivirus.md) +- [SpynetReporting](policy-csp-admx-microsoftdefenderantivirus.md) +- [ExploitGuard_ASR_Rules](policy-csp-admx-microsoftdefenderantivirus.md) +- [ExploitGuard_ASR_ASROnlyExclusions](policy-csp-admx-microsoftdefenderantivirus.md) +- [ExploitGuard_ControlledFolderAccess_AllowedApplications](policy-csp-admx-microsoftdefenderantivirus.md) +- [ExploitGuard_ControlledFolderAccess_ProtectedFolders](policy-csp-admx-microsoftdefenderantivirus.md) +- [MpEngine_EnableFileHashComputation](policy-csp-admx-microsoftdefenderantivirus.md) +- [Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid](policy-csp-admx-microsoftdefenderantivirus.md) +- [Nis_Consumers_IPS_DisableSignatureRetirement](policy-csp-admx-microsoftdefenderantivirus.md) +- [Nis_DisableProtocolRecognition](policy-csp-admx-microsoftdefenderantivirus.md) +- [Quarantine_LocalSettingOverridePurgeItemsAfterDelay](policy-csp-admx-microsoftdefenderantivirus.md) +- [Quarantine_PurgeItemsAfterDelay](policy-csp-admx-microsoftdefenderantivirus.md) +- [RandomizeScheduleTaskTimes](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_LocalSettingOverrideRealtimeScanDirection](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_LocalSettingOverrideDisableIOAVProtection](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_IOAVMaxSize](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_DisableOnAccessProtection](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_DisableIOAVProtection](policy-csp-admx-microsoftdefenderantivirus.md) +- [DisableRealtimeMonitoring](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_DisableBehaviorMonitoring](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_DisableScanOnRealtimeEnable](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_DisableRawWriteNotification](policy-csp-admx-microsoftdefenderantivirus.md) +- [Remediation_LocalSettingOverrideScan_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) +- [Remediation_Scan_ScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md) +- [Remediation_Scan_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_CriticalFailureTimeout](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_NonCriticalTimeout](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_RecentlyCleanedTimeout](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_AdditionalActionTimeout](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_DisablegenericrePorts](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_WppTracingComponents](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_WppTracingLevel](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_DisableEnhancedNotifications](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_AllowPause](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_LocalSettingOverrideAvgCPULoadFactor](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_LocalSettingOverrideScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_LocalSettingOverrideScheduleQuickScantime](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_LocalSettingOverrideScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_LocalSettingOverrideScanParameters](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_LowCpuPriority](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableRestorePoint](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_MissedScheduledScanCountBeforeCatchup](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableScanningMappedNetworkDrivesForFullScan](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableArchiveScanning](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableScanningNetworkFiles](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisablePackedExeScanning](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableRemovableDriveScanning](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_ScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_QuickScanInterval](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_ArchiveMaxDepth](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_ArchiveMaxSize](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_ScanOnlyIfIdle](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableEmailScanning](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableHeuristics](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_PurgeItemsAfterDelay](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableReparsePointScanning](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_SignatureDisableNotification](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_RealtimeSignatureDelivery](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_ForceUpdateFromMU](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_DisableScheduledSignatureUpdateonBattery](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_UpdateOnStartup](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_DefinitionUpdateFileSharesSources](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_SharedSignaturesLocation](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_SignatureUpdateCatchupInterval](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_ASSignatureDue](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_AVSignatureDue](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_FallbackOrder](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_DisableUpdateOnStartupWithoutEngine](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_ScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_DisableScanOnUpdate](policy-csp-admx-microsoftdefenderantivirus.md) +- [Threats_ThreatIdDefaultAction](policy-csp-admx-microsoftdefenderantivirus.md) +- [DisableAntiSpywareDefender](policy-csp-admx-microsoftdefenderantivirus.md) +- [DisableRoutinelyTakingAction](policy-csp-admx-microsoftdefenderantivirus.md) + +## ADMX_MMC + +- [MMC_Restrict_Author](policy-csp-admx-mmc.md) +- [MMC_Restrict_To_Permitted_Snapins](policy-csp-admx-mmc.md) +- [MMC_ActiveXControl](policy-csp-admx-mmc.md) +- [MMC_ExtendView](policy-csp-admx-mmc.md) +- [MMC_LinkToWeb](policy-csp-admx-mmc.md) + +## ADMX_MMCSnapins + +- [MMC_Net_Framework](policy-csp-admx-mmcsnapins.md) +- [MMC_ActiveDirDomTrusts](policy-csp-admx-mmcsnapins.md) +- [MMC_ActiveDirSitesServices](policy-csp-admx-mmcsnapins.md) +- [MMC_ActiveDirUsersComp](policy-csp-admx-mmcsnapins.md) +- [MMC_ADSI](policy-csp-admx-mmcsnapins.md) +- [MMC_CertsTemplate](policy-csp-admx-mmcsnapins.md) +- [MMC_Certs](policy-csp-admx-mmcsnapins.md) +- [MMC_CertAuth](policy-csp-admx-mmcsnapins.md) +- [MMC_ComponentServices](policy-csp-admx-mmcsnapins.md) +- [MMC_ComputerManagement](policy-csp-admx-mmcsnapins.md) +- [MMC_DeviceManager_2](policy-csp-admx-mmcsnapins.md) +- [MMC_DiskDefrag](policy-csp-admx-mmcsnapins.md) +- [MMC_DiskMgmt](policy-csp-admx-mmcsnapins.md) +- [MMC_DFS](policy-csp-admx-mmcsnapins.md) +- [MMC_EnterprisePKI](policy-csp-admx-mmcsnapins.md) +- [MMC_EventViewer_3](policy-csp-admx-mmcsnapins.md) +- [MMC_EventViewer_4](policy-csp-admx-mmcsnapins.md) +- [MMC_AppleTalkRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_AuthMan](policy-csp-admx-mmcsnapins.md) +- [MMC_CertAuthPolSet](policy-csp-admx-mmcsnapins.md) +- [MMC_ConnectionSharingNAT](policy-csp-admx-mmcsnapins.md) +- [MMC_DCOMCFG](policy-csp-admx-mmcsnapins.md) +- [MMC_DeviceManager_1](policy-csp-admx-mmcsnapins.md) +- [MMC_DHCPRelayMgmt](policy-csp-admx-mmcsnapins.md) +- [MMC_EventViewer_1](policy-csp-admx-mmcsnapins.md) +- [MMC_EventViewer_2](policy-csp-admx-mmcsnapins.md) +- [MMC_IASLogging](policy-csp-admx-mmcsnapins.md) +- [MMC_IGMPRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_IPRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_IPXRIPRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_IPXRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_IPXSAPRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_LogicalMappedDrives](policy-csp-admx-mmcsnapins.md) +- [MMC_OSPFRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_PublicKey](policy-csp-admx-mmcsnapins.md) +- [MMC_RAS_DialinUser](policy-csp-admx-mmcsnapins.md) +- [MMC_RemoteAccess](policy-csp-admx-mmcsnapins.md) +- [MMC_RemStore](policy-csp-admx-mmcsnapins.md) +- [MMC_RIPRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_Routing](policy-csp-admx-mmcsnapins.md) +- [MMC_SendConsoleMessage](policy-csp-admx-mmcsnapins.md) +- [MMC_ServiceDependencies](policy-csp-admx-mmcsnapins.md) +- [MMC_SharedFolders_Ext](policy-csp-admx-mmcsnapins.md) +- [MMC_SMTPProtocol](policy-csp-admx-mmcsnapins.md) +- [MMC_SNMP](policy-csp-admx-mmcsnapins.md) +- [MMC_SysProp](policy-csp-admx-mmcsnapins.md) +- [MMC_FailoverClusters](policy-csp-admx-mmcsnapins.md) +- [MMC_FAXService](policy-csp-admx-mmcsnapins.md) +- [MMC_FrontPageExt](policy-csp-admx-mmcsnapins.md) +- [MMC_GroupPolicyManagementSnapIn](policy-csp-admx-mmcsnapins.md) +- [MMC_GroupPolicySnapIn](policy-csp-admx-mmcsnapins.md) +- [MMC_ADMComputers_1](policy-csp-admx-mmcsnapins.md) +- [MMC_ADMUsers_1](policy-csp-admx-mmcsnapins.md) +- [MMC_FolderRedirection_1](policy-csp-admx-mmcsnapins.md) +- [MMC_IEMaintenance_1](policy-csp-admx-mmcsnapins.md) +- [MMC_IPSecManage_GP](policy-csp-admx-mmcsnapins.md) +- [MMC_NapSnap_GP](policy-csp-admx-mmcsnapins.md) +- [MMC_RIS](policy-csp-admx-mmcsnapins.md) +- [MMC_ScriptsUser_1](policy-csp-admx-mmcsnapins.md) +- [MMC_ScriptsMachine_1](policy-csp-admx-mmcsnapins.md) +- [MMC_SecuritySettings_1](policy-csp-admx-mmcsnapins.md) +- [MMC_SoftwareInstalationComputers_1](policy-csp-admx-mmcsnapins.md) +- [MMC_SoftwareInstallationUsers_1](policy-csp-admx-mmcsnapins.md) +- [MMC_WindowsFirewall_GP](policy-csp-admx-mmcsnapins.md) +- [MMC_WiredNetworkPolicy](policy-csp-admx-mmcsnapins.md) +- [MMC_WirelessNetworkPolicy](policy-csp-admx-mmcsnapins.md) +- [MMC_GroupPolicyTab](policy-csp-admx-mmcsnapins.md) +- [MMC_ResultantSetOfPolicySnapIn](policy-csp-admx-mmcsnapins.md) +- [MMC_ADMComputers_2](policy-csp-admx-mmcsnapins.md) +- [MMC_ADMUsers_2](policy-csp-admx-mmcsnapins.md) +- [MMC_FolderRedirection_2](policy-csp-admx-mmcsnapins.md) +- [MMC_IEMaintenance_2](policy-csp-admx-mmcsnapins.md) +- [MMC_ScriptsUser_2](policy-csp-admx-mmcsnapins.md) +- [MMC_ScriptsMachine_2](policy-csp-admx-mmcsnapins.md) +- [MMC_SecuritySettings_2](policy-csp-admx-mmcsnapins.md) +- [MMC_SoftwareInstalationComputers_2](policy-csp-admx-mmcsnapins.md) +- [MMC_SoftwareInstallationUsers_2](policy-csp-admx-mmcsnapins.md) +- [MMC_HRA](policy-csp-admx-mmcsnapins.md) +- [MMC_IndexingService](policy-csp-admx-mmcsnapins.md) +- [MMC_IAS](policy-csp-admx-mmcsnapins.md) +- [MMC_IIS](policy-csp-admx-mmcsnapins.md) +- [MMC_IpSecMonitor](policy-csp-admx-mmcsnapins.md) +- [MMC_IpSecManage](policy-csp-admx-mmcsnapins.md) +- [MMC_LocalUsersGroups](policy-csp-admx-mmcsnapins.md) +- [MMC_NapSnap](policy-csp-admx-mmcsnapins.md) +- [MMC_NPSUI](policy-csp-admx-mmcsnapins.md) +- [MMC_OCSP](policy-csp-admx-mmcsnapins.md) +- [MMC_PerfLogsAlerts](policy-csp-admx-mmcsnapins.md) +- [MMC_QoSAdmission](policy-csp-admx-mmcsnapins.md) +- [MMC_TerminalServices](policy-csp-admx-mmcsnapins.md) +- [MMC_RemoteDesktop](policy-csp-admx-mmcsnapins.md) +- [MMC_RSM](policy-csp-admx-mmcsnapins.md) +- [MMC_RRA](policy-csp-admx-mmcsnapins.md) +- [MMC_SCA](policy-csp-admx-mmcsnapins.md) +- [MMC_SecurityTemplates](policy-csp-admx-mmcsnapins.md) +- [MMC_ServerManager](policy-csp-admx-mmcsnapins.md) +- [MMC_Services](policy-csp-admx-mmcsnapins.md) +- [MMC_SharedFolders](policy-csp-admx-mmcsnapins.md) +- [MMC_SysInfo](policy-csp-admx-mmcsnapins.md) +- [MMC_Telephony](policy-csp-admx-mmcsnapins.md) +- [MMC_TPMManagement](policy-csp-admx-mmcsnapins.md) +- [MMC_WindowsFirewall](policy-csp-admx-mmcsnapins.md) +- [MMC_WirelessMon](policy-csp-admx-mmcsnapins.md) +- [MMC_WMI](policy-csp-admx-mmcsnapins.md) + +## ADMX_MobilePCMobilityCenter + +- [MobilityCenterEnable_1](policy-csp-admx-mobilepcmobilitycenter.md) +- [MobilityCenterEnable_2](policy-csp-admx-mobilepcmobilitycenter.md) + +## ADMX_MobilePCPresentationSettings + +- [PresentationSettingsEnable_1](policy-csp-admx-mobilepcpresentationsettings.md) +- [PresentationSettingsEnable_2](policy-csp-admx-mobilepcpresentationsettings.md) + +## ADMX_MSAPolicy + +- [MicrosoftAccount_DisableUserAuth](policy-csp-admx-msapolicy.md) + +## ADMX_msched + +- [ActivationBoundaryPolicy](policy-csp-admx-msched.md) +- [RandomDelayPolicy](policy-csp-admx-msched.md) + +## ADMX_MSDT + +- [WdiScenarioExecutionPolicy](policy-csp-admx-msdt.md) +- [MsdtToolDownloadPolicy](policy-csp-admx-msdt.md) +- [MsdtSupportProvider](policy-csp-admx-msdt.md) + +## ADMX_MSI + +- [DisableMedia](policy-csp-admx-msi.md) +- [DisableRollback_1](policy-csp-admx-msi.md) +- [SearchOrder](policy-csp-admx-msi.md) +- [AllowLockdownBrowse](policy-csp-admx-msi.md) +- [AllowLockdownPatch](policy-csp-admx-msi.md) +- [AllowLockdownMedia](policy-csp-admx-msi.md) +- [MSI_MaxPatchCacheSize](policy-csp-admx-msi.md) +- [MSI_EnforceUpgradeComponentRules](policy-csp-admx-msi.md) +- [MsiDisableEmbeddedUI](policy-csp-admx-msi.md) +- [SafeForScripting](policy-csp-admx-msi.md) +- [DisablePatch](policy-csp-admx-msi.md) +- [DisableFlyweightPatching](policy-csp-admx-msi.md) +- [MSI_DisableLUAPatching](policy-csp-admx-msi.md) +- [MSI_DisablePatchUninstall](policy-csp-admx-msi.md) +- [DisableRollback_2](policy-csp-admx-msi.md) +- [DisableAutomaticApplicationShutdown](policy-csp-admx-msi.md) +- [MSI_DisableUserInstalls](policy-csp-admx-msi.md) +- [DisableBrowse](policy-csp-admx-msi.md) +- [TransformsSecure](policy-csp-admx-msi.md) +- [MSILogging](policy-csp-admx-msi.md) +- [MSI_DisableSRCheckPoints](policy-csp-admx-msi.md) +- [DisableLoggingFromPackage](policy-csp-admx-msi.md) +- [DisableSharedComponent](policy-csp-admx-msi.md) +- [DisableMSI](policy-csp-admx-msi.md) + +## ADMX_MsiFileRecovery + +- [WdiScenarioExecutionPolicy](policy-csp-admx-msifilerecovery.md) + +## ADMX_MSS-legacy + +- [Pol_MSS_AutoAdminLogon](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_AutoReboot](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_AutoShareServer](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_AutoShareWks](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_DisableSavePassword](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_EnableDeadGWDetect](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_HideFromBrowseList](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_KeepAliveTime](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_NoDefaultExempt](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_NtfsDisable8dot3NameCreation](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_PerformRouterDiscovery](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_SafeDllSearchMode](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_ScreenSaverGracePeriod](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_SynAttackProtect](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_TcpMaxConnectResponseRetransmissions](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_TcpMaxDataRetransmissionsIPv6](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_TcpMaxDataRetransmissions](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_WarningLevel](policy-csp-admx-mss-legacy.md) + +## ADMX_nca + +- [CorporateResources](policy-csp-admx-nca.md) +- [CustomCommands](policy-csp-admx-nca.md) +- [PassiveMode](policy-csp-admx-nca.md) +- [FriendlyName](policy-csp-admx-nca.md) +- [DTEs](policy-csp-admx-nca.md) +- [LocalNamesOn](policy-csp-admx-nca.md) +- [SupportEmail](policy-csp-admx-nca.md) +- [ShowUI](policy-csp-admx-nca.md) + +## ADMX_NCSI + +- [NCSI_CorpDnsProbeContent](policy-csp-admx-ncsi.md) +- [NCSI_CorpDnsProbeHost](policy-csp-admx-ncsi.md) +- [NCSI_CorpSitePrefixes](policy-csp-admx-ncsi.md) +- [NCSI_CorpWebProbeUrl](policy-csp-admx-ncsi.md) +- [NCSI_DomainLocationDeterminationUrl](policy-csp-admx-ncsi.md) +- [NCSI_GlobalDns](policy-csp-admx-ncsi.md) +- [NCSI_PassivePolling](policy-csp-admx-ncsi.md) + +## ADMX_Netlogon + +- [Netlogon_AllowNT4Crypto](policy-csp-admx-netlogon.md) +- [Netlogon_AvoidPdcOnWan](policy-csp-admx-netlogon.md) +- [Netlogon_IgnoreIncomingMailslotMessages](policy-csp-admx-netlogon.md) +- [Netlogon_AvoidFallbackNetbiosDiscovery](policy-csp-admx-netlogon.md) +- [Netlogon_ForceRediscoveryInterval](policy-csp-admx-netlogon.md) +- [Netlogon_AddressTypeReturned](policy-csp-admx-netlogon.md) +- [Netlogon_LdapSrvPriority](policy-csp-admx-netlogon.md) +- [Netlogon_DnsTtl](policy-csp-admx-netlogon.md) +- [Netlogon_LdapSrvWeight](policy-csp-admx-netlogon.md) +- [Netlogon_AddressLookupOnPingBehavior](policy-csp-admx-netlogon.md) +- [Netlogon_DnsAvoidRegisterRecords](policy-csp-admx-netlogon.md) +- [Netlogon_UseDynamicDns](policy-csp-admx-netlogon.md) +- [Netlogon_DnsRefreshInterval](policy-csp-admx-netlogon.md) +- [Netlogon_NdncSiteCoverage](policy-csp-admx-netlogon.md) +- [Netlogon_SiteCoverage](policy-csp-admx-netlogon.md) +- [Netlogon_GcSiteCoverage](policy-csp-admx-netlogon.md) +- [Netlogon_TryNextClosestSite](policy-csp-admx-netlogon.md) +- [Netlogon_AutoSiteCoverage](policy-csp-admx-netlogon.md) +- [Netlogon_AllowDnsSuffixSearch](policy-csp-admx-netlogon.md) +- [Netlogon_AllowSingleLabelDnsDomain](policy-csp-admx-netlogon.md) +- [Netlogon_DnsSrvRecordUseLowerCaseHostNames](policy-csp-admx-netlogon.md) +- [Netlogon_NetlogonShareCompatibilityMode](policy-csp-admx-netlogon.md) +- [Netlogon_ScavengeInterval](policy-csp-admx-netlogon.md) +- [Netlogon_SysvolShareCompatibilityMode](policy-csp-admx-netlogon.md) +- [Netlogon_ExpectedDialupDelay](policy-csp-admx-netlogon.md) +- [Netlogon_DebugFlag](policy-csp-admx-netlogon.md) +- [Netlogon_MaximumLogFileSize](policy-csp-admx-netlogon.md) +- [Netlogon_NegativeCachePeriod](policy-csp-admx-netlogon.md) +- [Netlogon_NonBackgroundSuccessfulRefreshPeriod](policy-csp-admx-netlogon.md) +- [Netlogon_SiteName](policy-csp-admx-netlogon.md) +- [Netlogon_BackgroundRetryQuitTime](policy-csp-admx-netlogon.md) +- [Netlogon_BackgroundRetryInitialPeriod](policy-csp-admx-netlogon.md) +- [Netlogon_BackgroundRetryMaximumPeriod](policy-csp-admx-netlogon.md) +- [Netlogon_BackgroundSuccessfulRefreshPeriod](policy-csp-admx-netlogon.md) +- [Netlogon_PingUrgencyMode](policy-csp-admx-netlogon.md) + +## ADMX_NetworkConnections + +- [NC_RasAllUserProperties](policy-csp-admx-networkconnections.md) +- [NC_DeleteAllUserConnection](policy-csp-admx-networkconnections.md) +- [NC_LanConnect](policy-csp-admx-networkconnections.md) +- [NC_RenameAllUserRasConnection](policy-csp-admx-networkconnections.md) +- [NC_RenameLanConnection](policy-csp-admx-networkconnections.md) +- [NC_RenameConnection](policy-csp-admx-networkconnections.md) +- [NC_EnableAdminProhibits](policy-csp-admx-networkconnections.md) +- [NC_LanProperties](policy-csp-admx-networkconnections.md) +- [NC_LanChangeProperties](policy-csp-admx-networkconnections.md) +- [NC_RasChangeProperties](policy-csp-admx-networkconnections.md) +- [NC_AdvancedSettings](policy-csp-admx-networkconnections.md) +- [NC_NewConnectionWizard](policy-csp-admx-networkconnections.md) +- [NC_DialupPrefs](policy-csp-admx-networkconnections.md) +- [NC_AddRemoveComponents](policy-csp-admx-networkconnections.md) +- [NC_RasMyProperties](policy-csp-admx-networkconnections.md) +- [NC_RasConnect](policy-csp-admx-networkconnections.md) +- [NC_DeleteConnection](policy-csp-admx-networkconnections.md) +- [NC_ChangeBindState](policy-csp-admx-networkconnections.md) +- [NC_RenameMyRasConnection](policy-csp-admx-networkconnections.md) +- [NC_AllowAdvancedTCPIPConfig](policy-csp-admx-networkconnections.md) +- [NC_Statistics](policy-csp-admx-networkconnections.md) +- [NC_IpStateChecking](policy-csp-admx-networkconnections.md) +- [NC_DoNotShowLocalOnlyIcon](policy-csp-admx-networkconnections.md) +- [NC_PersonalFirewallConfig](policy-csp-admx-networkconnections.md) +- [NC_ShowSharedAccessUI](policy-csp-admx-networkconnections.md) +- [NC_StdDomainUserSetLocation](policy-csp-admx-networkconnections.md) +- [NC_ForceTunneling](policy-csp-admx-networkconnections.md) + +## ADMX_OfflineFiles + +- [Pol_GoOfflineAction_1](policy-csp-admx-offlinefiles.md) +- [Pol_EventLoggingLevel_1](policy-csp-admx-offlinefiles.md) +- [Pol_ReminderInitTimeout_1](policy-csp-admx-offlinefiles.md) +- [Pol_CustomGoOfflineActions_1](policy-csp-admx-offlinefiles.md) +- [Pol_NoCacheViewer_1](policy-csp-admx-offlinefiles.md) +- [Pol_NoConfigCache_1](policy-csp-admx-offlinefiles.md) +- [Pol_ReminderFreq_1](policy-csp-admx-offlinefiles.md) +- [Pol_ReminderTimeout_1](policy-csp-admx-offlinefiles.md) +- [Pol_NoMakeAvailableOffline_1](policy-csp-admx-offlinefiles.md) +- [Pol_NoPinFiles_1](policy-csp-admx-offlinefiles.md) +- [Pol_WorkOfflineDisabled_1](policy-csp-admx-offlinefiles.md) +- [Pol_AssignedOfflineFiles_1](policy-csp-admx-offlinefiles.md) +- [Pol_SyncAtLogoff_1](policy-csp-admx-offlinefiles.md) +- [Pol_SyncAtLogon_1](policy-csp-admx-offlinefiles.md) +- [Pol_SyncAtSuspend_1](policy-csp-admx-offlinefiles.md) +- [Pol_NoReminders_1](policy-csp-admx-offlinefiles.md) +- [Pol_GoOfflineAction_2](policy-csp-admx-offlinefiles.md) +- [Pol_Enabled](policy-csp-admx-offlinefiles.md) +- [Pol_PurgeAtLogoff](policy-csp-admx-offlinefiles.md) +- [Pol_BackgroundSyncSettings](policy-csp-admx-offlinefiles.md) +- [Pol_SlowLinkSpeed](policy-csp-admx-offlinefiles.md) +- [Pol_SlowLinkSettings](policy-csp-admx-offlinefiles.md) +- [Pol_DefCacheSize](policy-csp-admx-offlinefiles.md) +- [Pol_ExclusionListSettings](policy-csp-admx-offlinefiles.md) +- [Pol_SyncOnCostedNetwork](policy-csp-admx-offlinefiles.md) +- [Pol_OnlineCachingSettings](policy-csp-admx-offlinefiles.md) +- [Pol_EncryptOfflineFiles](policy-csp-admx-offlinefiles.md) +- [Pol_EventLoggingLevel_2](policy-csp-admx-offlinefiles.md) +- [Pol_ExtExclusionList](policy-csp-admx-offlinefiles.md) +- [Pol_ReminderInitTimeout_2](policy-csp-admx-offlinefiles.md) +- [Pol_CacheSize](policy-csp-admx-offlinefiles.md) +- [Pol_CustomGoOfflineActions_2](policy-csp-admx-offlinefiles.md) +- [Pol_NoCacheViewer_2](policy-csp-admx-offlinefiles.md) +- [Pol_NoConfigCache_2](policy-csp-admx-offlinefiles.md) +- [Pol_ReminderFreq_2](policy-csp-admx-offlinefiles.md) +- [Pol_ReminderTimeout_2](policy-csp-admx-offlinefiles.md) +- [Pol_NoMakeAvailableOffline_2](policy-csp-admx-offlinefiles.md) +- [Pol_NoPinFiles_2](policy-csp-admx-offlinefiles.md) +- [Pol_WorkOfflineDisabled_2](policy-csp-admx-offlinefiles.md) +- [Pol_AssignedOfflineFiles_2](policy-csp-admx-offlinefiles.md) +- [Pol_AlwaysPinSubFolders](policy-csp-admx-offlinefiles.md) +- [Pol_SyncAtLogoff_2](policy-csp-admx-offlinefiles.md) +- [Pol_SyncAtLogon_2](policy-csp-admx-offlinefiles.md) +- [Pol_SyncAtSuspend_2](policy-csp-admx-offlinefiles.md) +- [Pol_NoReminders_2](policy-csp-admx-offlinefiles.md) +- [Pol_QuickAdimPin](policy-csp-admx-offlinefiles.md) + +## ADMX_pca + +- [DetectDeprecatedCOMComponentFailuresPolicy](policy-csp-admx-pca.md) +- [DetectDeprecatedComponentFailuresPolicy](policy-csp-admx-pca.md) +- [DetectInstallFailuresPolicy](policy-csp-admx-pca.md) +- [DetectUndetectedInstallersPolicy](policy-csp-admx-pca.md) +- [DetectUpdateFailuresPolicy](policy-csp-admx-pca.md) +- [DisablePcaUIPolicy](policy-csp-admx-pca.md) +- [DetectBlockedDriversPolicy](policy-csp-admx-pca.md) + +## ADMX_PeerToPeerCaching + +- [EnableWindowsBranchCache_SMB](policy-csp-admx-peertopeercaching.md) +- [SetDowngrading](policy-csp-admx-peertopeercaching.md) +- [EnableWindowsBranchCache_HostedMultipleServers](policy-csp-admx-peertopeercaching.md) +- [EnableWindowsBranchCache_HostedCacheDiscovery](policy-csp-admx-peertopeercaching.md) +- [SetDataCacheEntryMaxAge](policy-csp-admx-peertopeercaching.md) +- [EnableWindowsBranchCache_Distributed](policy-csp-admx-peertopeercaching.md) +- [EnableWindowsBranchCache_Hosted](policy-csp-admx-peertopeercaching.md) +- [SetCachePercent](policy-csp-admx-peertopeercaching.md) +- [EnableWindowsBranchCache](policy-csp-admx-peertopeercaching.md) + +## ADMX_PenTraining + +- [PenTrainingOff_1](policy-csp-admx-pentraining.md) +- [PenTrainingOff_2](policy-csp-admx-pentraining.md) + +## ADMX_PerformanceDiagnostics + +- [WdiScenarioExecutionPolicy_1](policy-csp-admx-performancediagnostics.md) +- [WdiScenarioExecutionPolicy_3](policy-csp-admx-performancediagnostics.md) +- [WdiScenarioExecutionPolicy_4](policy-csp-admx-performancediagnostics.md) +- [WdiScenarioExecutionPolicy_2](policy-csp-admx-performancediagnostics.md) + +## ADMX_Power + +- [PW_PromptPasswordOnResume](policy-csp-admx-power.md) +- [Dont_PowerOff_AfterShutdown](policy-csp-admx-power.md) +- [DCStartMenuButtonAction_2](policy-csp-admx-power.md) +- [ACStartMenuButtonAction_2](policy-csp-admx-power.md) +- [DiskDCPowerDownTimeOut_2](policy-csp-admx-power.md) +- [DiskACPowerDownTimeOut_2](policy-csp-admx-power.md) +- [DCBatteryDischargeAction0_2](policy-csp-admx-power.md) +- [DCBatteryDischargeLevel0_2](policy-csp-admx-power.md) +- [DCBatteryDischargeAction1_2](policy-csp-admx-power.md) +- [DCBatteryDischargeLevel1_2](policy-csp-admx-power.md) +- [ReserveBatteryNotificationLevel](policy-csp-admx-power.md) +- [DCBatteryDischargeLevel1UINotification_2](policy-csp-admx-power.md) +- [PowerThrottlingTurnOff](policy-csp-admx-power.md) +- [InboxActiveSchemeOverride_2](policy-csp-admx-power.md) +- [AllowSystemPowerRequestDC](policy-csp-admx-power.md) +- [AllowSystemPowerRequestAC](policy-csp-admx-power.md) +- [AllowSystemSleepWithRemoteFilesOpenDC](policy-csp-admx-power.md) +- [AllowSystemSleepWithRemoteFilesOpenAC](policy-csp-admx-power.md) +- [DCConnectivityInStandby_2](policy-csp-admx-power.md) +- [ACConnectivityInStandby_2](policy-csp-admx-power.md) +- [DCCriticalSleepTransitionsDisable_2](policy-csp-admx-power.md) +- [ACCriticalSleepTransitionsDisable_2](policy-csp-admx-power.md) +- [CustomActiveSchemeOverride_2](policy-csp-admx-power.md) +- [EnableDesktopSlideShowDC](policy-csp-admx-power.md) +- [EnableDesktopSlideShowAC](policy-csp-admx-power.md) + +## ADMX_PowerShellExecutionPolicy + +- [EnableUpdateHelpDefaultSourcePath](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableModuleLogging](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableTranscripting](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableScripts](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableUpdateHelpDefaultSourcePath](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableModuleLogging](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableTranscripting](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableScripts](policy-csp-admx-powershellexecutionpolicy.md) + +## ADMX_PreviousVersions + +- [DisableLocalPage_1](policy-csp-admx-previousversions.md) +- [DisableRemotePage_1](policy-csp-admx-previousversions.md) +- [HideBackupEntries_1](policy-csp-admx-previousversions.md) +- [DisableLocalRestore_1](policy-csp-admx-previousversions.md) +- [DisableBackupRestore_1](policy-csp-admx-previousversions.md) +- [DisableRemoteRestore_1](policy-csp-admx-previousversions.md) +- [DisableLocalPage_2](policy-csp-admx-previousversions.md) +- [DisableRemotePage_2](policy-csp-admx-previousversions.md) +- [HideBackupEntries_2](policy-csp-admx-previousversions.md) +- [DisableLocalRestore_2](policy-csp-admx-previousversions.md) +- [DisableBackupRestore_2](policy-csp-admx-previousversions.md) +- [DisableRemoteRestore_2](policy-csp-admx-previousversions.md) + +## ADMX_Printing + +- [IntranetPrintersUrl](policy-csp-admx-printing.md) +- [DownlevelBrowse](policy-csp-admx-printing.md) +- [PrinterDirectorySearchScope](policy-csp-admx-printing.md) +- [PackagePointAndPrintOnly](policy-csp-admx-printing.md) +- [PackagePointAndPrintServerList](policy-csp-admx-printing.md) +- [NoDeletePrinter](policy-csp-admx-printing.md) +- [LegacyDefaultPrinterMode](policy-csp-admx-printing.md) +- [AllowWebPrinting](policy-csp-admx-printing.md) +- [DomainPrinters](policy-csp-admx-printing.md) +- [NonDomainPrinters](policy-csp-admx-printing.md) +- [ShowJobTitleInEventLogs](policy-csp-admx-printing.md) +- [ForceSoftwareRasterization](policy-csp-admx-printing.md) +- [EMFDespooling](policy-csp-admx-printing.md) +- [MXDWUseLegacyOutputFormatMSXPS](policy-csp-admx-printing.md) +- [PhysicalLocation](policy-csp-admx-printing.md) +- [CustomizedSupportUrl](policy-csp-admx-printing.md) +- [KMPrintersAreBlocked](policy-csp-admx-printing.md) +- [V4DriverDisallowPrinterExtension](policy-csp-admx-printing.md) +- [PrintDriverIsolationExecutionPolicy](policy-csp-admx-printing.md) +- [DoNotInstallCompatibleDriverFromWindowsUpdate](policy-csp-admx-printing.md) +- [ApplicationDriverIsolation](policy-csp-admx-printing.md) +- [PackagePointAndPrintOnly_Win7](policy-csp-admx-printing.md) +- [PrintDriverIsolationOverrideCompat](policy-csp-admx-printing.md) +- [PackagePointAndPrintServerList_Win7](policy-csp-admx-printing.md) +- [PhysicalLocationSupport](policy-csp-admx-printing.md) +- [PrinterServerThread](policy-csp-admx-printing.md) + +## ADMX_Printing2 + +- [RegisterSpoolerRemoteRpcEndPoint](policy-csp-admx-printing2.md) +- [ImmortalPrintQueue](policy-csp-admx-printing2.md) +- [AutoPublishing](policy-csp-admx-printing2.md) +- [VerifyPublishedState](policy-csp-admx-printing2.md) +- [PruningInterval](policy-csp-admx-printing2.md) +- [PruningPriority](policy-csp-admx-printing2.md) +- [PruningRetries](policy-csp-admx-printing2.md) +- [PruningRetryLog](policy-csp-admx-printing2.md) +- [PruneDownlevel](policy-csp-admx-printing2.md) + +## ADMX_Programs + +- [NoGetPrograms](policy-csp-admx-programs.md) +- [NoInstalledUpdates](policy-csp-admx-programs.md) +- [NoProgramsAndFeatures](policy-csp-admx-programs.md) +- [NoDefaultPrograms](policy-csp-admx-programs.md) +- [NoWindowsFeatures](policy-csp-admx-programs.md) +- [NoWindowsMarketplace](policy-csp-admx-programs.md) +- [NoProgramsCPL](policy-csp-admx-programs.md) + +## ADMX_PushToInstall + +- [DisablePushToInstall](policy-csp-admx-pushtoinstall.md) + +## ADMX_QOS + +- [QosServiceTypeBestEffort_C](policy-csp-admx-qos.md) +- [QosServiceTypeControlledLoad_C](policy-csp-admx-qos.md) +- [QosServiceTypeGuaranteed_C](policy-csp-admx-qos.md) +- [QosServiceTypeNetworkControl_C](policy-csp-admx-qos.md) +- [QosServiceTypeQualitative_C](policy-csp-admx-qos.md) +- [QosServiceTypeBestEffort_NC](policy-csp-admx-qos.md) +- [QosServiceTypeControlledLoad_NC](policy-csp-admx-qos.md) +- [QosServiceTypeGuaranteed_NC](policy-csp-admx-qos.md) +- [QosServiceTypeNetworkControl_NC](policy-csp-admx-qos.md) +- [QosServiceTypeQualitative_NC](policy-csp-admx-qos.md) +- [QosServiceTypeBestEffort_PV](policy-csp-admx-qos.md) +- [QosServiceTypeControlledLoad_PV](policy-csp-admx-qos.md) +- [QosServiceTypeGuaranteed_PV](policy-csp-admx-qos.md) +- [QosServiceTypeNetworkControl_PV](policy-csp-admx-qos.md) +- [QosServiceTypeNonConforming](policy-csp-admx-qos.md) +- [QosServiceTypeQualitative_PV](policy-csp-admx-qos.md) +- [QosMaxOutstandingSends](policy-csp-admx-qos.md) +- [QosNonBestEffortLimit](policy-csp-admx-qos.md) +- [QosTimerResolution](policy-csp-admx-qos.md) + +## ADMX_Radar + +- [WdiScenarioExecutionPolicy](policy-csp-admx-radar.md) + +## ADMX_Reliability + +- [ShutdownEventTrackerStateFile](policy-csp-admx-reliability.md) +- [ShutdownReason](policy-csp-admx-reliability.md) +- [EE_EnablePersistentTimeStamp](policy-csp-admx-reliability.md) +- [PCH_ReportShutdownEvents](policy-csp-admx-reliability.md) + +## ADMX_RemoteAssistance + +- [RA_EncryptedTicketOnly](policy-csp-admx-remoteassistance.md) +- [RA_Optimize_Bandwidth](policy-csp-admx-remoteassistance.md) + +## ADMX_RemovableStorage + +- [RemovableStorageClasses_DenyAll_Access_1](policy-csp-admx-removablestorage.md) +- [CDandDVD_DenyRead_Access_1](policy-csp-admx-removablestorage.md) +- [CDandDVD_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) +- [CustomClasses_DenyRead_Access_1](policy-csp-admx-removablestorage.md) +- [CustomClasses_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) +- [FloppyDrives_DenyRead_Access_1](policy-csp-admx-removablestorage.md) +- [FloppyDrives_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) +- [RemovableDisks_DenyRead_Access_1](policy-csp-admx-removablestorage.md) +- [RemovableDisks_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) +- [AccessRights_RebootTime_1](policy-csp-admx-removablestorage.md) +- [TapeDrives_DenyRead_Access_1](policy-csp-admx-removablestorage.md) +- [TapeDrives_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) +- [WPDDevices_DenyRead_Access_1](policy-csp-admx-removablestorage.md) +- [WPDDevices_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) +- [RemovableStorageClasses_DenyAll_Access_2](policy-csp-admx-removablestorage.md) +- [Removable_Remote_Allow_Access](policy-csp-admx-removablestorage.md) +- [CDandDVD_DenyExecute_Access_2](policy-csp-admx-removablestorage.md) +- [CDandDVD_DenyRead_Access_2](policy-csp-admx-removablestorage.md) +- [CDandDVD_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) +- [CustomClasses_DenyRead_Access_2](policy-csp-admx-removablestorage.md) +- [CustomClasses_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) +- [FloppyDrives_DenyExecute_Access_2](policy-csp-admx-removablestorage.md) +- [FloppyDrives_DenyRead_Access_2](policy-csp-admx-removablestorage.md) +- [FloppyDrives_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) +- [RemovableDisks_DenyExecute_Access_2](policy-csp-admx-removablestorage.md) +- [RemovableDisks_DenyRead_Access_2](policy-csp-admx-removablestorage.md) +- [AccessRights_RebootTime_2](policy-csp-admx-removablestorage.md) +- [TapeDrives_DenyExecute_Access_2](policy-csp-admx-removablestorage.md) +- [TapeDrives_DenyRead_Access_2](policy-csp-admx-removablestorage.md) +- [TapeDrives_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) +- [WPDDevices_DenyRead_Access_2](policy-csp-admx-removablestorage.md) +- [WPDDevices_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) + +## ADMX_RPC + +- [RpcIgnoreDelegationFailure](policy-csp-admx-rpc.md) +- [RpcStateInformation](policy-csp-admx-rpc.md) +- [RpcExtendedErrorInformation](policy-csp-admx-rpc.md) +- [RpcMinimumHttpConnectionTimeout](policy-csp-admx-rpc.md) + +## ADMX_sam + +- [SamNGCKeyROCAValidation](policy-csp-admx-sam.md) + +## ADMX_Scripts + +- [Run_Logoff_Script_Visible](policy-csp-admx-scripts.md) +- [Run_Logon_Script_Visible](policy-csp-admx-scripts.md) +- [Run_Legacy_Logon_Script_Hidden](policy-csp-admx-scripts.md) +- [Run_Logon_Script_Sync_1](policy-csp-admx-scripts.md) +- [Run_User_PS_Scripts_First](policy-csp-admx-scripts.md) +- [Allow_Logon_Script_NetbiosDisabled](policy-csp-admx-scripts.md) +- [Run_Shutdown_Script_Visible](policy-csp-admx-scripts.md) +- [Run_Startup_Script_Visible](policy-csp-admx-scripts.md) +- [Run_Logon_Script_Sync_2](policy-csp-admx-scripts.md) +- [Run_Startup_Script_Sync](policy-csp-admx-scripts.md) +- [Run_Computer_PS_Scripts_First](policy-csp-admx-scripts.md) +- [Run_User_PS_Scripts_First](policy-csp-admx-scripts.md) +- [MaxGPOScriptWaitPolicy](policy-csp-admx-scripts.md) + +## ADMX_sdiageng + +- [ScriptedDiagnosticsSecurityPolicy](policy-csp-admx-sdiageng.md) +- [ScriptedDiagnosticsExecutionPolicy](policy-csp-admx-sdiageng.md) +- [BetterWhenConnected](policy-csp-admx-sdiageng.md) + +## ADMX_sdiagschd + +- [ScheduledDiagnosticsExecutionPolicy](policy-csp-admx-sdiagschd.md) + +## ADMX_Securitycenter + +- [SecurityCenter_SecurityCenterInDomain](policy-csp-admx-securitycenter.md) + +## ADMX_Sensors + +- [DisableLocation_1](policy-csp-admx-sensors.md) +- [DisableLocationScripting_1](policy-csp-admx-sensors.md) +- [DisableSensors_1](policy-csp-admx-sensors.md) +- [DisableLocationScripting_2](policy-csp-admx-sensors.md) +- [DisableSensors_2](policy-csp-admx-sensors.md) + +## ADMX_ServerManager + +- [Do_not_display_Manage_Your_Server_page](policy-csp-admx-servermanager.md) +- [ServerManagerAutoRefreshRate](policy-csp-admx-servermanager.md) +- [DoNotLaunchInitialConfigurationTasks](policy-csp-admx-servermanager.md) +- [DoNotLaunchServerManager](policy-csp-admx-servermanager.md) + +## ADMX_Servicing + +- [Servicing](policy-csp-admx-servicing.md) + +## ADMX_SettingSync + +- [DisableSettingSync](policy-csp-admx-settingsync.md) +- [DisableApplicationSettingSync](policy-csp-admx-settingsync.md) +- [DisableAppSyncSettingSync](policy-csp-admx-settingsync.md) +- [DisableDesktopThemeSettingSync](policy-csp-admx-settingsync.md) +- [DisableSyncOnPaidNetwork](policy-csp-admx-settingsync.md) +- [DisableWindowsSettingSync](policy-csp-admx-settingsync.md) +- [DisableCredentialsSettingSync](policy-csp-admx-settingsync.md) +- [DisablePersonalizationSettingSync](policy-csp-admx-settingsync.md) +- [DisableStartLayoutSettingSync](policy-csp-admx-settingsync.md) + +## ADMX_SharedFolders + +- [PublishDfsRoots](policy-csp-admx-sharedfolders.md) +- [PublishSharedFolders](policy-csp-admx-sharedfolders.md) + +## ADMX_Sharing + +- [NoInplaceSharing](policy-csp-admx-sharing.md) +- [DisableHomeGroup](policy-csp-admx-sharing.md) + +## ADMX_ShellCommandPromptRegEditTools + +- [DisallowApps](policy-csp-admx-shellcommandpromptregedittools.md) +- [DisableRegedit](policy-csp-admx-shellcommandpromptregedittools.md) +- [DisableCMD](policy-csp-admx-shellcommandpromptregedittools.md) +- [RestrictApps](policy-csp-admx-shellcommandpromptregedittools.md) + +## ADMX_Smartcard + +- [AllowCertificatesWithNoEKU](policy-csp-admx-smartcard.md) +- [EnumerateECCCerts](policy-csp-admx-smartcard.md) +- [AllowIntegratedUnblock](policy-csp-admx-smartcard.md) +- [AllowSignatureOnlyKeys](policy-csp-admx-smartcard.md) +- [AllowTimeInvalidCertificates](policy-csp-admx-smartcard.md) +- [X509HintsNeeded](policy-csp-admx-smartcard.md) +- [CertPropRootCleanupString](policy-csp-admx-smartcard.md) +- [IntegratedUnblockPromptString](policy-csp-admx-smartcard.md) +- [FilterDuplicateCerts](policy-csp-admx-smartcard.md) +- [ForceReadingAllCertificates](policy-csp-admx-smartcard.md) +- [SCPnPNotification](policy-csp-admx-smartcard.md) +- [DisallowPlaintextPin](policy-csp-admx-smartcard.md) +- [ReverseSubject](policy-csp-admx-smartcard.md) +- [CertPropEnabledString](policy-csp-admx-smartcard.md) +- [CertPropRootEnabledString](policy-csp-admx-smartcard.md) +- [SCPnPEnabled](policy-csp-admx-smartcard.md) + +## ADMX_Snmp + +- [SNMP_Communities](policy-csp-admx-snmp.md) +- [SNMP_PermittedManagers](policy-csp-admx-snmp.md) +- [SNMP_Traps_Public](policy-csp-admx-snmp.md) + +## ADMX_SoundRec + +- [Soundrec_DiableApplication_TitleText_1](policy-csp-admx-soundrec.md) +- [Soundrec_DiableApplication_TitleText_2](policy-csp-admx-soundrec.md) + +## ADMX_srmfci + +- [AccessDeniedConfiguration](policy-csp-admx-srmfci.md) +- [EnableShellAccessCheck](policy-csp-admx-srmfci.md) +- [EnableManualUX](policy-csp-admx-srmfci.md) +- [CentralClassificationList](policy-csp-admx-srmfci.md) + +## ADMX_StartMenu + +- [MemCheckBoxInRunDlg](policy-csp-admx-startmenu.md) +- [ForceStartMenuLogOff](policy-csp-admx-startmenu.md) +- [AddSearchInternetLinkInStartMenu](policy-csp-admx-startmenu.md) +- [ShowRunInStartMenu](policy-csp-admx-startmenu.md) +- [PowerButtonAction](policy-csp-admx-startmenu.md) +- [ClearRecentDocsOnExit](policy-csp-admx-startmenu.md) +- [ClearRecentProgForNewUserInStartMenu](policy-csp-admx-startmenu.md) +- [ClearTilesOnExit](policy-csp-admx-startmenu.md) +- [NoToolbarsOnTaskbar](policy-csp-admx-startmenu.md) +- [NoSearchCommInStartMenu](policy-csp-admx-startmenu.md) +- [NoSearchFilesInStartMenu](policy-csp-admx-startmenu.md) +- [NoSearchInternetInStartMenu](policy-csp-admx-startmenu.md) +- [NoSearchProgramsInStartMenu](policy-csp-admx-startmenu.md) +- [NoResolveSearch](policy-csp-admx-startmenu.md) +- [NoResolveTrack](policy-csp-admx-startmenu.md) +- [NoStartPage](policy-csp-admx-startmenu.md) +- [GoToDesktopOnSignIn](policy-csp-admx-startmenu.md) +- [GreyMSIAds](policy-csp-admx-startmenu.md) +- [NoTrayItemsDisplay](policy-csp-admx-startmenu.md) +- [DesktopAppsFirstInAppsView](policy-csp-admx-startmenu.md) +- [LockTaskbar](policy-csp-admx-startmenu.md) +- [StartPinAppsWhenInstalled](policy-csp-admx-startmenu.md) +- [NoSetTaskbar](policy-csp-admx-startmenu.md) +- [NoTaskGrouping](policy-csp-admx-startmenu.md) +- [NoChangeStartMenu](policy-csp-admx-startmenu.md) +- [NoUninstallFromStart](policy-csp-admx-startmenu.md) +- [NoTrayContextMenu](policy-csp-admx-startmenu.md) +- [NoMoreProgramsList](policy-csp-admx-startmenu.md) +- [NoClose](policy-csp-admx-startmenu.md) +- [NoBalloonTip](policy-csp-admx-startmenu.md) +- [NoTaskBarClock](policy-csp-admx-startmenu.md) +- [NoCommonGroups](policy-csp-admx-startmenu.md) +- [NoSMConfigurePrograms](policy-csp-admx-startmenu.md) +- [NoSMMyDocuments](policy-csp-admx-startmenu.md) +- [NoStartMenuDownload](policy-csp-admx-startmenu.md) +- [NoFavoritesMenu](policy-csp-admx-startmenu.md) +- [NoGamesFolderOnStartMenu](policy-csp-admx-startmenu.md) +- [NoHelp](policy-csp-admx-startmenu.md) +- [NoStartMenuHomegroup](policy-csp-admx-startmenu.md) +- [NoWindowsUpdate](policy-csp-admx-startmenu.md) +- [StartMenuLogOff](policy-csp-admx-startmenu.md) +- [NoSMMyMusic](policy-csp-admx-startmenu.md) +- [NoNetAndDialupConnect](policy-csp-admx-startmenu.md) +- [NoSMMyNetworkPlaces](policy-csp-admx-startmenu.md) +- [NoSMMyPictures](policy-csp-admx-startmenu.md) +- [NoPinnedPrograms](policy-csp-admx-startmenu.md) +- [NoSetFolders](policy-csp-admx-startmenu.md) +- [NoRecentDocsMenu](policy-csp-admx-startmenu.md) +- [NoStartMenuRecordedTV](policy-csp-admx-startmenu.md) +- [NoRun](policy-csp-admx-startmenu.md) +- [NoSearchComputerLinkInStartMenu](policy-csp-admx-startmenu.md) +- [NoFind](policy-csp-admx-startmenu.md) +- [NoSearchEverywhereLinkInStartMenu](policy-csp-admx-startmenu.md) +- [RemoveUnDockPCButton](policy-csp-admx-startmenu.md) +- [NoUserFolderOnStartMenu](policy-csp-admx-startmenu.md) +- [NoUserNameOnStartMenu](policy-csp-admx-startmenu.md) +- [NoStartMenuSubFolders](policy-csp-admx-startmenu.md) +- [NoStartMenuVideos](policy-csp-admx-startmenu.md) +- [DisableGlobalSearchOnAppsView](policy-csp-admx-startmenu.md) +- [ShowRunAsDifferentUserInStart](policy-csp-admx-startmenu.md) +- [QuickLaunchEnabled](policy-csp-admx-startmenu.md) +- [ShowStartOnDisplayWithForegroundOnWinKey](policy-csp-admx-startmenu.md) +- [ShowAppsViewOnStart](policy-csp-admx-startmenu.md) +- [NoAutoTrayNotify](policy-csp-admx-startmenu.md) +- [Intellimenus](policy-csp-admx-startmenu.md) +- [NoInstrumentation](policy-csp-admx-startmenu.md) +- [StartPinAppsWhenInstalled](policy-csp-admx-startmenu.md) +- [NoSetTaskbar](policy-csp-admx-startmenu.md) +- [NoChangeStartMenu](policy-csp-admx-startmenu.md) +- [NoUninstallFromStart](policy-csp-admx-startmenu.md) +- [NoTrayContextMenu](policy-csp-admx-startmenu.md) +- [NoMoreProgramsList](policy-csp-admx-startmenu.md) +- [HidePowerOptions](policy-csp-admx-startmenu.md) +- [NoRun](policy-csp-admx-startmenu.md) + +## ADMX_SystemRestore + +- [SR_DisableConfig](policy-csp-admx-systemrestore.md) + +## ADMX_TabletPCInputPanel + +- [Prediction_1](policy-csp-admx-tabletpcinputpanel.md) +- [IPTIPTarget_1](policy-csp-admx-tabletpcinputpanel.md) +- [IPTIPTouchTarget_1](policy-csp-admx-tabletpcinputpanel.md) +- [RareChar_1](policy-csp-admx-tabletpcinputpanel.md) +- [EdgeTarget_1](policy-csp-admx-tabletpcinputpanel.md) +- [AutoComplete_1](policy-csp-admx-tabletpcinputpanel.md) +- [PasswordSecurity_1](policy-csp-admx-tabletpcinputpanel.md) +- [ScratchOut_1](policy-csp-admx-tabletpcinputpanel.md) +- [Prediction_2](policy-csp-admx-tabletpcinputpanel.md) +- [IPTIPTarget_2](policy-csp-admx-tabletpcinputpanel.md) +- [IPTIPTouchTarget_2](policy-csp-admx-tabletpcinputpanel.md) +- [RareChar_2](policy-csp-admx-tabletpcinputpanel.md) +- [EdgeTarget_2](policy-csp-admx-tabletpcinputpanel.md) +- [AutoComplete_2](policy-csp-admx-tabletpcinputpanel.md) +- [PasswordSecurity_2](policy-csp-admx-tabletpcinputpanel.md) +- [ScratchOut_2](policy-csp-admx-tabletpcinputpanel.md) + +## ADMX_TabletShell + +- [DisableInkball_1](policy-csp-admx-tabletshell.md) +- [DisableNoteWriterPrinting_1](policy-csp-admx-tabletshell.md) +- [DisableSnippingTool_1](policy-csp-admx-tabletshell.md) +- [DisableJournal_1](policy-csp-admx-tabletshell.md) +- [TurnOffFeedback_1](policy-csp-admx-tabletshell.md) +- [PreventBackEscMapping_1](policy-csp-admx-tabletshell.md) +- [PreventLaunchApp_1](policy-csp-admx-tabletshell.md) +- [PreventPressAndHold_1](policy-csp-admx-tabletshell.md) +- [TurnOffButtons_1](policy-csp-admx-tabletshell.md) +- [PreventFlicksLearningMode_1](policy-csp-admx-tabletshell.md) +- [PreventFlicks_1](policy-csp-admx-tabletshell.md) +- [DisableInkball_2](policy-csp-admx-tabletshell.md) +- [DisableNoteWriterPrinting_2](policy-csp-admx-tabletshell.md) +- [DisableSnippingTool_2](policy-csp-admx-tabletshell.md) +- [DisableJournal_2](policy-csp-admx-tabletshell.md) +- [TurnOffFeedback_2](policy-csp-admx-tabletshell.md) +- [PreventBackEscMapping_2](policy-csp-admx-tabletshell.md) +- [PreventLaunchApp_2](policy-csp-admx-tabletshell.md) +- [PreventPressAndHold_2](policy-csp-admx-tabletshell.md) +- [TurnOffButtons_2](policy-csp-admx-tabletshell.md) +- [PreventFlicksLearningMode_2](policy-csp-admx-tabletshell.md) +- [PreventFlicks_2](policy-csp-admx-tabletshell.md) + +## ADMX_Taskbar + +- [EnableLegacyBalloonNotifications](policy-csp-admx-taskbar.md) +- [NoPinningToDestinations](policy-csp-admx-taskbar.md) +- [NoPinningToTaskbar](policy-csp-admx-taskbar.md) +- [NoPinningStoreToTaskbar](policy-csp-admx-taskbar.md) +- [TaskbarNoMultimon](policy-csp-admx-taskbar.md) +- [NoRemoteDestinations](policy-csp-admx-taskbar.md) +- [TaskbarLockAll](policy-csp-admx-taskbar.md) +- [TaskbarNoAddRemoveToolbar](policy-csp-admx-taskbar.md) +- [TaskbarNoRedock](policy-csp-admx-taskbar.md) +- [TaskbarNoDragToolbar](policy-csp-admx-taskbar.md) +- [TaskbarNoResize](policy-csp-admx-taskbar.md) +- [DisableNotificationCenter](policy-csp-admx-taskbar.md) +- [TaskbarNoPinnedList](policy-csp-admx-taskbar.md) +- [HideSCAPower](policy-csp-admx-taskbar.md) +- [HideSCANetwork](policy-csp-admx-taskbar.md) +- [HideSCAHealth](policy-csp-admx-taskbar.md) +- [HideSCAVolume](policy-csp-admx-taskbar.md) +- [ShowWindowsStoreAppsOnTaskbar](policy-csp-admx-taskbar.md) +- [TaskbarNoNotification](policy-csp-admx-taskbar.md) +- [NoSystraySystemPromotion](policy-csp-admx-taskbar.md) +- [NoBalloonFeatureAdvertisements](policy-csp-admx-taskbar.md) +- [TaskbarNoThumbnail](policy-csp-admx-taskbar.md) +- [DisableNotificationCenter](policy-csp-admx-taskbar.md) +- [TaskbarNoPinnedList](policy-csp-admx-taskbar.md) + +## ADMX_tcpip + +- [6to4_Router_Name](policy-csp-admx-tcpip.md) +- [6to4_Router_Name_Resolution_Interval](policy-csp-admx-tcpip.md) +- [6to4_State](policy-csp-admx-tcpip.md) +- [IPHTTPS_ClientState](policy-csp-admx-tcpip.md) +- [ISATAP_Router_Name](policy-csp-admx-tcpip.md) +- [ISATAP_State](policy-csp-admx-tcpip.md) +- [Teredo_Client_Port](policy-csp-admx-tcpip.md) +- [Teredo_Default_Qualified](policy-csp-admx-tcpip.md) +- [Teredo_Refresh_Rate](policy-csp-admx-tcpip.md) +- [Teredo_Server_Name](policy-csp-admx-tcpip.md) +- [Teredo_State](policy-csp-admx-tcpip.md) +- [IP_Stateless_Autoconfiguration_Limits_State](policy-csp-admx-tcpip.md) +- [Windows_Scaling_Heuristics_State](policy-csp-admx-tcpip.md) + +## ADMX_TerminalServer + +- [TS_GATEWAY_POLICY_ENABLE](policy-csp-admx-terminalserver.md) +- [TS_GATEWAY_POLICY_AUTH_METHOD](policy-csp-admx-terminalserver.md) +- [TS_GATEWAY_POLICY_SERVER](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_ALLOW_UNSIGNED_FILES_1](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_ALLOW_SIGNED_FILES_1](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_DISABLE_PASSWORD_SAVING_1](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2](policy-csp-admx-terminalserver.md) +- [TS_RemoteControl_1](policy-csp-admx-terminalserver.md) +- [TS_EASY_PRINT_User](policy-csp-admx-terminalserver.md) +- [TS_START_PROGRAM_1](policy-csp-admx-terminalserver.md) +- [TS_Session_End_On_Limit_1](policy-csp-admx-terminalserver.md) +- [TS_SESSIONS_Idle_Limit_1](policy-csp-admx-terminalserver.md) +- [TS_SESSIONS_Limits_1](policy-csp-admx-terminalserver.md) +- [TS_SESSIONS_Disconnected_Timeout_1](policy-csp-admx-terminalserver.md) +- [TS_RADC_DefaultConnection](policy-csp-admx-terminalserver.md) +- [TS_LICENSE_SECGROUP](policy-csp-admx-terminalserver.md) +- [TS_PreventLicenseUpgrade](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_ALLOW_UNSIGNED_FILES_2](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_ALLOW_SIGNED_FILES_2](policy-csp-admx-terminalserver.md) +- [TS_SERVER_AUTH](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_DISABLE_HARDWARE_MODE](policy-csp-admx-terminalserver.md) +- [TS_PROMT_CREDS_CLIENT_COMP](policy-csp-admx-terminalserver.md) +- [TS_USB_REDIRECTION_DISABLE](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_TURN_OFF_UDP](policy-csp-admx-terminalserver.md) +- [TS_AUTO_RECONNECT](policy-csp-admx-terminalserver.md) +- [TS_KEEP_ALIVE](policy-csp-admx-terminalserver.md) +- [TS_FORCIBLE_LOGOFF](policy-csp-admx-terminalserver.md) +- [TS_MAX_CON_POLICY](policy-csp-admx-terminalserver.md) +- [TS_SINGLE_SESSION](policy-csp-admx-terminalserver.md) +- [TS_SELECT_NETWORK_DETECT](policy-csp-admx-terminalserver.md) +- [TS_SELECT_TRANSPORT](policy-csp-admx-terminalserver.md) +- [TS_RemoteControl_2](policy-csp-admx-terminalserver.md) +- [TS_RDSAppX_WaitForRegistration](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_AUDIO](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_AUDIO_CAPTURE](policy-csp-admx-terminalserver.md) +- [TS_TIME_ZONE](policy-csp-admx-terminalserver.md) +- [TS_UIA](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_CLIPBOARD](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_COM](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_LPT](policy-csp-admx-terminalserver.md) +- [TS_SMART_CARD](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_PNP](policy-csp-admx-terminalserver.md) +- [TS_CAMERA_REDIRECTION](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_AUDIO_QUALITY](policy-csp-admx-terminalserver.md) +- [TS_LICENSE_TOOLTIP](policy-csp-admx-terminalserver.md) +- [TS_LICENSING_MODE](policy-csp-admx-terminalserver.md) +- [TS_LICENSE_SERVERS](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_PRINTER](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_DEFAULT_M](policy-csp-admx-terminalserver.md) +- [TS_FALLBACKPRINTDRIVERTYPE](policy-csp-admx-terminalserver.md) +- [TS_EASY_PRINT](policy-csp-admx-terminalserver.md) +- [TS_DELETE_ROAMING_USER_PROFILES](policy-csp-admx-terminalserver.md) +- [TS_USER_PROFILES](policy-csp-admx-terminalserver.md) +- [TS_USER_HOME](policy-csp-admx-terminalserver.md) +- [TS_USER_MANDATORY_PROFILES](policy-csp-admx-terminalserver.md) +- [TS_SD_ClustName](policy-csp-admx-terminalserver.md) +- [TS_SD_Loc](policy-csp-admx-terminalserver.md) +- [TS_JOIN_SESSION_DIRECTORY](policy-csp-admx-terminalserver.md) +- [TS_SD_EXPOSE_ADDRESS](policy-csp-admx-terminalserver.md) +- [TS_TURNOFF_SINGLEAPP](policy-csp-admx-terminalserver.md) +- [TS_SERVER_COMPRESSOR](policy-csp-admx-terminalserver.md) +- [TS_SERVER_AVC_HW_ENCODE_PREFERRED](policy-csp-admx-terminalserver.md) +- [TS_SERVER_IMAGE_QUALITY](policy-csp-admx-terminalserver.md) +- [TS_SERVER_PROFILE](policy-csp-admx-terminalserver.md) +- [TS_SERVER_LEGACY_RFX](policy-csp-admx-terminalserver.md) +- [TS_DISABLE_REMOTE_DESKTOP_WALLPAPER](policy-csp-admx-terminalserver.md) +- [TS_COLORDEPTH](policy-csp-admx-terminalserver.md) +- [TS_MAXDISPLAYRES](policy-csp-admx-terminalserver.md) +- [TS_MAXMONITOR](policy-csp-admx-terminalserver.md) +- [TS_SERVER_AVC444_MODE_PREFERRED](policy-csp-admx-terminalserver.md) +- [TS_EnableVirtualGraphics](policy-csp-admx-terminalserver.md) +- [TS_SERVER_VISEXP](policy-csp-admx-terminalserver.md) +- [TS_RemoteDesktopVirtualGraphics](policy-csp-admx-terminalserver.md) +- [TS_NoDisconnectMenu](policy-csp-admx-terminalserver.md) +- [TS_NoSecurityMenu](policy-csp-admx-terminalserver.md) +- [TS_START_PROGRAM_2](policy-csp-admx-terminalserver.md) +- [TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP](policy-csp-admx-terminalserver.md) +- [TS_DX_USE_FULL_HWGPU](policy-csp-admx-terminalserver.md) +- [TS_SERVER_WDDM_GRAPHICS_DRIVER](policy-csp-admx-terminalserver.md) +- [TS_TSCC_PERMISSIONS_POLICY](policy-csp-admx-terminalserver.md) +- [TS_SECURITY_LAYER_POLICY](policy-csp-admx-terminalserver.md) +- [TS_USER_AUTHENTICATION_POLICY](policy-csp-admx-terminalserver.md) +- [TS_CERTIFICATE_TEMPLATE_POLICY](policy-csp-admx-terminalserver.md) +- [TS_Session_End_On_Limit_2](policy-csp-admx-terminalserver.md) +- [TS_SESSIONS_Idle_Limit_2](policy-csp-admx-terminalserver.md) +- [TS_SESSIONS_Limits_2](policy-csp-admx-terminalserver.md) +- [TS_SESSIONS_Disconnected_Timeout_2](policy-csp-admx-terminalserver.md) +- [TS_TEMP_DELETE](policy-csp-admx-terminalserver.md) +- [TS_TEMP_PER_SESSION](policy-csp-admx-terminalserver.md) + +## ADMX_Thumbnails + +- [DisableThumbsDBOnNetworkFolders](policy-csp-admx-thumbnails.md) +- [DisableThumbnailsOnNetworkFolders](policy-csp-admx-thumbnails.md) +- [DisableThumbnails](policy-csp-admx-thumbnails.md) + +## ADMX_TouchInput + +- [TouchInputOff_1](policy-csp-admx-touchinput.md) +- [PanningEverywhereOff_1](policy-csp-admx-touchinput.md) +- [TouchInputOff_2](policy-csp-admx-touchinput.md) +- [PanningEverywhereOff_2](policy-csp-admx-touchinput.md) + +## ADMX_TPM + +- [OptIntoDSHA_Name](policy-csp-admx-tpm.md) +- [OSManagedAuth_Name](policy-csp-admx-tpm.md) +- [BlockedCommandsList_Name](policy-csp-admx-tpm.md) +- [ClearTPMIfNotReady_Name](policy-csp-admx-tpm.md) +- [UseLegacyDAP_Name](policy-csp-admx-tpm.md) +- [IgnoreDefaultList_Name](policy-csp-admx-tpm.md) +- [IgnoreLocalList_Name](policy-csp-admx-tpm.md) +- [StandardUserAuthorizationFailureIndividualThreshold_Name](policy-csp-admx-tpm.md) +- [StandardUserAuthorizationFailureDuration_Name](policy-csp-admx-tpm.md) +- [StandardUserAuthorizationFailureTotalThreshold_Name](policy-csp-admx-tpm.md) + +## ADMX_UserExperienceVirtualization + +- [MicrosoftOffice2013AccessBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016AccessBackup](policy-csp-admx-userexperiencevirtualization.md) +- [Calculator](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013CommonBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016CommonBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013ExcelBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016ExcelBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013InfoPathBackup](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer10](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer11](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer8](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer9](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorerCommon](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013LyncBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016LyncBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Access](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Access](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Access](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Excel](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Excel](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Excel](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010InfoPath](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013InfoPath](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Lync](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Lync](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Lync](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Common](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Common](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013UploadCenter](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Common](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016UploadCenter](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Access2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Access2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Common2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Common2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Excel2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Excel2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365InfoPath2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Lync2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Lync2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365OneNote2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365OneNote2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Outlook2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Outlook2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365PowerPoint2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365PowerPoint2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Project2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Project2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Publisher2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Publisher2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365SharePointDesigner2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Visio2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Visio2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Word2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Word2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010OneNote](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OneNote](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OneNote](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Outlook](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Outlook](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Outlook](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010PowerPoint](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013PowerPoint](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016PowerPoint](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Project](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Project](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Project](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Publisher](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Publisher](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Publisher](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010SharePointWorkspace](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Visio](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Visio](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Visio](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Word](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Word](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Word](policy-csp-admx-userexperiencevirtualization.md) +- [Notepad](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OutlookBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OutlookBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013ProjectBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016ProjectBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013PublisherBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016PublisherBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013SharePointDesignerBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013VisioBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016VisioBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013WordBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016WordBackup](policy-csp-admx-userexperiencevirtualization.md) +- [Wordpad](policy-csp-admx-userexperiencevirtualization.md) +- [ConfigureSyncMethod](policy-csp-admx-userexperiencevirtualization.md) +- [DisableWin8Sync](policy-csp-admx-userexperiencevirtualization.md) +- [SyncProviderPingEnabled](policy-csp-admx-userexperiencevirtualization.md) +- [MaxPackageSizeInBytes](policy-csp-admx-userexperiencevirtualization.md) +- [SettingsStoragePath](policy-csp-admx-userexperiencevirtualization.md) +- [SyncOverMeteredNetwork](policy-csp-admx-userexperiencevirtualization.md) +- [SyncOverMeteredNetworkWhenRoaming](policy-csp-admx-userexperiencevirtualization.md) +- [RepositoryTimeout](policy-csp-admx-userexperiencevirtualization.md) +- [DisableWindowsOSSettings](policy-csp-admx-userexperiencevirtualization.md) +- [SyncEnabled](policy-csp-admx-userexperiencevirtualization.md) +- [ConfigureVdi](policy-csp-admx-userexperiencevirtualization.md) +- [Finance](policy-csp-admx-userexperiencevirtualization.md) +- [Games](policy-csp-admx-userexperiencevirtualization.md) +- [Maps](policy-csp-admx-userexperiencevirtualization.md) +- [Music](policy-csp-admx-userexperiencevirtualization.md) +- [News](policy-csp-admx-userexperiencevirtualization.md) +- [Reader](policy-csp-admx-userexperiencevirtualization.md) +- [Sports](policy-csp-admx-userexperiencevirtualization.md) +- [Travel](policy-csp-admx-userexperiencevirtualization.md) +- [Video](policy-csp-admx-userexperiencevirtualization.md) +- [Weather](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013AccessBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016AccessBackup](policy-csp-admx-userexperiencevirtualization.md) +- [Calculator](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013CommonBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016CommonBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013ExcelBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016ExcelBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013InfoPathBackup](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer10](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer11](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer8](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer9](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorerCommon](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013LyncBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016LyncBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Access](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Access](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Access](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Excel](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Excel](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Excel](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010InfoPath](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013InfoPath](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Lync](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Lync](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Lync](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Common](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Common](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013UploadCenter](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Common](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016UploadCenter](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Access2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Access2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Common2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Common2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Excel2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Excel2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365InfoPath2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Lync2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Lync2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365OneNote2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365OneNote2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Outlook2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Outlook2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365PowerPoint2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365PowerPoint2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Project2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Project2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Publisher2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Publisher2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365SharePointDesigner2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Visio2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Visio2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Word2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Word2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010OneNote](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OneNote](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OneNote](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Outlook](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Outlook](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Outlook](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010PowerPoint](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013PowerPoint](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016PowerPoint](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Project](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Project](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Project](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Publisher](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Publisher](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Publisher](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010SharePointWorkspace](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Visio](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Visio](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Visio](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Word](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Word](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Word](policy-csp-admx-userexperiencevirtualization.md) +- [Notepad](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OutlookBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OutlookBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013ProjectBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016ProjectBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013PublisherBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016PublisherBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013SharePointDesignerBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013VisioBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016VisioBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013WordBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016WordBackup](policy-csp-admx-userexperiencevirtualization.md) +- [Wordpad](policy-csp-admx-userexperiencevirtualization.md) +- [ConfigureSyncMethod](policy-csp-admx-userexperiencevirtualization.md) +- [ContactITDescription](policy-csp-admx-userexperiencevirtualization.md) +- [ContactITUrl](policy-csp-admx-userexperiencevirtualization.md) +- [DisableWin8Sync](policy-csp-admx-userexperiencevirtualization.md) +- [EnableUEV](policy-csp-admx-userexperiencevirtualization.md) +- [FirstUseNotificationEnabled](policy-csp-admx-userexperiencevirtualization.md) +- [SyncProviderPingEnabled](policy-csp-admx-userexperiencevirtualization.md) +- [MaxPackageSizeInBytes](policy-csp-admx-userexperiencevirtualization.md) +- [SettingsStoragePath](policy-csp-admx-userexperiencevirtualization.md) +- [SettingsTemplateCatalogPath](policy-csp-admx-userexperiencevirtualization.md) +- [SyncOverMeteredNetwork](policy-csp-admx-userexperiencevirtualization.md) +- [SyncOverMeteredNetworkWhenRoaming](policy-csp-admx-userexperiencevirtualization.md) +- [SyncUnlistedWindows8Apps](policy-csp-admx-userexperiencevirtualization.md) +- [RepositoryTimeout](policy-csp-admx-userexperiencevirtualization.md) +- [DisableWindowsOSSettings](policy-csp-admx-userexperiencevirtualization.md) +- [TrayIconEnabled](policy-csp-admx-userexperiencevirtualization.md) +- [SyncEnabled](policy-csp-admx-userexperiencevirtualization.md) +- [ConfigureVdi](policy-csp-admx-userexperiencevirtualization.md) +- [Finance](policy-csp-admx-userexperiencevirtualization.md) +- [Games](policy-csp-admx-userexperiencevirtualization.md) +- [Maps](policy-csp-admx-userexperiencevirtualization.md) +- [Music](policy-csp-admx-userexperiencevirtualization.md) +- [News](policy-csp-admx-userexperiencevirtualization.md) +- [Reader](policy-csp-admx-userexperiencevirtualization.md) +- [Sports](policy-csp-admx-userexperiencevirtualization.md) +- [Travel](policy-csp-admx-userexperiencevirtualization.md) +- [Video](policy-csp-admx-userexperiencevirtualization.md) +- [Weather](policy-csp-admx-userexperiencevirtualization.md) + +## ADMX_UserProfiles + +- [LimitSize](policy-csp-admx-userprofiles.md) +- [SlowLinkTimeOut](policy-csp-admx-userprofiles.md) +- [CleanupProfiles](policy-csp-admx-userprofiles.md) +- [DontForceUnloadHive](policy-csp-admx-userprofiles.md) +- [ProfileErrorAction](policy-csp-admx-userprofiles.md) +- [LeaveAppMgmtData](policy-csp-admx-userprofiles.md) +- [USER_HOME](policy-csp-admx-userprofiles.md) +- [UserInfoAccessAction](policy-csp-admx-userprofiles.md) + +## ADMX_W32Time + +- [W32TIME_POLICY_CONFIG](policy-csp-admx-w32time.md) +- [W32TIME_POLICY_CONFIGURE_NTPCLIENT](policy-csp-admx-w32time.md) +- [W32TIME_POLICY_ENABLE_NTPCLIENT](policy-csp-admx-w32time.md) +- [W32TIME_POLICY_ENABLE_NTPSERVER](policy-csp-admx-w32time.md) + +## ADMX_WCM + +- [WCM_DisablePowerManagement](policy-csp-admx-wcm.md) +- [WCM_EnableSoftDisconnect](policy-csp-admx-wcm.md) +- [WCM_MinimizeConnections](policy-csp-admx-wcm.md) + +## ADMX_WDI + +- [WdiDpsScenarioExecutionPolicy](policy-csp-admx-wdi.md) +- [WdiDpsScenarioDataSizeLimitPolicy](policy-csp-admx-wdi.md) + +## ADMX_WinCal + +- [TurnOffWinCal_1](policy-csp-admx-wincal.md) +- [TurnOffWinCal_2](policy-csp-admx-wincal.md) + +## ADMX_WindowsColorSystem + +- [ProhibitChangingInstalledProfileList_1](policy-csp-admx-windowscolorsystem.md) +- [ProhibitChangingInstalledProfileList_2](policy-csp-admx-windowscolorsystem.md) + +## ADMX_WindowsConnectNow + +- [WCN_DisableWcnUi_1](policy-csp-admx-windowsconnectnow.md) +- [WCN_EnableRegistrar](policy-csp-admx-windowsconnectnow.md) +- [WCN_DisableWcnUi_2](policy-csp-admx-windowsconnectnow.md) + +## ADMX_WindowsExplorer + +- [EnforceShellExtensionSecurity](policy-csp-admx-windowsexplorer.md) +- [NoBackButton](policy-csp-admx-windowsexplorer.md) +- [NoPlacesBar](policy-csp-admx-windowsexplorer.md) +- [NoFileMRU](policy-csp-admx-windowsexplorer.md) +- [PlacesBar](policy-csp-admx-windowsexplorer.md) +- [DisableBindDirectlyToPropertySetStorage](policy-csp-admx-windowsexplorer.md) +- [DisableKnownFolders](policy-csp-admx-windowsexplorer.md) +- [ConfirmFileDelete](policy-csp-admx-windowsexplorer.md) +- [NoFolderOptions](policy-csp-admx-windowsexplorer.md) +- [NoRecycleFiles](policy-csp-admx-windowsexplorer.md) +- [NoRunAsInstallPrompt](policy-csp-admx-windowsexplorer.md) +- [LinkResolveIgnoreLinkInfo](policy-csp-admx-windowsexplorer.md) +- [NoDrives](policy-csp-admx-windowsexplorer.md) +- [NoManageMyComputerVerb](policy-csp-admx-windowsexplorer.md) +- [DefaultLibrariesLocation](policy-csp-admx-windowsexplorer.md) +- [RecycleBinSize](policy-csp-admx-windowsexplorer.md) +- [MaxRecentDocs](policy-csp-admx-windowsexplorer.md) +- [NoWorkgroupContents](policy-csp-admx-windowsexplorer.md) +- [NoEntireNetwork](policy-csp-admx-windowsexplorer.md) +- [TryHarderPinnedOpenSearch](policy-csp-admx-windowsexplorer.md) +- [TryHarderPinnedLibrary](policy-csp-admx-windowsexplorer.md) +- [NoViewOnDrive](policy-csp-admx-windowsexplorer.md) +- [NoNetConnectDisconnect](policy-csp-admx-windowsexplorer.md) +- [NoCDBurning](policy-csp-admx-windowsexplorer.md) +- [NoDFSTab](policy-csp-admx-windowsexplorer.md) +- [NoViewContextMenu](policy-csp-admx-windowsexplorer.md) +- [NoFileMenu](policy-csp-admx-windowsexplorer.md) +- [NoHardwareTab](policy-csp-admx-windowsexplorer.md) +- [NoShellSearchButton](policy-csp-admx-windowsexplorer.md) +- [NoSecurityTab](policy-csp-admx-windowsexplorer.md) +- [NoMyComputerSharedDocuments](policy-csp-admx-windowsexplorer.md) +- [NoSearchInternetTryHarderButton](policy-csp-admx-windowsexplorer.md) +- [NoChangeKeyboardNavigationIndicators](policy-csp-admx-windowsexplorer.md) +- [NoChangeAnimation](policy-csp-admx-windowsexplorer.md) +- [PromptRunasInstallNetPath](policy-csp-admx-windowsexplorer.md) +- [ExplorerRibbonStartsMinimized](policy-csp-admx-windowsexplorer.md) +- [NoCacheThumbNailPictures](policy-csp-admx-windowsexplorer.md) +- [DisableSearchBoxSuggestions](policy-csp-admx-windowsexplorer.md) +- [NoStrCmpLogical](policy-csp-admx-windowsexplorer.md) +- [ShellProtocolProtectedModeTitle_1](policy-csp-admx-windowsexplorer.md) +- [HideContentViewModeSnippets](policy-csp-admx-windowsexplorer.md) +- [NoWindowsHotKeys](policy-csp-admx-windowsexplorer.md) +- [DisableIndexedLibraryExperience](policy-csp-admx-windowsexplorer.md) +- [ClassicShell](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Internet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Internet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Intranet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Intranet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_LocalMachine](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_LocalMachine](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_InternetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_InternetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_IntranetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_IntranetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_RestrictedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_RestrictedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_TrustedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_TrustedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Restricted](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Restricted](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Trusted](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md) +- [EnableShellShortcutIconRemotePath](policy-csp-admx-windowsexplorer.md) +- [EnableSmartScreen](policy-csp-admx-windowsexplorer.md) +- [DisableBindDirectlyToPropertySetStorage](policy-csp-admx-windowsexplorer.md) +- [NoNewAppAlert](policy-csp-admx-windowsexplorer.md) +- [DefaultLibrariesLocation](policy-csp-admx-windowsexplorer.md) +- [ShowHibernateOption](policy-csp-admx-windowsexplorer.md) +- [ShowSleepOption](policy-csp-admx-windowsexplorer.md) +- [ExplorerRibbonStartsMinimized](policy-csp-admx-windowsexplorer.md) +- [NoStrCmpLogical](policy-csp-admx-windowsexplorer.md) +- [ShellProtocolProtectedModeTitle_2](policy-csp-admx-windowsexplorer.md) +- [CheckSameSourceAndTargetForFRAndDFS](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Internet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Internet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Intranet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Intranet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_LocalMachine](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_LocalMachine](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_InternetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_InternetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_IntranetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_IntranetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_RestrictedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_RestrictedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_TrustedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_TrustedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Restricted](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Restricted](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Trusted](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md) + +## ADMX_WindowsMediaDRM + +- [DisableOnline](policy-csp-admx-windowsmediadrm.md) + +## ADMX_WindowsMediaPlayer + +- [ConfigureHTTPProxySettings](policy-csp-admx-windowsmediaplayer.md) +- [ConfigureMMSProxySettings](policy-csp-admx-windowsmediaplayer.md) +- [NetworkBuffering](policy-csp-admx-windowsmediaplayer.md) +- [ConfigureRTSPProxySettings](policy-csp-admx-windowsmediaplayer.md) +- [DisableNetworkSettings](policy-csp-admx-windowsmediaplayer.md) +- [WindowsStreamingMediaProtocols](policy-csp-admx-windowsmediaplayer.md) +- [EnableScreenSaver](policy-csp-admx-windowsmediaplayer.md) +- [PolicyCodecUpdate](policy-csp-admx-windowsmediaplayer.md) +- [PreventCDDVDMetadataRetrieval](policy-csp-admx-windowsmediaplayer.md) +- [PreventMusicFileMetadataRetrieval](policy-csp-admx-windowsmediaplayer.md) +- [PreventRadioPresetsRetrieval](policy-csp-admx-windowsmediaplayer.md) +- [DoNotShowAnchor](policy-csp-admx-windowsmediaplayer.md) +- [HidePrivacyTab](policy-csp-admx-windowsmediaplayer.md) +- [HideSecurityTab](policy-csp-admx-windowsmediaplayer.md) +- [SkinLockDown](policy-csp-admx-windowsmediaplayer.md) +- [DisableSetupFirstUseConfiguration](policy-csp-admx-windowsmediaplayer.md) +- [DisableAutoUpdate](policy-csp-admx-windowsmediaplayer.md) +- [PreventWMPDeskTopShortcut](policy-csp-admx-windowsmediaplayer.md) +- [PreventLibrarySharing](policy-csp-admx-windowsmediaplayer.md) +- [PreventQuickLaunchShortcut](policy-csp-admx-windowsmediaplayer.md) +- [DontUseFrameInterpolation](policy-csp-admx-windowsmediaplayer.md) + +## ADMX_WindowsRemoteManagement + +- [DisallowKerberos_2](policy-csp-admx-windowsremotemanagement.md) +- [DisallowKerberos_1](policy-csp-admx-windowsremotemanagement.md) + +## ADMX_WindowsStore + +- [DisableOSUpgrade_1](policy-csp-admx-windowsstore.md) +- [RemoveWindowsStore_1](policy-csp-admx-windowsstore.md) +- [DisableAutoDownloadWin8](policy-csp-admx-windowsstore.md) +- [DisableOSUpgrade_2](policy-csp-admx-windowsstore.md) +- [RemoveWindowsStore_2](policy-csp-admx-windowsstore.md) + +## ADMX_WinInit + +- [Hiberboot](policy-csp-admx-wininit.md) +- [ShutdownTimeoutHungSessionsDescription](policy-csp-admx-wininit.md) +- [DisableNamedPipeShutdownPolicyDescription](policy-csp-admx-wininit.md) + +## ADMX_WinLogon + +- [CustomShell](policy-csp-admx-winlogon.md) +- [LogonHoursNotificationPolicyDescription](policy-csp-admx-winlogon.md) +- [ReportCachedLogonPolicyDescription](policy-csp-admx-winlogon.md) +- [LogonHoursPolicyDescription](policy-csp-admx-winlogon.md) +- [SoftwareSASGeneration](policy-csp-admx-winlogon.md) +- [DisplayLastLogonInfoDescription](policy-csp-admx-winlogon.md) +- [ReportCachedLogonPolicyDescription](policy-csp-admx-winlogon.md) + +## ADMX_Winsrv + +- [AllowBlockingAppsAtShutdown](policy-csp-admx-winsrv.md) + +## ADMX_wlansvc + +- [SetPINPreferred](policy-csp-admx-wlansvc.md) +- [SetPINEnforced](policy-csp-admx-wlansvc.md) +- [SetCost](policy-csp-admx-wlansvc.md) + +## ADMX_WordWheel + +- [CustomSearch](policy-csp-admx-wordwheel.md) + +## ADMX_WorkFoldersClient + +- [Pol_UserEnableTokenBroker](policy-csp-admx-workfoldersclient.md) +- [Pol_UserEnableWorkFolders](policy-csp-admx-workfoldersclient.md) +- [Pol_MachineEnableWorkFolders](policy-csp-admx-workfoldersclient.md) + +## ADMX_WPN + +- [QuietHoursDailyBeginMinute](policy-csp-admx-wpn.md) +- [QuietHoursDailyEndMinute](policy-csp-admx-wpn.md) +- [NoCallsDuringQuietHours](policy-csp-admx-wpn.md) +- [NoQuietHours](policy-csp-admx-wpn.md) +- [NoToastNotification](policy-csp-admx-wpn.md) +- [NoLockScreenToastNotification](policy-csp-admx-wpn.md) +- [NoToastNotification](policy-csp-admx-wpn.md) + +## AppRuntime + +- [AllowMicrosoftAccountsToBeOptional](policy-csp-appruntime.md) + +## AppVirtualization + +- [AllowAppVClient](policy-csp-appvirtualization.md) +- [ClientCoexistenceAllowMigrationmode](policy-csp-appvirtualization.md) +- [IntegrationAllowRootUser](policy-csp-appvirtualization.md) +- [IntegrationAllowRootGlobal](policy-csp-appvirtualization.md) +- [AllowRoamingFileExclusions](policy-csp-appvirtualization.md) +- [AllowRoamingRegistryExclusions](policy-csp-appvirtualization.md) +- [AllowPackageCleanup](policy-csp-appvirtualization.md) +- [AllowPublishingRefreshUX](policy-csp-appvirtualization.md) +- [PublishingAllowServer1](policy-csp-appvirtualization.md) +- [PublishingAllowServer2](policy-csp-appvirtualization.md) +- [PublishingAllowServer3](policy-csp-appvirtualization.md) +- [PublishingAllowServer4](policy-csp-appvirtualization.md) +- [PublishingAllowServer5](policy-csp-appvirtualization.md) +- [AllowReportingServer](policy-csp-appvirtualization.md) +- [AllowPackageScripts](policy-csp-appvirtualization.md) +- [StreamingAllowHighCostLaunch](policy-csp-appvirtualization.md) +- [StreamingAllowCertificateFilterForClient_SSL](policy-csp-appvirtualization.md) +- [StreamingSupportBranchCache](policy-csp-appvirtualization.md) +- [StreamingAllowLocationProvider](policy-csp-appvirtualization.md) +- [StreamingAllowPackageInstallationRoot](policy-csp-appvirtualization.md) +- [StreamingAllowPackageSourceRoot](policy-csp-appvirtualization.md) +- [StreamingAllowReestablishmentInterval](policy-csp-appvirtualization.md) +- [StreamingAllowReestablishmentRetries](policy-csp-appvirtualization.md) +- [StreamingSharedContentStoreMode](policy-csp-appvirtualization.md) +- [AllowStreamingAutoload](policy-csp-appvirtualization.md) +- [StreamingVerifyCertificateRevocationList](policy-csp-appvirtualization.md) +- [AllowDynamicVirtualization](policy-csp-appvirtualization.md) +- [VirtualComponentsAllowList](policy-csp-appvirtualization.md) + +## AttachmentManager + +- [DoNotPreserveZoneInformation](policy-csp-attachmentmanager.md) +- [HideZoneInfoMechanism](policy-csp-attachmentmanager.md) +- [NotifyAntivirusPrograms](policy-csp-attachmentmanager.md) + +## Autoplay + +- [DisallowAutoplayForNonVolumeDevices](policy-csp-autoplay.md) +- [SetDefaultAutoRunBehavior](policy-csp-autoplay.md) +- [TurnOffAutoPlay](policy-csp-autoplay.md) +- [DisallowAutoplayForNonVolumeDevices](policy-csp-autoplay.md) +- [SetDefaultAutoRunBehavior](policy-csp-autoplay.md) +- [TurnOffAutoPlay](policy-csp-autoplay.md) + +## Cellular + +- [ShowAppCellularAccessUI](policy-csp-cellular.md) + +## Connectivity + +- [HardenedUNCPaths](policy-csp-connectivity.md) +- [ProhibitInstallationAndConfigurationOfNetworkBridge](policy-csp-connectivity.md) +- [DisableDownloadingOfPrintDriversOverHTTP](policy-csp-connectivity.md) +- [DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](policy-csp-connectivity.md) +- [DiablePrintingOverHTTP](policy-csp-connectivity.md) + +## CredentialProviders + +- [BlockPicturePassword](policy-csp-credentialproviders.md) +- [AllowPINLogon](policy-csp-credentialproviders.md) + +## CredentialsDelegation + +- [RemoteHostAllowsDelegationOfNonExportableCredentials](policy-csp-credentialsdelegation.md) + +## CredentialsUI + +- [DisablePasswordReveal](policy-csp-credentialsui.md) +- [DisablePasswordReveal](policy-csp-credentialsui.md) +- [EnumerateAdministrators](policy-csp-credentialsui.md) + +## DataUsage + +- [SetCost3G](policy-csp-datausage.md) +- [SetCost4G](policy-csp-datausage.md) + +## DeliveryOptimization + +- [DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md) +- [DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md) + +## Desktop + +- [PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md) + +## DesktopAppInstaller + +- [EnableAppInstaller](policy-csp-desktopappinstaller.md) +- [EnableSettings](policy-csp-desktopappinstaller.md) +- [EnableExperimentalFeatures](policy-csp-desktopappinstaller.md) +- [EnableLocalManifestFiles](policy-csp-desktopappinstaller.md) +- [EnableHashOverride](policy-csp-desktopappinstaller.md) +- [EnableDefaultSource](policy-csp-desktopappinstaller.md) +- [EnableMicrosoftStoreSource](policy-csp-desktopappinstaller.md) +- [SourceAutoUpdateInterval](policy-csp-desktopappinstaller.md) +- [EnableAdditionalSources](policy-csp-desktopappinstaller.md) +- [EnableAllowedSources](policy-csp-desktopappinstaller.md) +- [EnableMSAppInstallerProtocol](policy-csp-desktopappinstaller.md) + +## DeviceInstallation + +- [PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) +- [PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) +- [PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) +- [PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md) +- [EnableInstallationPolicyLayering](policy-csp-deviceinstallation.md) +- [AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) +- [AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) +- [AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) +- [PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md) + +## DeviceLock + +- [PreventLockScreenSlideShow](policy-csp-devicelock.md) +- [PreventEnablingLockScreenCamera](policy-csp-devicelock.md) + +## ErrorReporting + +- [DisableWindowsErrorReporting](policy-csp-errorreporting.md) +- [DisplayErrorNotification](policy-csp-errorreporting.md) +- [DoNotSendAdditionalData](policy-csp-errorreporting.md) +- [PreventCriticalErrorDisplay](policy-csp-errorreporting.md) +- [CustomizeConsentSettings](policy-csp-errorreporting.md) + +## EventLogService + +- [ControlEventLogBehavior](policy-csp-eventlogservice.md) +- [SpecifyMaximumFileSizeApplicationLog](policy-csp-eventlogservice.md) +- [SpecifyMaximumFileSizeSecurityLog](policy-csp-eventlogservice.md) +- [SpecifyMaximumFileSizeSystemLog](policy-csp-eventlogservice.md) + +## FileExplorer + +- [TurnOffDataExecutionPreventionForExplorer](policy-csp-fileexplorer.md) +- [TurnOffHeapTerminationOnCorruption](policy-csp-fileexplorer.md) + +## InternetExplorer + +- [AddSearchProvider](policy-csp-internetexplorer.md) +- [DisableSecondaryHomePageChange](policy-csp-internetexplorer.md) +- [DisableProxyChange](policy-csp-internetexplorer.md) +- [DisableSearchProviderChange](policy-csp-internetexplorer.md) +- [DisableCustomerExperienceImprovementProgramParticipation](policy-csp-internetexplorer.md) +- [AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md) +- [AllowSuggestedSites](policy-csp-internetexplorer.md) +- [DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md) +- [DisableCompatView](policy-csp-internetexplorer.md) +- [DisableFeedsBackgroundSync](policy-csp-internetexplorer.md) +- [DisableFirstRunWizard](policy-csp-internetexplorer.md) +- [DisableFlipAheadFeature](policy-csp-internetexplorer.md) +- [DisableGeolocation](policy-csp-internetexplorer.md) +- [DisableHomePageChange](policy-csp-internetexplorer.md) +- [DisableWebAddressAutoComplete](policy-csp-internetexplorer.md) +- [NewTabDefaultPage](policy-csp-internetexplorer.md) +- [PreventManagingSmartScreenFilter](policy-csp-internetexplorer.md) +- [SearchProviderList](policy-csp-internetexplorer.md) +- [AllowActiveXFiltering](policy-csp-internetexplorer.md) +- [AllowEnterpriseModeSiteList](policy-csp-internetexplorer.md) +- [SendSitesNotInEnterpriseSiteListToEdge](policy-csp-internetexplorer.md) +- [ConfigureEdgeRedirectChannel](policy-csp-internetexplorer.md) +- [KeepIntranetSitesInInternetExplorer](policy-csp-internetexplorer.md) +- [AllowSaveTargetAsInIEMode](policy-csp-internetexplorer.md) +- [DisableInternetExplorerApp](policy-csp-internetexplorer.md) +- [EnableExtendedIEModeHotkeys](policy-csp-internetexplorer.md) +- [ResetZoomForDialogInIEMode](policy-csp-internetexplorer.md) +- [EnableGlobalWindowListInIEMode](policy-csp-internetexplorer.md) +- [JScriptReplacement](policy-csp-internetexplorer.md) +- [AllowInternetExplorerStandardsMode](policy-csp-internetexplorer.md) +- [AllowInternetExplorer7PolicyList](policy-csp-internetexplorer.md) +- [DisableEncryptionSupport](policy-csp-internetexplorer.md) +- [AllowEnhancedProtectedMode](policy-csp-internetexplorer.md) +- [AllowInternetZoneTemplate](policy-csp-internetexplorer.md) +- [IncludeAllLocalSites](policy-csp-internetexplorer.md) +- [IncludeAllNetworkPaths](policy-csp-internetexplorer.md) +- [AllowIntranetZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLocalMachineZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownInternetZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownIntranetZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownLocalMachineZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [AllowsLockedDownTrustedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [AllowsRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [AllowSiteToZoneAssignmentList](policy-csp-internetexplorer.md) +- [AllowTrustedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [InternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [IntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [InternetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [IntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [InternetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [IntranetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [InternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [IntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [IntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [InternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [IntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [TrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [IntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [TrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [InternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [IntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [InternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [IntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [InternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [IntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [InternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [IntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [AllowAddOnList](policy-csp-internetexplorer.md) +- [DoNotBlockOutdatedActiveXControls](policy-csp-internetexplorer.md) +- [DoNotBlockOutdatedActiveXControlsOnSpecificDomains](policy-csp-internetexplorer.md) +- [DisableEnclosureDownloading](policy-csp-internetexplorer.md) +- [DisableBypassOfSmartScreenWarnings](policy-csp-internetexplorer.md) +- [DisableBypassOfSmartScreenWarningsAboutUncommonFiles](policy-csp-internetexplorer.md) +- [AllowOneWordEntry](policy-csp-internetexplorer.md) +- [AllowEnterpriseModeFromToolsMenu](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowActiveScripting](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowBinaryAndScriptBehaviors](policy-csp-internetexplorer.md) +- [InternetZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md) +- [AllowDeletingBrowsingHistoryOnExit](policy-csp-internetexplorer.md) +- [InternetZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowFileDownloads](policy-csp-internetexplorer.md) +- [InternetZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowMETAREFRESH](policy-csp-internetexplorer.md) +- [InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md) +- [InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md) +- [InternetZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md) +- [AllowSoftwareWhenSignatureIsInvalid](policy-csp-internetexplorer.md) +- [InternetZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md) +- [CheckServerCertificateRevocation](policy-csp-internetexplorer.md) +- [CheckSignaturesOnDownloadedPrograms](policy-csp-internetexplorer.md) +- [DisableConfiguringHistory](policy-csp-internetexplorer.md) +- [DoNotAllowActiveXControlsInProtectedMode](policy-csp-internetexplorer.md) +- [InternetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md) +- [InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md) +- [InternetZoneEnableMIMESniffing](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableMIMESniffing](policy-csp-internetexplorer.md) +- [InternetZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md) +- [ConsistentMimeHandlingInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [MimeSniffingSafetyFeatureInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [MKProtocolSecurityRestrictionInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [NotificationBarInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [ProtectionFromZoneElevationInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [RestrictActiveXInstallInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [RestrictFileDownloadInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [InternetZoneJavaPermissions](policy-csp-internetexplorer.md) +- [IntranetZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [TrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [InternetZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md) +- [InternetZoneLogonOptions](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneLogonOptions](policy-csp-internetexplorer.md) +- [DisableDeletingUserVisitedWebsites](policy-csp-internetexplorer.md) +- [DisableIgnoringCertificateErrors](policy-csp-internetexplorer.md) +- [PreventPerUserInstallationOfActiveXControls](policy-csp-internetexplorer.md) +- [RemoveRunThisTimeButtonForOutdatedActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneRunActiveXControlsAndPlugins](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneScriptingOfJavaApplets](policy-csp-internetexplorer.md) +- [InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md) +- [SpecifyUseOfActiveXInstallerService](policy-csp-internetexplorer.md) +- [DisableCrashDetection](policy-csp-internetexplorer.md) +- [DisableInPrivateBrowsing](policy-csp-internetexplorer.md) +- [DisableSecuritySettingsCheck](policy-csp-internetexplorer.md) +- [DisableProcessesInEnhancedProtectedMode](policy-csp-internetexplorer.md) +- [AllowCertificateAddressMismatchWarning](policy-csp-internetexplorer.md) +- [InternetZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md) +- [InternetZoneEnableProtectedMode](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneTurnOnProtectedMode](policy-csp-internetexplorer.md) +- [AllowAutoComplete](policy-csp-internetexplorer.md) +- [InternetZoneUsePopupBlocker](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneUsePopupBlocker](policy-csp-internetexplorer.md) +- [InternetZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md) +- [LockedDownIntranetJavaPermissions](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md) +- [DisableHTMLApplication](policy-csp-internetexplorer.md) +- [AddSearchProvider](policy-csp-internetexplorer.md) +- [DisableSecondaryHomePageChange](policy-csp-internetexplorer.md) +- [DisableUpdateCheck](policy-csp-internetexplorer.md) +- [DisableProxyChange](policy-csp-internetexplorer.md) +- [DisableSearchProviderChange](policy-csp-internetexplorer.md) +- [DisableCustomerExperienceImprovementProgramParticipation](policy-csp-internetexplorer.md) +- [AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md) +- [AllowSuggestedSites](policy-csp-internetexplorer.md) +- [DisableCompatView](policy-csp-internetexplorer.md) +- [DisableFeedsBackgroundSync](policy-csp-internetexplorer.md) +- [DisableFirstRunWizard](policy-csp-internetexplorer.md) +- [DisableFlipAheadFeature](policy-csp-internetexplorer.md) +- [DisableGeolocation](policy-csp-internetexplorer.md) +- [DisableWebAddressAutoComplete](policy-csp-internetexplorer.md) +- [NewTabDefaultPage](policy-csp-internetexplorer.md) +- [PreventManagingSmartScreenFilter](policy-csp-internetexplorer.md) +- [SearchProviderList](policy-csp-internetexplorer.md) +- [DoNotAllowUsersToAddSites](policy-csp-internetexplorer.md) +- [DoNotAllowUsersToChangePolicies](policy-csp-internetexplorer.md) +- [AllowActiveXFiltering](policy-csp-internetexplorer.md) +- [AllowEnterpriseModeSiteList](policy-csp-internetexplorer.md) +- [SendSitesNotInEnterpriseSiteListToEdge](policy-csp-internetexplorer.md) +- [ConfigureEdgeRedirectChannel](policy-csp-internetexplorer.md) +- [KeepIntranetSitesInInternetExplorer](policy-csp-internetexplorer.md) +- [AllowSaveTargetAsInIEMode](policy-csp-internetexplorer.md) +- [DisableInternetExplorerApp](policy-csp-internetexplorer.md) +- [EnableExtendedIEModeHotkeys](policy-csp-internetexplorer.md) +- [ResetZoomForDialogInIEMode](policy-csp-internetexplorer.md) +- [EnableGlobalWindowListInIEMode](policy-csp-internetexplorer.md) +- [JScriptReplacement](policy-csp-internetexplorer.md) +- [AllowInternetExplorerStandardsMode](policy-csp-internetexplorer.md) +- [AllowInternetExplorer7PolicyList](policy-csp-internetexplorer.md) +- [DisableEncryptionSupport](policy-csp-internetexplorer.md) +- [AllowEnhancedProtectedMode](policy-csp-internetexplorer.md) +- [AllowInternetZoneTemplate](policy-csp-internetexplorer.md) +- [IncludeAllLocalSites](policy-csp-internetexplorer.md) +- [IncludeAllNetworkPaths](policy-csp-internetexplorer.md) +- [AllowIntranetZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLocalMachineZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownInternetZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownIntranetZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownLocalMachineZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [AllowsLockedDownTrustedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [AllowsRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [AllowSiteToZoneAssignmentList](policy-csp-internetexplorer.md) +- [AllowTrustedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [InternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [IntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [InternetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [IntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [InternetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [IntranetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [InternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [IntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [IntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [InternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [IntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [TrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [IntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [TrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [InternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [IntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [InternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [IntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [InternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [IntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [InternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [IntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [AllowAddOnList](policy-csp-internetexplorer.md) +- [DoNotBlockOutdatedActiveXControls](policy-csp-internetexplorer.md) +- [DoNotBlockOutdatedActiveXControlsOnSpecificDomains](policy-csp-internetexplorer.md) +- [DisableEnclosureDownloading](policy-csp-internetexplorer.md) +- [DisableBypassOfSmartScreenWarnings](policy-csp-internetexplorer.md) +- [DisableBypassOfSmartScreenWarningsAboutUncommonFiles](policy-csp-internetexplorer.md) +- [AllowOneWordEntry](policy-csp-internetexplorer.md) +- [AllowEnterpriseModeFromToolsMenu](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowActiveScripting](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowBinaryAndScriptBehaviors](policy-csp-internetexplorer.md) +- [InternetZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md) +- [AllowDeletingBrowsingHistoryOnExit](policy-csp-internetexplorer.md) +- [InternetZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md) +- [AllowFallbackToSSL3](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowFileDownloads](policy-csp-internetexplorer.md) +- [InternetZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowMETAREFRESH](policy-csp-internetexplorer.md) +- [InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md) +- [InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md) +- [InternetZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md) +- [AllowSoftwareWhenSignatureIsInvalid](policy-csp-internetexplorer.md) +- [InternetZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md) +- [CheckServerCertificateRevocation](policy-csp-internetexplorer.md) +- [CheckSignaturesOnDownloadedPrograms](policy-csp-internetexplorer.md) +- [DisableConfiguringHistory](policy-csp-internetexplorer.md) +- [DoNotAllowActiveXControlsInProtectedMode](policy-csp-internetexplorer.md) +- [InternetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md) +- [InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md) +- [InternetZoneEnableMIMESniffing](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableMIMESniffing](policy-csp-internetexplorer.md) +- [InternetZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md) +- [ConsistentMimeHandlingInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [MimeSniffingSafetyFeatureInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [MKProtocolSecurityRestrictionInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [NotificationBarInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [ProtectionFromZoneElevationInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [RestrictActiveXInstallInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [RestrictFileDownloadInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [InternetZoneJavaPermissions](policy-csp-internetexplorer.md) +- [IntranetZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [TrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [InternetZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md) +- [InternetZoneLogonOptions](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneLogonOptions](policy-csp-internetexplorer.md) +- [DisableDeletingUserVisitedWebsites](policy-csp-internetexplorer.md) +- [DisableIgnoringCertificateErrors](policy-csp-internetexplorer.md) +- [PreventPerUserInstallationOfActiveXControls](policy-csp-internetexplorer.md) +- [RemoveRunThisTimeButtonForOutdatedActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneRunActiveXControlsAndPlugins](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneScriptingOfJavaApplets](policy-csp-internetexplorer.md) +- [SecurityZonesUseOnlyMachineSettings](policy-csp-internetexplorer.md) +- [InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md) +- [SpecifyUseOfActiveXInstallerService](policy-csp-internetexplorer.md) +- [DisableCrashDetection](policy-csp-internetexplorer.md) +- [DisableInPrivateBrowsing](policy-csp-internetexplorer.md) +- [DisableSecuritySettingsCheck](policy-csp-internetexplorer.md) +- [DisableProcessesInEnhancedProtectedMode](policy-csp-internetexplorer.md) +- [AllowCertificateAddressMismatchWarning](policy-csp-internetexplorer.md) +- [InternetZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md) +- [InternetZoneEnableProtectedMode](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneTurnOnProtectedMode](policy-csp-internetexplorer.md) +- [InternetZoneUsePopupBlocker](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneUsePopupBlocker](policy-csp-internetexplorer.md) +- [InternetZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md) +- [LockedDownIntranetJavaPermissions](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md) +- [DisableHTMLApplication](policy-csp-internetexplorer.md) + +## Kerberos + +- [RequireKerberosArmoring](policy-csp-kerberos.md) +- [KerberosClientSupportsClaimsCompoundArmor](policy-csp-kerberos.md) +- [RequireStrictKDCValidation](policy-csp-kerberos.md) +- [SetMaximumContextTokenSize](policy-csp-kerberos.md) +- [AllowForestSearchOrder](policy-csp-kerberos.md) + +## LocalSecurityAuthority + +- [AllowCustomSSPsAPs](policy-csp-lsa.md) + +## MixedReality + +- [ConfigureNtpClient](policy-csp-mixedreality.md) +- [NtpClientEnabled](policy-csp-mixedreality.md) + +## MSSecurityGuide + +- [ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](policy-csp-mssecurityguide.md) +- [ConfigureSMBV1Server](policy-csp-mssecurityguide.md) +- [ConfigureSMBV1ClientDriver](policy-csp-mssecurityguide.md) +- [EnableStructuredExceptionHandlingOverwriteProtection](policy-csp-mssecurityguide.md) +- [WDigestAuthentication](policy-csp-mssecurityguide.md) +- [TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](policy-csp-mssecurityguide.md) + +## MSSLegacy + +- [IPv6SourceRoutingProtectionLevel](policy-csp-msslegacy.md) +- [IPSourceRoutingProtectionLevel](policy-csp-msslegacy.md) +- [AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](policy-csp-msslegacy.md) +- [AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](policy-csp-msslegacy.md) + +## Power + +- [AllowStandbyWhenSleepingPluggedIn](policy-csp-power.md) +- [RequirePasswordWhenComputerWakesOnBattery](policy-csp-power.md) +- [RequirePasswordWhenComputerWakesPluggedIn](policy-csp-power.md) +- [StandbyTimeoutPluggedIn](policy-csp-power.md) +- [StandbyTimeoutOnBattery](policy-csp-power.md) +- [HibernateTimeoutPluggedIn](policy-csp-power.md) +- [HibernateTimeoutOnBattery](policy-csp-power.md) +- [DisplayOffTimeoutPluggedIn](policy-csp-power.md) +- [DisplayOffTimeoutOnBattery](policy-csp-power.md) +- [AllowStandbyStatesWhenSleepingOnBattery](policy-csp-power.md) + +## Printers + +- [PointAndPrintRestrictions_User](policy-csp-printers.md) +- [EnableDeviceControlUser](policy-csp-printers.md) +- [ApprovedUsbPrintDevicesUser](policy-csp-printers.md) +- [PointAndPrintRestrictions](policy-csp-printers.md) +- [PublishPrinters](policy-csp-printers.md) +- [EnableDeviceControl](policy-csp-printers.md) +- [ApprovedUsbPrintDevices](policy-csp-printers.md) +- [RestrictDriverInstallationToAdministrators](policy-csp-printers.md) +- [ConfigureCopyFilesPolicy](policy-csp-printers.md) +- [ConfigureDriverValidationLevel](policy-csp-printers.md) +- [ManageDriverExclusionList](policy-csp-printers.md) +- [ConfigureRpcListenerPolicy](policy-csp-printers.md) +- [ConfigureRpcConnectionPolicy](policy-csp-printers.md) +- [ConfigureRpcTcpPort](policy-csp-printers.md) +- [ConfigureIppPageCountsPolicy](policy-csp-printers.md) +- [ConfigureRedirectionGuardPolicy](policy-csp-printers.md) + +## RemoteAssistance + +- [UnsolicitedRemoteAssistance](policy-csp-remoteassistance.md) +- [SolicitedRemoteAssistance](policy-csp-remoteassistance.md) +- [CustomizeWarningMessages](policy-csp-remoteassistance.md) +- [SessionLogging](policy-csp-remoteassistance.md) + +## RemoteDesktopServices + +- [DoNotAllowPasswordSaving](policy-csp-remotedesktopservices.md) +- [AllowUsersToConnectRemotely](policy-csp-remotedesktopservices.md) +- [DoNotAllowDriveRedirection](policy-csp-remotedesktopservices.md) +- [PromptForPasswordUponConnection](policy-csp-remotedesktopservices.md) +- [RequireSecureRPCCommunication](policy-csp-remotedesktopservices.md) +- [ClientConnectionEncryptionLevel](policy-csp-remotedesktopservices.md) +- [DoNotAllowWebAuthnRedirection](policy-csp-remotedesktopservices.md) + +## RemoteManagement + +- [AllowBasicAuthentication_Client](policy-csp-remotemanagement.md) +- [AllowBasicAuthentication_Service](policy-csp-remotemanagement.md) +- [AllowUnencryptedTraffic_Client](policy-csp-remotemanagement.md) +- [AllowUnencryptedTraffic_Service](policy-csp-remotemanagement.md) +- [DisallowDigestAuthentication](policy-csp-remotemanagement.md) +- [DisallowStoringOfRunAsCredentials](policy-csp-remotemanagement.md) +- [AllowCredSSPAuthenticationClient](policy-csp-remotemanagement.md) +- [AllowCredSSPAuthenticationService](policy-csp-remotemanagement.md) +- [DisallowNegotiateAuthenticationClient](policy-csp-remotemanagement.md) +- [DisallowNegotiateAuthenticationService](policy-csp-remotemanagement.md) +- [TrustedHosts](policy-csp-remotemanagement.md) +- [AllowRemoteServerManagement](policy-csp-remotemanagement.md) +- [SpecifyChannelBindingTokenHardeningLevel](policy-csp-remotemanagement.md) +- [TurnOnCompatibilityHTTPListener](policy-csp-remotemanagement.md) +- [TurnOnCompatibilityHTTPSListener](policy-csp-remotemanagement.md) + +## RemoteProcedureCall + +- [RPCEndpointMapperClientAuthentication](policy-csp-remoteprocedurecall.md) +- [RestrictUnauthenticatedRPCClients](policy-csp-remoteprocedurecall.md) + +## RemoteShell + +- [AllowRemoteShellAccess](policy-csp-remoteshell.md) +- [SpecifyIdleTimeout](policy-csp-remoteshell.md) +- [MaxConcurrentUsers](policy-csp-remoteshell.md) +- [SpecifyMaxMemory](policy-csp-remoteshell.md) +- [SpecifyMaxProcesses](policy-csp-remoteshell.md) +- [SpecifyMaxRemoteShells](policy-csp-remoteshell.md) +- [SpecifyShellTimeout](policy-csp-remoteshell.md) + +## ServiceControlManager + +- [SvchostProcessMitigation](policy-csp-servicecontrolmanager.md) + +## SettingsSync + +- [DisableAccessibilitySettingSync](policy-csp-settingssync.md) + +## Storage + +- [WPDDevicesDenyReadAccessPerUser](policy-csp-storage.md) +- [WPDDevicesDenyWriteAccessPerUser](policy-csp-storage.md) +- [EnhancedStorageDevices](policy-csp-storage.md) +- [WPDDevicesDenyReadAccessPerDevice](policy-csp-storage.md) +- [WPDDevicesDenyWriteAccessPerDevice](policy-csp-storage.md) + +## System + +- [BootStartDriverInitialization](policy-csp-system.md) +- [DisableSystemRestore](policy-csp-system.md) + +## TenantRestrictions + +- [ConfigureTenantRestrictions](policy-csp-tenantrestrictions.md) + +## WindowsConnectionManager + +- [ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](policy-csp-windowsconnectionmanager.md) + +## WindowsLogon + +- [DontDisplayNetworkSelectionUI](policy-csp-windowslogon.md) +- [DisableLockScreenAppNotifications](policy-csp-windowslogon.md) +- [EnumerateLocalUsersOnDomainJoinedComputers](policy-csp-windowslogon.md) +- [AllowAutomaticRestartSignOn](policy-csp-windowslogon.md) +- [ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md) +- [EnableMPRNotifications](policy-csp-windowslogon.md) + +## WindowsPowerShell + +- [TurnOnPowerShellScriptBlockLogging](policy-csp-windowspowershell.md) +- [TurnOnPowerShellScriptBlockLogging](policy-csp-windowspowershell.md) + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index a3a69669c7..df5363e3dd 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -1,903 +1,937 @@ --- title: Policies in Policy CSP supported by Group Policy description: Learn about the policies in Policy CSP supported by Group Policy. -ms.reviewer: +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 11/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 07/18/2019 +ms.topic: reference --- -# Policies in Policy CSP supported by Group Policy + -- [AboveLock/AllowCortanaAboveLock](./policy-csp-abovelock.md#abovelock-allowcortanaabovelock) -- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites) -- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional) -- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient) -- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization) -- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup) -- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts) -- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux) -- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver) -- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions) -- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions) -- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload) -- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode) -- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal) -- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser) -- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1) -- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2) -- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3) -- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4) -- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5) -- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl) -- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch) -- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider) -- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot) -- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot) -- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval) -- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries) -- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode) -- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache) -- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist) -- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist) -- [ApplicationDefaults/DefaultAssociationsConfiguration](./policy-csp-applicationdefaults.md#applicationdefaults-defaultassociationsconfiguration) -- [ApplicationDefaults/EnableAppUriHandlers](./policy-csp-applicationdefaults.md#applicationdefaults-enableappurihandlers) -- [ApplicationManagement/AllowAllTrustedApps](./policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps) -- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate) -- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock) -- [ApplicationManagement/AllowGameDVR](./policy-csp-applicationmanagement.md#applicationmanagement-allowgamedvr) -- [ApplicationManagement/AllowSharedUserAppData](./policy-csp-applicationmanagement.md#applicationmanagement-allowshareduserappdata) -- [ApplicationManagement/DisableStoreOriginatedApps](./policy-csp-applicationmanagement.md#applicationmanagement-disablestoreoriginatedapps) -- [ApplicationManagement/MSIAllowUserControlOverInstall](./policy-csp-applicationmanagement.md#applicationmanagement-msiallowusercontroloverinstall) -- [ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges](./policy-csp-applicationmanagement.md#applicationmanagement-msialwaysinstallwithelevatedprivileges) -- [ApplicationManagement/RequirePrivateStoreOnly](./policy-csp-applicationmanagement.md#applicationmanagement-requireprivatestoreonly) -- [ApplicationManagement/RestrictAppDataToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictappdatatosystemvolume) -- [ApplicationManagement/RestrictAppToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictapptosystemvolume) -- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation) -- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism) -- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms) -- [Authentication/AllowSecondaryAuthenticationDevice](./policy-csp-authentication.md#authentication-allowsecondaryauthenticationdevice) -- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices) -- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior) -- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay) -- [BITS/BandwidthThrottlingEndTime](./policy-csp-bits.md#bits-bandwidththrottlingendtime) -- [BITS/BandwidthThrottlingStartTime](./policy-csp-bits.md#bits-bandwidththrottlingstarttime) -- [BITS/BandwidthThrottlingTransferRate](./policy-csp-bits.md#bits-bandwidththrottlingtransferrate) -- [BITS/CostedNetworkBehaviorBackgroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorbackgroundpriority) -- [BITS/CostedNetworkBehaviorForegroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorforegroundpriority) -- [BITS/JobInactivityTimeout](./policy-csp-bits.md#bits-jobinactivitytimeout) -- [Browser/AllowAddressBarDropdown](./policy-csp-browser.md#browser-allowaddressbardropdown) -- [Browser/AllowAutofill](./policy-csp-browser.md#browser-allowautofill) -- [Browser/AllowCookies](./policy-csp-browser.md#browser-allowcookies) -- [Browser/AllowDeveloperTools](./policy-csp-browser.md#browser-allowdevelopertools) -- [Browser/AllowDoNotTrack](./policy-csp-browser.md#browser-allowdonottrack) -- [Browser/AllowExtensions](./policy-csp-browser.md#browser-allowextensions) -- [Browser/AllowFlash](./policy-csp-browser.md#browser-allowflash) -- [Browser/AllowFlashClickToRun](./policy-csp-browser.md#browser-allowflashclicktorun) -- [Browser/AllowFullScreenMode](./policy-csp-browser.md#browser-allowfullscreenmode) -- [Browser/AllowInPrivate](./policy-csp-browser.md#browser-allowinprivate) -- [Browser/AllowMicrosoftCompatibilityList](./policy-csp-browser.md#browser-allowmicrosoftcompatibilitylist) -- [Browser/AllowPasswordManager](./policy-csp-browser.md#browser-allowpasswordmanager) -- [Browser/AllowPopups](./policy-csp-browser.md#browser-allowpopups) -- [Browser/AllowPrelaunch](./policy-csp-browser.md#browser-allowprelaunch) -- [Browser/AllowPrinting](./policy-csp-browser.md#browser-allowprinting) -- [Browser/AllowSavingHistory](./policy-csp-browser.md#browser-allowsavinghistory) -- [Browser/AllowSearchEngineCustomization](./policy-csp-browser.md#browser-allowsearchenginecustomization) -- [Browser/AllowSearchSuggestionsinAddressBar](./policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSideloadingOfExtensions](./policy-csp-browser.md#browser-allowsideloadingofextensions) -- [Browser/AllowSmartScreen](./policy-csp-browser.md#browser-allowsmartscreen) -- [Browser/AllowTabPreloading](./policy-csp-browser.md#browser-allowtabpreloading) -- [Browser/AllowWebContentOnNewTabPage](./policy-csp-browser.md#browser-allowwebcontentonnewtabpage) -- [Browser/AlwaysEnableBooksLibrary](./policy-csp-browser.md#browser-alwaysenablebookslibrary) -- [Browser/ClearBrowsingDataOnExit](./policy-csp-browser.md#browser-clearbrowsingdataonexit) -- [Browser/ConfigureAdditionalSearchEngines](./policy-csp-browser.md#browser-configureadditionalsearchengines) -- [Browser/ConfigureFavoritesBar](./policy-csp-browser.md#browser-configurefavoritesbar) -- [Browser/ConfigureHomeButton](./policy-csp-browser.md#browser-configurehomebutton) -- [Browser/ConfigureKioskMode](./policy-csp-browser.md#browser-configurekioskmode) -- [Browser/ConfigureKioskResetAfterIdleTimeout](./policy-csp-browser.md#browser-configurekioskresetafteridletimeout) -- [Browser/ConfigureOpenMicrosoftEdgeWith](./policy-csp-browser.md#browser-configureopenmicrosoftedgewith) -- [Browser/ConfigureTelemetryForMicrosoft365Analytics](./policy-csp-browser.md#browser-configuretelemetryformicrosoft365analytics) -- [Browser/DisableLockdownOfStartPages](./policy-csp-browser.md#browser-disablelockdownofstartpages) -- [Browser/EnableExtendedBooksTelemetry](./policy-csp-browser.md#browser-enableextendedbookstelemetry) -- [Browser/EnterpriseModeSiteList](./policy-csp-browser.md#browser-enterprisemodesitelist) -- [Browser/HomePages](./policy-csp-browser.md#browser-homepages) -- [Browser/LockdownFavorites](./policy-csp-browser.md#browser-lockdownfavorites) -- [Browser/PreventAccessToAboutFlagsInMicrosoftEdge](./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge) -- [Browser/PreventCertErrorOverrides](./policy-csp-browser.md#browser-preventcerterroroverrides) -- [Browser/PreventFirstRunPage](./policy-csp-browser.md#browser-preventfirstrunpage) -- [Browser/PreventLiveTileDataCollection](./policy-csp-browser.md#browser-preventlivetiledatacollection) -- [Browser/PreventSmartScreenPromptOverride](./policy-csp-browser.md#browser-preventsmartscreenpromptoverride) -- [Browser/PreventSmartScreenPromptOverrideForFiles](./policy-csp-browser.md#browser-preventsmartscreenpromptoverrideforfiles) -- [Browser/PreventUsingLocalHostIPAddressForWebRTC](./policy-csp-browser.md#browser-preventusinglocalhostipaddressforwebrtc) -- [Browser/ProvisionFavorites](./policy-csp-browser.md#browser-provisionfavorites) -- [Browser/SendIntranetTraffictoInternetExplorer](./policy-csp-browser.md#browser-sendintranettraffictointernetexplorer) -- [Browser/SetDefaultSearchEngine](./policy-csp-browser.md#browser-setdefaultsearchengine) -- [Browser/SetHomeButtonURL](./policy-csp-browser.md#browser-sethomebuttonurl) -- [Browser/SetNewTabPageURL](./policy-csp-browser.md#browser-setnewtabpageurl) -- [Browser/ShowMessageWhenOpeningSitesInInternetExplorer](./policy-csp-browser.md#browser-showmessagewhenopeningsitesininternetexplorer) -- [Browser/SyncFavoritesBetweenIEAndMicrosoftEdge](./policy-csp-browser.md#browser-syncfavoritesbetweenieandmicrosoftedge) -- [Browser/UnlockHomeButton](./policy-csp-browser.md#browser-unlockhomebutton) -- [Browser/UseSharedFolderForBooks](./policy-csp-browser.md#browser-usesharedfolderforbooks) -- [Camera/AllowCamera](./policy-csp-camera.md#camera-allowcamera) -- [Cellular/LetAppsAccessCellularData](./policy-csp-cellular.md#cellular-letappsaccesscellulardata) -- [Cellular/LetAppsAccessCellularData_ForceAllowTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forceallowtheseapps) -- [Cellular/LetAppsAccessCellularData_ForceDenyTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forcedenytheseapps) -- [Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-userincontroloftheseapps) -- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui) -- [Connectivity/AllowCellularDataRoaming](./policy-csp-connectivity.md#connectivity-allowcellulardataroaming) -- [Connectivity/AllowPhonePCLinking](./policy-csp-connectivity.md#connectivity-allowphonepclinking) -- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-disableprintingoverhttp) -- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp) -- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards) -- [Connectivity/DisallowNetworkConnectivityActiveTests](./policy-csp-connectivity.md#connectivity-disallownetworkconnectivityactivetests) -- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths) -- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge) -- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon) -- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword) -- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials) -- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal) -- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators) -- [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy) -- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g) -- [Defender/AllowArchiveScanning](./policy-csp-defender.md#defender-allowarchivescanning) -- [Defender/AllowBehaviorMonitoring](./policy-csp-defender.md#defender-allowbehaviormonitoring) -- [Defender/AllowCloudProtection](./policy-csp-defender.md#defender-allowcloudprotection) -- [Defender/AllowEmailScanning](./policy-csp-defender.md#defender-allowemailscanning) -- [Defender/AllowFullScanOnMappedNetworkDrives](./policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives) -- [Defender/AllowFullScanRemovableDriveScanning](./policy-csp-defender.md#defender-allowfullscanremovabledrivescanning) -- [Defender/AllowIOAVProtection](./policy-csp-defender.md#defender-allowioavprotection) -- [Defender/AllowOnAccessProtection](./policy-csp-defender.md#defender-allowonaccessprotection) -- [Defender/AllowRealtimeMonitoring](./policy-csp-defender.md#defender-allowrealtimemonitoring) -- [Defender/AllowScanningNetworkFiles](./policy-csp-defender.md#defender-allowscanningnetworkfiles) -- [Defender/AllowUserUIAccess](./policy-csp-defender.md#defender-allowuseruiaccess) -- [Defender/AttackSurfaceReductionOnlyExclusions](./policy-csp-defender.md#defender-attacksurfacereductiononlyexclusions) -- [Defender/AttackSurfaceReductionRules](./policy-csp-defender.md#defender-attacksurfacereductionrules) -- [Defender/AvgCPULoadFactor](./policy-csp-defender.md#defender-avgcpuloadfactor) -- [Defender/CheckForSignaturesBeforeRunningScan](./policy-csp-defender.md#defender-checkforsignaturesbeforerunningscan) -- [Defender/CloudBlockLevel](./policy-csp-defender.md#defender-cloudblocklevel) -- [Defender/CloudExtendedTimeout](./policy-csp-defender.md#defender-cloudextendedtimeout) -- [Defender/ControlledFolderAccessAllowedApplications](./policy-csp-defender.md#defender-controlledfolderaccessallowedapplications) -- [Defender/ControlledFolderAccessProtectedFolders](./policy-csp-defender.md#defender-controlledfolderaccessprotectedfolders) -- [Defender/DaysToRetainCleanedMalware](./policy-csp-defender.md#defender-daystoretaincleanedmalware) -- [Defender/DisableCatchupFullScan](./policy-csp-defender.md#defender-disablecatchupfullscan) -- [Defender/DisableCatchupQuickScan](./policy-csp-defender.md#defender-disablecatchupquickscan) -- [Defender/EnableControlledFolderAccess](./policy-csp-defender.md#defender-enablecontrolledfolderaccess) -- [Defender/EnableLowCPUPriority](./policy-csp-defender.md#defender-enablelowcpupriority) -- [Defender/EnableNetworkProtection](./policy-csp-defender.md#defender-enablenetworkprotection) -- [Defender/ExcludedExtensions](./policy-csp-defender.md#defender-excludedextensions) -- [Defender/ExcludedPaths](./policy-csp-defender.md#defender-excludedpaths) -- [Defender/ExcludedProcesses](./policy-csp-defender.md#defender-excludedprocesses) -- [Defender/RealTimeScanDirection](./policy-csp-defender.md#defender-realtimescandirection) -- [Defender/ScanParameter](./policy-csp-defender.md#defender-scanparameter) -- [Defender/ScheduleQuickScanTime](./policy-csp-defender.md#defender-schedulequickscantime) -- [Defender/ScheduleScanDay](./policy-csp-defender.md#defender-schedulescanday) -- [Defender/ScheduleScanTime](./policy-csp-defender.md#defender-schedulescantime) -- [Defender/SignatureUpdateFallbackOrder](./policy-csp-defender.md#defender-signatureupdatefallbackorder) -- [Defender/SignatureUpdateFileSharesSources](./policy-csp-defender.md#defender-signatureupdatefilesharessources) -- [Defender/SignatureUpdateInterval](./policy-csp-defender.md#defender-signatureupdateinterval) -- [Defender/SubmitSamplesConsent](./policy-csp-defender.md#defender-submitsamplesconsent) -- [Defender/ThreatSeverityDefaultAction](./policy-csp-defender.md#defender-threatseveritydefaultaction) -- [DeliveryOptimization/DOAbsoluteMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize) -- [DeliveryOptimization/DOAllowVPNPeerCaching](./policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching) -- [DeliveryOptimization/DOCacheHost](./policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost) -- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp) -- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp) -- [DeliveryOptimization/DODelayCacheServerFallbackBackground](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground) -- [DeliveryOptimization/DODelayCacheServerFallbackForeground](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground) -- [DeliveryOptimization/DODownloadMode](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode) -- [DeliveryOptimization/DOGroupId](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid) -- [DeliveryOptimization/DOGroupIdSource](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource) -- [DeliveryOptimization/DOMaxCacheAge](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage) -- [DeliveryOptimization/DOMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize) -- [DeliveryOptimization/DOMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) -- [DeliveryOptimization/DOMaxUploadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) -- [DeliveryOptimization/DOMinBackgroundQos](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos) -- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload) -- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer) -- [DeliveryOptimization/DOMinFileSizeToCache](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache) -- [DeliveryOptimization/DOMinRAMAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer) -- [DeliveryOptimization/DOModifyCacheDrive](./policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive) -- [DeliveryOptimization/DOMonthlyUploadDataCap](./policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap) -- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth) -- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) -- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth) -- [DeliveryOptimization/DORestrictPeerSelectionBy](./policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby) -- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) -- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) -- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) -- [DeviceGuard/ConfigureSystemGuardLaunch](./policy-csp-deviceguard.md#deviceguard-configuresystemguardlaunch) -- [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity) -- [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags) -- [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures) -- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids) -- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses) -- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork) -- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofdevicesnotdescribedbyotherpolicysettings) -- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceids) -- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdevicesetupclasses) -- [DeviceLock/MinimumPasswordAge](./policy-csp-devicelock.md#devicelock-minimumpasswordage) -- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera) -- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow) -- [Display/DisablePerProcessDpiForApps](./policy-csp-display.md#display-disableperprocessdpiforapps) -- [Display/EnablePerProcessDpi](./policy-csp-display.md#display-enableperprocessdpi) -- [Display/EnablePerProcessDpiForApps](./policy-csp-display.md#display-enableperprocessdpiforapps) -- [Display/TurnOffGdiDPIScalingForApps](./policy-csp-display.md#display-turnoffgdidpiscalingforapps) -- [Display/TurnOnGdiDPIScalingForApps](./policy-csp-display.md#display-turnongdidpiscalingforapps) -- [DmaGuard/DeviceEnumerationPolicy](./policy-csp-dmaguard.md#dmaguard-deviceenumerationpolicy) -- [Education/PreventAddingNewPrinters](./policy-csp-education.md#education-preventaddingnewprinters) -- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings) -- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting) -- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification) -- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata) -- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay) -- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior) -- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog) -- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog) -- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog) -- [Experience/AllowClipboardHistory](./policy-csp-experience.md#experience-allowclipboardhistory) -- [Experience/AllowCortana](./policy-csp-experience.md#experience-allowcortana) -- [Experience/AllowFindMyDevice](./policy-csp-experience.md#experience-allowfindmydevice) -- [Experience/AllowTailoredExperiencesWithDiagnosticData](./policy-csp-experience.md#experience-allowtailoredexperienceswithdiagnosticdata) -- [Experience/AllowThirdPartySuggestionsInWindowsSpotlight](./policy-csp-experience.md#experience-allowthirdpartysuggestionsinwindowsspotlight) -- [Experience/AllowWindowsConsumerFeatures](./policy-csp-experience.md#experience-allowwindowsconsumerfeatures) -- [Experience/AllowWindowsSpotlight](./policy-csp-experience.md#experience-allowwindowsspotlight) -- [Experience/AllowWindowsSpotlightOnActionCenter](./policy-csp-experience.md#experience-allowwindowsspotlightonactioncenter) -- [Experience/AllowWindowsSpotlightOnSettings](./policy-csp-experience.md#experience-allowwindowsspotlightonsettings) -- [Experience/AllowWindowsSpotlightWindowsWelcomeExperience](./policy-csp-experience.md#experience-allowwindowsspotlightwindowswelcomeexperience) -- [Experience/AllowWindowsTips](./policy-csp-experience.md#experience-allowwindowstips) -- [Experience/ConfigureWindowsSpotlightOnLockScreen](./policy-csp-experience.md#experience-configurewindowsspotlightonlockscreen) -- [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications) -- [Experience/DoNotSyncBrowserSettings](./policy-csp-experience.md#experience-donotsyncbrowsersetting) -- [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing) -- [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile) -- [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings) -- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer) -- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption) -- [Handwriting/PanelDefaultModeDocked](./policy-csp-handwriting.md#handwriting-paneldefaultmodedocked) -- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider) -- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering) -- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist) -- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete) -- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning) -- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit) -- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode) -- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar) -- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu) -- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist) -- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3) -- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist) -- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode) -- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate) -- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate) -- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate) -- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate) -- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate) -- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate) -- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate) -- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry) -- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist) -- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid) -- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites) -- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate) -- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate) -- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate) -- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation) -- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms) -- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses) -- [InternetExplorer/DisableActiveXVersionListAutoDownload](./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload) -- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash) -- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings) -- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles) -- [InternetExplorer/DisableCompatView](./policy-csp-internetexplorer.md#internetexplorer-disablecompatview) -- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory) -- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection) -- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation) -- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites) -- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading) -- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport) -- [InternetExplorer/DisableFeedsBackgroundSync](./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync) -- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard) -- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature) -- [InternetExplorer/DisableGeolocation](./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation) -- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange) -- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors) -- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing) -- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode) -- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange) -- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange) -- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange) -- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck) -- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck) -- [InternetExplorer/DisableWebAddressAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete) -- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode) -- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites) -- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies) -- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols) -- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains) -- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites) -- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths) -- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources) -- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript) -- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles) -- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads) -- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites) -- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles) -- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols) -- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol) -- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows) -- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols) -- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets) -- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie) -- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript) -- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence) -- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer) -- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols) -- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols) -- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter) -- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows) -- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows) -- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing) -- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode) -- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver) -- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions) -- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe) -- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions) -- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes) -- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode) -- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles) -- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker) -- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources) -- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads) -- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites) -- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets) -- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie) -- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence) -- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions) -- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes) -- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources) -- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads) -- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites) -- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents) -- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets) -- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie) -- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence) -- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions) -- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes) -- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources) -- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads) -- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets) -- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie) -- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence) -- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions) -- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes) -- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions) -- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources) -- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads) -- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets) -- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie) -- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence) -- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes) -- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources) -- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads) -- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets) -- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie) -- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence) -- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions) -- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence) -- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions) -- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence) -- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions) -- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes) -- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses) -- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses) -- [InternetExplorer/NewTabDefaultPage](./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage) -- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses) -- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter) -- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols) -- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses) -- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols) -- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses) -- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses) -- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources) -- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting) -- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors) -- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript) -- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles) -- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads) -- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads) -- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles) -- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh) -- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol) -- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows) -- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols) -- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets) -- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie) -- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript) -- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence) -- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer) -- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter) -- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows) -- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows) -- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing) -- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver) -- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions) -- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe) -- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions) -- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes) -- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins) -- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode) -- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting) -- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets) -- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles) -- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode) -- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker) -- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses) -- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist) -- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings) -- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice) -- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources) -- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads) -- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets) -- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie) -- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence) -- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions) -- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes) -- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder) -- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor) -- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring) -- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation) -- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize) -- [LanmanWorkstation/EnableInsecureGuestLogons](./policy-csp-lanmanworkstation.md#lanmanworkstation-enableinsecureguestlogons) -- [Licensing/AllowWindowsEntitlementReactivation](./policy-csp-licensing.md#licensing-allowwindowsentitlementreactivation) -- [Licensing/DisallowKMSClientOnlineAVSValidation](./policy-csp-licensing.md#licensing-disallowkmsclientonlineavsvalidation) -- [LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts) -- [LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly) -- [LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameadministratoraccount) -- [LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameguestaccount) -- [LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowundockwithouthavingtologon) -- [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia) -- [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters) -- [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly) -- [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked) -- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) -- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin) -- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel) -- [LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-machineinactivitylimit) -- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon) -- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon) -- [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior) -- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees) -- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers) -- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways) -- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees) -- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts) -- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccountsandshares) -- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictanonymousaccesstonamedpipesandshares) -- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam) -- [LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests) -- [LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-donotstorelanmanagerhashvalueonnextpasswordchange) -- [LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel) -- [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers) -- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-addremoteserverexceptionsforntlmauthentication) -- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-auditincomingntlmtraffic) -- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-incomingntlmtraffic) -- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-outgoingntlmtraffictoremoteservers) -- [LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) -- [LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile) -- [LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation) -- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators) -- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) -- [LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-detectapplicationinstallationsandpromptforelevation) -- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated) -- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations) -- [LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode) -- [LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation) -- [LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-useadminapprovalmode) -- [LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations) -- [LockDown/AllowEdgeSwipe](./policy-csp-lockdown.md#lockdown-allowedgeswipe) -- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes) -- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers) -- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel) -- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel) -- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon) -- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver) -- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server) -- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection) -- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications) -- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication) -- [Maps/EnableOfflineMapsAutoUpdate](./policy-csp-maps.md#maps-enableofflinemapsautoupdate) -- [Messaging/AllowMessageSync](./policy-csp-messaging.md#messaging-allowmessagesync) -- [NetworkIsolation/EnterpriseCloudResources](./policy-csp-networkisolation.md#networkisolation-enterprisecloudresources) -- [NetworkIsolation/EnterpriseIPRange](./policy-csp-networkisolation.md#networkisolation-enterpriseiprange) -- [NetworkIsolation/EnterpriseIPRangesAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseiprangesareauthoritative) -- [NetworkIsolation/EnterpriseInternalProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseinternalproxyservers) -- [NetworkIsolation/EnterpriseProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyservers) -- [NetworkIsolation/EnterpriseProxyServersAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyserversareauthoritative) -- [NetworkIsolation/NeutralResources](./policy-csp-networkisolation.md#networkisolation-neutralresources) -- [Notifications/DisallowCloudNotification](./policy-csp-notifications.md#notifications-disallowcloudnotification) -- [Notifications/DisallowNotificationMirroring](./policy-csp-notifications.md#notifications-disallownotificationmirroring) -- [Notifications/DisallowTileNotification](./policy-csp-notifications.md#notifications-disallowtilenotification) -- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery) -- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin) -- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) -- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) -- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) -- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) -- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery) -- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin) -- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery) -- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin) -- [Power/SelectLidCloseActionOnBattery](./policy-csp-power.md#power-selectlidcloseactiononbattery) -- [Power/SelectLidCloseActionPluggedIn](./policy-csp-power.md#power-selectlidcloseactionpluggedin) -- [Power/SelectPowerButtonActionOnBattery](./policy-csp-power.md#power-selectpowerbuttonactiononbattery) -- [Power/SelectPowerButtonActionPluggedIn](./policy-csp-power.md#power-selectpowerbuttonactionpluggedin) -- [Power/SelectSleepButtonActionOnBattery](./policy-csp-power.md#power-selectsleepbuttonactiononbattery) -- [Power/SelectSleepButtonActionPluggedIn](./policy-csp-power.md#power-selectsleepbuttonactionpluggedin) -- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) -- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) -- [Power/TurnOffHybridSleepOnBattery](./policy-csp-power.md#power-turnoffhybridsleeponbattery) -- [Power/TurnOffHybridSleepPluggedIn](./policy-csp-power.md#power-turnoffhybridsleeppluggedin) -- [Power/UnattendedSleepTimeoutOnBattery](./policy-csp-power.md#power-unattendedsleeptimeoutonbattery) -- [Power/UnattendedSleepTimeoutPluggedIn](./policy-csp-power.md#power-unattendedsleeptimeoutpluggedin) -- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions) -- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user) -- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters) -- [Privacy/AllowCrossDeviceClipboard](./policy-csp-privacy.md#privacy-allowcrossdeviceclipboard) -- [Privacy/AllowInputPersonalization](./policy-csp-privacy.md#privacy-allowinputpersonalization) -- [Privacy/DisableAdvertisingId](./policy-csp-privacy.md#privacy-disableadvertisingid) -- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#privacy-disableprivacyexperience) -- [Privacy/EnableActivityFeed](./policy-csp-privacy.md#privacy-enableactivityfeed) -- [Privacy/LetAppsAccessAccountInfo](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo) -- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps) -- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps) -- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps) -- [Privacy/LetAppsAccessCalendar](./policy-csp-privacy.md#privacy-letappsaccesscalendar) -- [Privacy/LetAppsAccessCalendar_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forceallowtheseapps) -- [Privacy/LetAppsAccessCalendar_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forcedenytheseapps) -- [Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-userincontroloftheseapps) -- [Privacy/LetAppsAccessCallHistory](./policy-csp-privacy.md#privacy-letappsaccesscallhistory) -- [Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forceallowtheseapps) -- [Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forcedenytheseapps) -- [Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-userincontroloftheseapps) -- [Privacy/LetAppsAccessCamera](./policy-csp-privacy.md#privacy-letappsaccesscamera) -- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps) -- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps) -- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps) -- [Privacy/LetAppsAccessContacts](./policy-csp-privacy.md#privacy-letappsaccesscontacts) -- [Privacy/LetAppsAccessContacts_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forceallowtheseapps) -- [Privacy/LetAppsAccessContacts_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forcedenytheseapps) -- [Privacy/LetAppsAccessContacts_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-userincontroloftheseapps) -- [Privacy/LetAppsAccessEmail](./policy-csp-privacy.md#privacy-letappsaccessemail) -- [Privacy/LetAppsAccessEmail_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forceallowtheseapps) -- [Privacy/LetAppsAccessEmail_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forcedenytheseapps) -- [Privacy/LetAppsAccessEmail_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-userincontroloftheseapps) -- [Privacy/LetAppsAccessLocation](./policy-csp-privacy.md#privacy-letappsaccesslocation) -- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forceallowtheseapps) -- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forcedenytheseapps) -- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-userincontroloftheseapps) -- [Privacy/LetAppsAccessMessaging](./policy-csp-privacy.md#privacy-letappsaccessmessaging) -- [Privacy/LetAppsAccessMessaging_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forceallowtheseapps) -- [Privacy/LetAppsAccessMessaging_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forcedenytheseapps) -- [Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-userincontroloftheseapps) -- [Privacy/LetAppsAccessMicrophone](./policy-csp-privacy.md#privacy-letappsaccessmicrophone) -- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps) -- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps) -- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps) -- [Privacy/LetAppsAccessMotion](./policy-csp-privacy.md#privacy-letappsaccessmotion) -- [Privacy/LetAppsAccessMotion_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forceallowtheseapps) -- [Privacy/LetAppsAccessMotion_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forcedenytheseapps) -- [Privacy/LetAppsAccessMotion_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-userincontroloftheseapps) -- [Privacy/LetAppsAccessNotifications](./policy-csp-privacy.md#privacy-letappsaccessnotifications) -- [Privacy/LetAppsAccessNotifications_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forceallowtheseapps) -- [Privacy/LetAppsAccessNotifications_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forcedenytheseapps) -- [Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-userincontroloftheseapps) -- [Privacy/LetAppsAccessPhone](./policy-csp-privacy.md#privacy-letappsaccessphone) -- [Privacy/LetAppsAccessPhone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forceallowtheseapps) -- [Privacy/LetAppsAccessPhone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forcedenytheseapps) -- [Privacy/LetAppsAccessPhone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-userincontroloftheseapps) -- [Privacy/LetAppsAccessRadios](./policy-csp-privacy.md#privacy-letappsaccessradios) -- [Privacy/LetAppsAccessRadios_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forceallowtheseapps) -- [Privacy/LetAppsAccessRadios_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forcedenytheseapps) -- [Privacy/LetAppsAccessRadios_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-userincontroloftheseapps) -- [Privacy/LetAppsAccessTasks](./policy-csp-privacy.md#privacy-letappsaccesstasks) -- [Privacy/LetAppsAccessTasks_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forceallowtheseapps) -- [Privacy/LetAppsAccessTasks_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forcedenytheseapps) -- [Privacy/LetAppsAccessTasks_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-userincontroloftheseapps) -- [Privacy/LetAppsAccessTrustedDevices](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices) -- [Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forceallowtheseapps) -- [Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forcedenytheseapps) -- [Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-userincontroloftheseapps) -- [Privacy/LetAppsGetDiagnosticInfo](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo) -- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) -- [Privacy/LetAppsRunInBackground](./policy-csp-privacy.md#privacy-letappsruninbackground) -- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forceallowtheseapps) -- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forcedenytheseapps) -- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-userincontroloftheseapps) -- [Privacy/LetAppsSyncWithDevices](./policy-csp-privacy.md#privacy-letappssyncwithdevices) -- [Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forceallowtheseapps) -- [Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forcedenytheseapps) -- [Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-userincontroloftheseapps) -- [Privacy/PublishUserActivities](./policy-csp-privacy.md#privacy-publishuseractivities) -- [Privacy/UploadUserActivities](./policy-csp-privacy.md#privacy-uploaduseractivities) -- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages) -- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging) -- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance) -- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance) -- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely) -- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel) -- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection) -- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving) -- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection) -- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication) -- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client) -- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service) -- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient) -- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice) -- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement) -- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client) -- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service) -- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication) -- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient) -- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice) -- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials) -- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel) -- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts) -- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener) -- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener) -- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication) -- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients) -- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess) -- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers) -- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout) -- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory) -- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses) -- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells) -- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout) -- [Search/AllowCloudSearch](./policy-csp-search.md#search-allowcloudsearch) -- [Search/AllowFindMyFiles](./policy-csp-search.md#search-allowfindmyfiles) -- [Search/AllowIndexingEncryptedStoresOrItems](./policy-csp-search.md#search-allowindexingencryptedstoresoritems) -- [Search/AllowSearchToUseLocation](./policy-csp-search.md#search-allowsearchtouselocation) -- [Search/AllowUsingDiacritics](./policy-csp-search.md#search-allowusingdiacritics) -- [Search/AlwaysUseAutoLangDetection](./policy-csp-search.md#search-alwaysuseautolangdetection) -- [Search/DisableBackoff](./policy-csp-search.md#search-disablebackoff) -- [Search/DisableRemovableDriveIndexing](./policy-csp-search.md#search-disableremovabledriveindexing) -- [Search/DoNotUseWebResults](./policy-csp-search.md#search-donotusewebresults) -- [Search/PreventIndexingLowDiskSpaceMB](./policy-csp-search.md#search-preventindexinglowdiskspacemb) -- [Search/PreventRemoteQueries](./policy-csp-search.md#search-preventremotequeries) -- [Security/ClearTPMIfNotReady](./policy-csp-security.md#security-cleartpmifnotready) -- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation) -- [Settings/AllowOnlineTips](./policy-csp-settings.md#settings-allowonlinetips) -- [Settings/ConfigureTaskbarCalendar](./policy-csp-settings.md#settings-configuretaskbarcalendar) -- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist) -- [SmartScreen/EnableAppInstallControl](./policy-csp-smartscreen.md#smartscreen-enableappinstallcontrol) -- [SmartScreen/EnableSmartScreenInShell](./policy-csp-smartscreen.md#smartscreen-enablesmartscreeninshell) -- [SmartScreen/PreventOverrideForFilesInShell](./policy-csp-smartscreen.md#smartscreen-preventoverrideforfilesinshell) -- [Speech/AllowSpeechModelUpdate](./policy-csp-speech.md#speech-allowspeechmodelupdate) -- [Start/DisableContextMenus](./policy-csp-start.md#start-disablecontextmenus) -- [Start/HidePeopleBar](./policy-csp-start.md#start-hidepeoplebar) -- [Start/HideRecentlyAddedApps](./policy-csp-start.md#start-hiderecentlyaddedapps) -- [Start/StartLayout](./policy-csp-start.md#start-startlayout) -- [Storage/AllowDiskHealthModelUpdates](./policy-csp-storage.md#storage-allowdiskhealthmodelupdates) -- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices) -- [System/AllowBuildPreview](./policy-csp-system.md#system-allowbuildpreview) -- [System/AllowCommercialDataPipeline](./policy-csp-system.md#system-allowcommercialdatapipeline) -- [System/AllowDeviceNameInDiagnosticData](./policy-csp-system.md#system-allowdevicenameindiagnosticdata) -- [System/AllowFontProviders](./policy-csp-system.md#system-allowfontproviders) -- [System/AllowLocation](./policy-csp-system.md#system-allowlocation) -- [System/AllowTelemetry](./policy-csp-system.md#system-allowtelemetry) -- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) -- [System/ConfigureMicrosoft365UploadEndpoint](./policy-csp-system.md#system-configuremicrosoft365uploadendpoint) -- [System/ConfigureTelemetryOptInChangeNotification](./policy-csp-system.md#system-configuretelemetryoptinchangenotification) -- [System/ConfigureTelemetryOptInSettingsUx](./policy-csp-system.md#system-configuretelemetryoptinsettingsux) -- [System/DisableDeviceDelete](./policy-csp-system.md#system-disabledevicedelete) -- [System/DisableDiagnosticDataViewer](./policy-csp-system.md#system-disablediagnosticdataviewer) -- [System/DisableEnterpriseAuthProxy](./policy-csp-system.md#system-disableenterpriseauthproxy) -- [System/DisableOneDriveFileSync](./policy-csp-system.md#system-disableonedrivefilesync) -- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) -- [System/LimitEnhancedDiagnosticDataWindowsAnalytics](./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics) -- [System/TelemetryProxy](./policy-csp-system.md#system-telemetryproxy) -- [System/TurnOffFileHistory](./policy-csp-system.md#system-turnofffilehistory) -- [SystemServices/ConfigureHomeGroupListenerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegrouplistenerservicestartupmode) -- [SystemServices/ConfigureHomeGroupProviderServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegroupproviderservicestartupmode) -- [SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxaccessorymanagementservicestartupmode) -- [SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxliveauthmanagerservicestartupmode) -- [SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivegamesaveservicestartupmode) -- [SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivenetworkingservicestartupmode) -- [TextInput/AllowLanguageFeaturesUninstall](./policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall) -- [TextInput/AllowLinguisticDataCollection](./policy-csp-textinput.md#textinput-allowlinguisticdatacollection) -- [Troubleshooting/AllowRecommendations](./policy-csp-troubleshooting.md#troubleshooting-allowrecommendations) -- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend) -- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange) -- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) -- [Update/AllowAutoUpdate](./policy-csp-update.md#update-allowautoupdate) -- [Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork](./policy-csp-update.md#update-allowautowindowsupdatedownloadovermeterednetwork) -- [Update/AllowMUUpdateService](./policy-csp-update.md#update-allowmuupdateservice) -- [Update/AllowUpdateService](./policy-csp-update.md#update-allowupdateservice) -- [Update/AutoRestartDeadlinePeriodInDays](./policy-csp-update.md#update-autorestartdeadlineperiodindays) -- [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](./policy-csp-update.md#update-autorestartdeadlineperiodindaysforfeatureupdates) -- [Update/AutoRestartNotificationSchedule](./policy-csp-update.md#update-autorestartnotificationschedule) -- [Update/AutoRestartRequiredNotificationDismissal](./policy-csp-update.md#update-autorestartrequirednotificationdismissal) -- [Update/AutomaticMaintenanceWakeUp](./policy-csp-update.md#update-automaticmaintenancewakeup) -- [Update/BranchReadinessLevel](./policy-csp-update.md#update-branchreadinesslevel) -- [Update/ConfigureDeadlineForFeatureUpdates](./policy-csp-update.md#update-configuredeadlineforfeatureupdates) -- [Update/ConfigureDeadlineForQualityUpdates](./policy-csp-update.md#update-configuredeadlineforqualityupdates) -- [Update/ConfigureDeadlineGracePeriod](./policy-csp-update.md#update-configuredeadlinegraceperiod) -- [Update/ConfigureDeadlineNoAutoReboot](./policy-csp-update.md#update-configuredeadlinenoautoreboot) -- [Update/DeferFeatureUpdatesPeriodInDays](./policy-csp-update.md#update-deferfeatureupdatesperiodindays) -- [Update/DeferQualityUpdatesPeriodInDays](./policy-csp-update.md#update-deferqualityupdatesperiodindays) -- [Update/DeferUpdatePeriod](./policy-csp-update.md#update-deferupdateperiod) -- [Update/DeferUpgradePeriod](./policy-csp-update.md#update-deferupgradeperiod) -- [Update/DetectionFrequency](./policy-csp-update.md#update-detectionfrequency) -- [Update/DisableDualScan](./policy-csp-update.md#update-disabledualscan) -- [Update/EngagedRestartDeadline](./policy-csp-update.md#update-engagedrestartdeadline) -- [Update/EngagedRestartDeadlineForFeatureUpdates](./policy-csp-update.md#update-engagedrestartdeadlineforfeatureupdates) -- [Update/EngagedRestartSnoozeSchedule](./policy-csp-update.md#update-engagedrestartsnoozeschedule) -- [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestartsnoozescheduleforfeatureupdates) -- [Update/EngagedRestartTransitionSchedule](./policy-csp-update.md#update-engagedrestarttransitionschedule) -- [Update/EngagedRestartTransitionScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestarttransitionscheduleforfeatureupdates) -- [Update/ExcludeWUDriversInQualityUpdate](./policy-csp-update.md#update-excludewudriversinqualityupdate) -- [Update/FillEmptyContentUrls](./policy-csp-update.md#update-fillemptycontenturls) -- [Update/ManagePreviewBuilds](./policy-csp-update.md#update-managepreviewbuilds) -- [Update/PauseDeferrals](./policy-csp-update.md#update-pausedeferrals) -- [Update/PauseFeatureUpdates](./policy-csp-update.md#update-pausefeatureupdates) -- [Update/PauseFeatureUpdatesStartTime](./policy-csp-update.md#update-pausefeatureupdatesstarttime) -- [Update/PauseQualityUpdates](./policy-csp-update.md#update-pausequalityupdates) -- [Update/PauseQualityUpdatesStartTime](./policy-csp-update.md#update-pausequalityupdatesstarttime) -- [Update/RequireDeferUpgrade](./policy-csp-update.md#update-requiredeferupgrade) -- [Update/ScheduleImminentRestartWarning](./policy-csp-update.md#update-scheduleimminentrestartwarning) -- [Update/ScheduleRestartWarning](./policy-csp-update.md#update-schedulerestartwarning) -- [Update/ScheduledInstallDay](./policy-csp-update.md#update-scheduledinstallday) -- [Update/ScheduledInstallEveryWeek](./policy-csp-update.md#update-scheduledinstalleveryweek) -- [Update/ScheduledInstallFirstWeek](./policy-csp-update.md#update-scheduledinstallfirstweek) -- [Update/ScheduledInstallFourthWeek](./policy-csp-update.md#update-scheduledinstallfourthweek) -- [Update/ScheduledInstallSecondWeek](./policy-csp-update.md#update-scheduledinstallsecondweek) -- [Update/ScheduledInstallThirdWeek](./policy-csp-update.md#update-scheduledinstallthirdweek) -- [Update/ScheduledInstallTime](./policy-csp-update.md#update-scheduledinstalltime) -- [Update/SetAutoRestartNotificationDisable](./policy-csp-update.md#update-setautorestartnotificationdisable) -- [Update/SetDisablePauseUXAccess](./policy-csp-update.md#update-setdisablepauseuxaccess) -- [Update/SetDisableUXWUAccess](./policy-csp-update.md#update-setdisableuxwuaccess) -- [Update/SetEDURestart](./policy-csp-update.md#update-setedurestart) -- [Update/UpdateNotificationLevel](./policy-csp-update.md#update-updatenotificationlevel) -- [Update/UpdateServiceUrl](./policy-csp-update.md#update-updateserviceurl) -- [Update/UpdateServiceUrlAlternate](./policy-csp-update.md#update-updateserviceurlalternate) -- [UserRights/AccessCredentialManagerAsTrustedCaller](./policy-csp-userrights.md#userrights-accesscredentialmanagerastrustedcaller) -- [UserRights/AccessFromNetwork](./policy-csp-userrights.md#userrights-accessfromnetwork) -- [UserRights/ActAsPartOfTheOperatingSystem](./policy-csp-userrights.md#userrights-actaspartoftheoperatingsystem) -- [UserRights/AllowLocalLogOn](./policy-csp-userrights.md#userrights-allowlocallogon) -- [UserRights/BackupFilesAndDirectories](./policy-csp-userrights.md#userrights-backupfilesanddirectories) -- [UserRights/ChangeSystemTime](./policy-csp-userrights.md#userrights-changesystemtime) -- [UserRights/CreateGlobalObjects](./policy-csp-userrights.md#userrights-createglobalobjects) -- [UserRights/CreatePageFile](./policy-csp-userrights.md#userrights-createpagefile) -- [UserRights/CreatePermanentSharedObjects](./policy-csp-userrights.md#userrights-createpermanentsharedobjects) -- [UserRights/CreateSymbolicLinks](./policy-csp-userrights.md#userrights-createsymboliclinks) -- [UserRights/CreateToken](./policy-csp-userrights.md#userrights-createtoken) -- [UserRights/DebugPrograms](./policy-csp-userrights.md#userrights-debugprograms) -- [UserRights/DenyAccessFromNetwork](./policy-csp-userrights.md#userrights-denyaccessfromnetwork) -- [UserRights/DenyLocalLogOn](./policy-csp-userrights.md#userrights-denylocallogon) -- [UserRights/DenyRemoteDesktopServicesLogOn](./policy-csp-userrights.md#userrights-denyremotedesktopserviceslogon) -- [UserRights/EnableDelegation](./policy-csp-userrights.md#userrights-enabledelegation) -- [UserRights/GenerateSecurityAudits](./policy-csp-userrights.md#userrights-generatesecurityaudits) -- [UserRights/ImpersonateClient](./policy-csp-userrights.md#userrights-impersonateclient) -- [UserRights/IncreaseSchedulingPriority](./policy-csp-userrights.md#userrights-increaseschedulingpriority) -- [UserRights/LoadUnloadDeviceDrivers](./policy-csp-userrights.md#userrights-loadunloaddevicedrivers) -- [UserRights/LockMemory](./policy-csp-userrights.md#userrights-lockmemory) -- [UserRights/ManageAuditingAndSecurityLog](./policy-csp-userrights.md#userrights-manageauditingandsecuritylog) -- [UserRights/ManageVolume](./policy-csp-userrights.md#userrights-managevolume) -- [UserRights/ModifyFirmwareEnvironment](./policy-csp-userrights.md#userrights-modifyfirmwareenvironment) -- [UserRights/ModifyObjectLabel](./policy-csp-userrights.md#userrights-modifyobjectlabel) -- [UserRights/ProfileSingleProcess](./policy-csp-userrights.md#userrights-profilesingleprocess) -- [UserRights/RemoteShutdown](./policy-csp-userrights.md#userrights-remoteshutdown) -- [UserRights/RestoreFilesAndDirectories](./policy-csp-userrights.md#userrights-restorefilesanddirectories) -- [UserRights/TakeOwnership](./policy-csp-userrights.md#userrights-takeownership) -- [Wifi/AllowAutoConnectToWiFiSenseHotspots](./policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots) -- [Wifi/AllowInternetSharing](./policy-csp-wifi.md#wifi-allowinternetsharing) -- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) -- [WindowsDefenderSecurityCenter/CompanyName](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-companyname) -- [WindowsDefenderSecurityCenter/DisableAccountProtectionUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableaccountprotectionui) -- [WindowsDefenderSecurityCenter/DisableAppBrowserUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableappbrowserui) -- [WindowsDefenderSecurityCenter/DisableClearTpmButton](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablecleartpmbutton) -- [WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabledevicesecurityui) -- [WindowsDefenderSecurityCenter/DisableEnhancedNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableenhancednotifications) -- [WindowsDefenderSecurityCenter/DisableFamilyUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablefamilyui) -- [WindowsDefenderSecurityCenter/DisableHealthUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablehealthui) -- [WindowsDefenderSecurityCenter/DisableNetworkUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenetworkui) -- [WindowsDefenderSecurityCenter/DisableNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenotifications) -- [WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabletpmfirmwareupdatewarning) -- [WindowsDefenderSecurityCenter/DisableVirusUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablevirusui) -- [WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disallowexploitprotectionoverride) -- [WindowsDefenderSecurityCenter/Email](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-email) -- [WindowsDefenderSecurityCenter/EnableCustomizedToasts](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enablecustomizedtoasts) -- [WindowsDefenderSecurityCenter/EnableInAppCustomization](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enableinappcustomization) -- [WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hideransomwaredatarecovery) -- [WindowsDefenderSecurityCenter/HideSecureBoot](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidesecureboot) -- [WindowsDefenderSecurityCenter/HideTPMTroubleshooting](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidetpmtroubleshooting) -- [WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidewindowssecuritynotificationareacontrol) -- [WindowsDefenderSecurityCenter/Phone](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-phone) -- [WindowsDefenderSecurityCenter/URL](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-url) -- [WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) -- [WindowsInkWorkspace/AllowWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowwindowsinkworkspace) -- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon) -- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon) -- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) -- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) -- [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation) -- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) -- [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching) -- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) -- [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc) -- [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing) +# Policies in Policy CSP supported by group policy -## Related topics +This article lists the policies in Policy CSP that have a group policy mapping. -[Policy CSP](policy-configuration-service-provider.md) \ No newline at end of file +## AboveLock + +- [AllowCortanaAboveLock](policy-csp-abovelock.md) + +## Accounts + +- [RestrictToEnterpriseDeviceAuthenticationOnly](policy-csp-accounts.md) + +## ApplicationDefaults + +- [DefaultAssociationsConfiguration](policy-csp-applicationdefaults.md) +- [EnableAppUriHandlers](policy-csp-applicationdefaults.md) + +## ApplicationManagement + +- [RequirePrivateStoreOnly](policy-csp-applicationmanagement.md) +- [MSIAlwaysInstallWithElevatedPrivileges](policy-csp-applicationmanagement.md) +- [AllowAllTrustedApps](policy-csp-applicationmanagement.md) +- [AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md) +- [AllowAutomaticAppArchiving](policy-csp-applicationmanagement.md) +- [AllowDeveloperUnlock](policy-csp-applicationmanagement.md) +- [AllowGameDVR](policy-csp-applicationmanagement.md) +- [AllowSharedUserAppData](policy-csp-applicationmanagement.md) +- [RequirePrivateStoreOnly](policy-csp-applicationmanagement.md) +- [MSIAlwaysInstallWithElevatedPrivileges](policy-csp-applicationmanagement.md) +- [MSIAllowUserControlOverInstall](policy-csp-applicationmanagement.md) +- [RestrictAppDataToSystemVolume](policy-csp-applicationmanagement.md) +- [RestrictAppToSystemVolume](policy-csp-applicationmanagement.md) +- [DisableStoreOriginatedApps](policy-csp-applicationmanagement.md) +- [BlockNonAdminUserInstall](policy-csp-applicationmanagement.md) + +## Audit + +- [AccountLogon_AuditCredentialValidation](policy-csp-audit.md) +- [AccountLogon_AuditKerberosAuthenticationService](policy-csp-audit.md) +- [AccountLogon_AuditKerberosServiceTicketOperations](policy-csp-audit.md) +- [AccountLogon_AuditOtherAccountLogonEvents](policy-csp-audit.md) +- [AccountManagement_AuditApplicationGroupManagement](policy-csp-audit.md) +- [AccountManagement_AuditComputerAccountManagement](policy-csp-audit.md) +- [AccountManagement_AuditDistributionGroupManagement](policy-csp-audit.md) +- [AccountManagement_AuditOtherAccountManagementEvents](policy-csp-audit.md) +- [AccountManagement_AuditSecurityGroupManagement](policy-csp-audit.md) +- [AccountManagement_AuditUserAccountManagement](policy-csp-audit.md) +- [DetailedTracking_AuditDPAPIActivity](policy-csp-audit.md) +- [DetailedTracking_AuditPNPActivity](policy-csp-audit.md) +- [DetailedTracking_AuditProcessCreation](policy-csp-audit.md) +- [DetailedTracking_AuditProcessTermination](policy-csp-audit.md) +- [DetailedTracking_AuditRPCEvents](policy-csp-audit.md) +- [DetailedTracking_AuditTokenRightAdjusted](policy-csp-audit.md) +- [DSAccess_AuditDetailedDirectoryServiceReplication](policy-csp-audit.md) +- [DSAccess_AuditDirectoryServiceAccess](policy-csp-audit.md) +- [DSAccess_AuditDirectoryServiceChanges](policy-csp-audit.md) +- [DSAccess_AuditDirectoryServiceReplication](policy-csp-audit.md) +- [AccountLogonLogoff_AuditAccountLockout](policy-csp-audit.md) +- [AccountLogonLogoff_AuditUserDeviceClaims](policy-csp-audit.md) +- [AccountLogonLogoff_AuditGroupMembership](policy-csp-audit.md) +- [AccountLogonLogoff_AuditIPsecExtendedMode](policy-csp-audit.md) +- [AccountLogonLogoff_AuditIPsecMainMode](policy-csp-audit.md) +- [AccountLogonLogoff_AuditIPsecQuickMode](policy-csp-audit.md) +- [AccountLogonLogoff_AuditLogoff](policy-csp-audit.md) +- [AccountLogonLogoff_AuditLogon](policy-csp-audit.md) +- [AccountLogonLogoff_AuditNetworkPolicyServer](policy-csp-audit.md) +- [AccountLogonLogoff_AuditOtherLogonLogoffEvents](policy-csp-audit.md) +- [AccountLogonLogoff_AuditSpecialLogon](policy-csp-audit.md) +- [ObjectAccess_AuditApplicationGenerated](policy-csp-audit.md) +- [ObjectAccess_AuditCertificationServices](policy-csp-audit.md) +- [ObjectAccess_AuditDetailedFileShare](policy-csp-audit.md) +- [ObjectAccess_AuditFileShare](policy-csp-audit.md) +- [ObjectAccess_AuditFileSystem](policy-csp-audit.md) +- [ObjectAccess_AuditFilteringPlatformConnection](policy-csp-audit.md) +- [ObjectAccess_AuditFilteringPlatformPacketDrop](policy-csp-audit.md) +- [ObjectAccess_AuditHandleManipulation](policy-csp-audit.md) +- [ObjectAccess_AuditKernelObject](policy-csp-audit.md) +- [ObjectAccess_AuditOtherObjectAccessEvents](policy-csp-audit.md) +- [ObjectAccess_AuditRegistry](policy-csp-audit.md) +- [ObjectAccess_AuditRemovableStorage](policy-csp-audit.md) +- [ObjectAccess_AuditSAM](policy-csp-audit.md) +- [ObjectAccess_AuditCentralAccessPolicyStaging](policy-csp-audit.md) +- [PolicyChange_AuditPolicyChange](policy-csp-audit.md) +- [PolicyChange_AuditAuthenticationPolicyChange](policy-csp-audit.md) +- [PolicyChange_AuditAuthorizationPolicyChange](policy-csp-audit.md) +- [PolicyChange_AuditFilteringPlatformPolicyChange](policy-csp-audit.md) +- [PolicyChange_AuditMPSSVCRuleLevelPolicyChange](policy-csp-audit.md) +- [PolicyChange_AuditOtherPolicyChangeEvents](policy-csp-audit.md) +- [PrivilegeUse_AuditNonSensitivePrivilegeUse](policy-csp-audit.md) +- [PrivilegeUse_AuditOtherPrivilegeUseEvents](policy-csp-audit.md) +- [PrivilegeUse_AuditSensitivePrivilegeUse](policy-csp-audit.md) +- [System_AuditIPsecDriver](policy-csp-audit.md) +- [System_AuditOtherSystemEvents](policy-csp-audit.md) +- [System_AuditSecurityStateChange](policy-csp-audit.md) +- [System_AuditSecuritySystemExtension](policy-csp-audit.md) +- [System_AuditSystemIntegrity](policy-csp-audit.md) + +## Authentication + +- [AllowSecondaryAuthenticationDevice](policy-csp-authentication.md) + +## BITS + +- [JobInactivityTimeout](policy-csp-bits.md) +- [BandwidthThrottlingStartTime](policy-csp-bits.md) +- [BandwidthThrottlingEndTime](policy-csp-bits.md) +- [BandwidthThrottlingTransferRate](policy-csp-bits.md) +- [CostedNetworkBehaviorForegroundPriority](policy-csp-bits.md) +- [CostedNetworkBehaviorBackgroundPriority](policy-csp-bits.md) + +## Browser + +- [AllowAddressBarDropdown](policy-csp-browser.md) +- [AllowAutofill](policy-csp-browser.md) +- [AllowCookies](policy-csp-browser.md) +- [AllowDeveloperTools](policy-csp-browser.md) +- [AllowDoNotTrack](policy-csp-browser.md) +- [AllowExtensions](policy-csp-browser.md) +- [AllowFlash](policy-csp-browser.md) +- [AllowFlashClickToRun](policy-csp-browser.md) +- [AllowFullScreenMode](policy-csp-browser.md) +- [AllowInPrivate](policy-csp-browser.md) +- [AllowMicrosoftCompatibilityList](policy-csp-browser.md) +- [ConfigureTelemetryForMicrosoft365Analytics](policy-csp-browser.md) +- [AllowPasswordManager](policy-csp-browser.md) +- [AllowPopups](policy-csp-browser.md) +- [AllowPrinting](policy-csp-browser.md) +- [AllowSavingHistory](policy-csp-browser.md) +- [AllowSearchEngineCustomization](policy-csp-browser.md) +- [AllowSearchSuggestionsinAddressBar](policy-csp-browser.md) +- [AllowSideloadingOfExtensions](policy-csp-browser.md) +- [AllowSmartScreen](policy-csp-browser.md) +- [AllowWebContentOnNewTabPage](policy-csp-browser.md) +- [AlwaysEnableBooksLibrary](policy-csp-browser.md) +- [ClearBrowsingDataOnExit](policy-csp-browser.md) +- [ConfigureAdditionalSearchEngines](policy-csp-browser.md) +- [ConfigureFavoritesBar](policy-csp-browser.md) +- [ConfigureHomeButton](policy-csp-browser.md) +- [ConfigureOpenMicrosoftEdgeWith](policy-csp-browser.md) +- [DisableLockdownOfStartPages](policy-csp-browser.md) +- [EnableExtendedBooksTelemetry](policy-csp-browser.md) +- [AllowTabPreloading](policy-csp-browser.md) +- [AllowPrelaunch](policy-csp-browser.md) +- [EnterpriseModeSiteList](policy-csp-browser.md) +- [PreventTurningOffRequiredExtensions](policy-csp-browser.md) +- [HomePages](policy-csp-browser.md) +- [LockdownFavorites](policy-csp-browser.md) +- [ConfigureKioskMode](policy-csp-browser.md) +- [ConfigureKioskResetAfterIdleTimeout](policy-csp-browser.md) +- [PreventAccessToAboutFlagsInMicrosoftEdge](policy-csp-browser.md) +- [PreventFirstRunPage](policy-csp-browser.md) +- [PreventCertErrorOverrides](policy-csp-browser.md) +- [PreventSmartScreenPromptOverride](policy-csp-browser.md) +- [PreventSmartScreenPromptOverrideForFiles](policy-csp-browser.md) +- [PreventLiveTileDataCollection](policy-csp-browser.md) +- [PreventUsingLocalHostIPAddressForWebRTC](policy-csp-browser.md) +- [ProvisionFavorites](policy-csp-browser.md) +- [SendIntranetTraffictoInternetExplorer](policy-csp-browser.md) +- [SetDefaultSearchEngine](policy-csp-browser.md) +- [SetHomeButtonURL](policy-csp-browser.md) +- [SetNewTabPageURL](policy-csp-browser.md) +- [ShowMessageWhenOpeningSitesInInternetExplorer](policy-csp-browser.md) +- [SyncFavoritesBetweenIEAndMicrosoftEdge](policy-csp-browser.md) +- [UnlockHomeButton](policy-csp-browser.md) +- [UseSharedFolderForBooks](policy-csp-browser.md) +- [AllowAddressBarDropdown](policy-csp-browser.md) +- [AllowAutofill](policy-csp-browser.md) +- [AllowCookies](policy-csp-browser.md) +- [AllowDeveloperTools](policy-csp-browser.md) +- [AllowDoNotTrack](policy-csp-browser.md) +- [AllowExtensions](policy-csp-browser.md) +- [AllowFlash](policy-csp-browser.md) +- [AllowFlashClickToRun](policy-csp-browser.md) +- [AllowFullScreenMode](policy-csp-browser.md) +- [AllowInPrivate](policy-csp-browser.md) +- [AllowMicrosoftCompatibilityList](policy-csp-browser.md) +- [ConfigureTelemetryForMicrosoft365Analytics](policy-csp-browser.md) +- [AllowPasswordManager](policy-csp-browser.md) +- [AllowPopups](policy-csp-browser.md) +- [AllowPrinting](policy-csp-browser.md) +- [AllowSavingHistory](policy-csp-browser.md) +- [AllowSearchEngineCustomization](policy-csp-browser.md) +- [AllowSearchSuggestionsinAddressBar](policy-csp-browser.md) +- [AllowSideloadingOfExtensions](policy-csp-browser.md) +- [AllowSmartScreen](policy-csp-browser.md) +- [AllowWebContentOnNewTabPage](policy-csp-browser.md) +- [AlwaysEnableBooksLibrary](policy-csp-browser.md) +- [ClearBrowsingDataOnExit](policy-csp-browser.md) +- [ConfigureAdditionalSearchEngines](policy-csp-browser.md) +- [ConfigureFavoritesBar](policy-csp-browser.md) +- [ConfigureHomeButton](policy-csp-browser.md) +- [ConfigureOpenMicrosoftEdgeWith](policy-csp-browser.md) +- [DisableLockdownOfStartPages](policy-csp-browser.md) +- [EnableExtendedBooksTelemetry](policy-csp-browser.md) +- [AllowTabPreloading](policy-csp-browser.md) +- [AllowPrelaunch](policy-csp-browser.md) +- [EnterpriseModeSiteList](policy-csp-browser.md) +- [PreventTurningOffRequiredExtensions](policy-csp-browser.md) +- [HomePages](policy-csp-browser.md) +- [LockdownFavorites](policy-csp-browser.md) +- [ConfigureKioskMode](policy-csp-browser.md) +- [ConfigureKioskResetAfterIdleTimeout](policy-csp-browser.md) +- [PreventAccessToAboutFlagsInMicrosoftEdge](policy-csp-browser.md) +- [PreventFirstRunPage](policy-csp-browser.md) +- [PreventCertErrorOverrides](policy-csp-browser.md) +- [PreventSmartScreenPromptOverride](policy-csp-browser.md) +- [PreventSmartScreenPromptOverrideForFiles](policy-csp-browser.md) +- [PreventLiveTileDataCollection](policy-csp-browser.md) +- [PreventUsingLocalHostIPAddressForWebRTC](policy-csp-browser.md) +- [ProvisionFavorites](policy-csp-browser.md) +- [SendIntranetTraffictoInternetExplorer](policy-csp-browser.md) +- [SetDefaultSearchEngine](policy-csp-browser.md) +- [SetHomeButtonURL](policy-csp-browser.md) +- [SetNewTabPageURL](policy-csp-browser.md) +- [ShowMessageWhenOpeningSitesInInternetExplorer](policy-csp-browser.md) +- [SyncFavoritesBetweenIEAndMicrosoftEdge](policy-csp-browser.md) +- [UnlockHomeButton](policy-csp-browser.md) +- [UseSharedFolderForBooks](policy-csp-browser.md) + +## Camera + +- [AllowCamera](policy-csp-camera.md) + +## Cellular + +- [LetAppsAccessCellularData](policy-csp-cellular.md) +- [LetAppsAccessCellularData_ForceAllowTheseApps](policy-csp-cellular.md) +- [LetAppsAccessCellularData_ForceDenyTheseApps](policy-csp-cellular.md) +- [LetAppsAccessCellularData_UserInControlOfTheseApps](policy-csp-cellular.md) + +## Connectivity + +- [AllowCellularDataRoaming](policy-csp-connectivity.md) +- [AllowPhonePCLinking](policy-csp-connectivity.md) +- [DisallowNetworkConnectivityActiveTests](policy-csp-connectivity.md) + +## Cryptography + +- [AllowFipsAlgorithmPolicy](policy-csp-cryptography.md) + +## Defender + +- [AllowArchiveScanning](policy-csp-defender.md) +- [AllowBehaviorMonitoring](policy-csp-defender.md) +- [AllowCloudProtection](policy-csp-defender.md) +- [AllowEmailScanning](policy-csp-defender.md) +- [AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md) +- [AllowFullScanRemovableDriveScanning](policy-csp-defender.md) +- [AllowIOAVProtection](policy-csp-defender.md) +- [AllowOnAccessProtection](policy-csp-defender.md) +- [AllowRealtimeMonitoring](policy-csp-defender.md) +- [AllowScanningNetworkFiles](policy-csp-defender.md) +- [AllowUserUIAccess](policy-csp-defender.md) +- [AttackSurfaceReductionOnlyExclusions](policy-csp-defender.md) +- [AttackSurfaceReductionRules](policy-csp-defender.md) +- [AvgCPULoadFactor](policy-csp-defender.md) +- [CloudBlockLevel](policy-csp-defender.md) +- [CloudExtendedTimeout](policy-csp-defender.md) +- [ControlledFolderAccessAllowedApplications](policy-csp-defender.md) +- [CheckForSignaturesBeforeRunningScan](policy-csp-defender.md) +- [SecurityIntelligenceLocation](policy-csp-defender.md) +- [ControlledFolderAccessProtectedFolders](policy-csp-defender.md) +- [DaysToRetainCleanedMalware](policy-csp-defender.md) +- [DisableCatchupFullScan](policy-csp-defender.md) +- [DisableCatchupQuickScan](policy-csp-defender.md) +- [EnableControlledFolderAccess](policy-csp-defender.md) +- [EnableLowCPUPriority](policy-csp-defender.md) +- [EnableNetworkProtection](policy-csp-defender.md) +- [ExcludedPaths](policy-csp-defender.md) +- [ExcludedExtensions](policy-csp-defender.md) +- [ExcludedProcesses](policy-csp-defender.md) +- [PUAProtection](policy-csp-defender.md) +- [RealTimeScanDirection](policy-csp-defender.md) +- [ScanParameter](policy-csp-defender.md) +- [ScheduleQuickScanTime](policy-csp-defender.md) +- [ScheduleScanDay](policy-csp-defender.md) +- [ScheduleScanTime](policy-csp-defender.md) +- [SignatureUpdateFallbackOrder](policy-csp-defender.md) +- [SignatureUpdateFileSharesSources](policy-csp-defender.md) +- [SignatureUpdateInterval](policy-csp-defender.md) +- [SubmitSamplesConsent](policy-csp-defender.md) +- [ThreatSeverityDefaultAction](policy-csp-defender.md) + +## DeliveryOptimization + +- [DODownloadMode](policy-csp-deliveryoptimization.md) +- [DOGroupId](policy-csp-deliveryoptimization.md) +- [DOMaxCacheSize](policy-csp-deliveryoptimization.md) +- [DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md) +- [DOMaxCacheAge](policy-csp-deliveryoptimization.md) +- [DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md) +- [DOMinBackgroundQos](policy-csp-deliveryoptimization.md) +- [DOModifyCacheDrive](policy-csp-deliveryoptimization.md) +- [DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md) +- [DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md) +- [DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md) +- [DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md) +- [DOMinFileSizeToCache](policy-csp-deliveryoptimization.md) +- [DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md) +- [DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md) +- [DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md) +- [DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md) +- [DOCacheHost](policy-csp-deliveryoptimization.md) +- [DOCacheHostSource](policy-csp-deliveryoptimization.md) +- [DOGroupIdSource](policy-csp-deliveryoptimization.md) +- [DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md) +- [DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md) +- [DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md) +- [DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md) +- [DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md) + +## DeviceGuard + +- [EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md) +- [RequirePlatformSecurityFeatures](policy-csp-deviceguard.md) +- [LsaCfgFlags](policy-csp-deviceguard.md) +- [ConfigureSystemGuardLaunch](policy-csp-deviceguard.md) + +## DeviceLock + +- [MinimumPasswordAge](policy-csp-devicelock.md) +- [MaximumPasswordAge](policy-csp-devicelock.md) +- [ClearTextPassword](policy-csp-devicelock.md) +- [PasswordComplexity](policy-csp-devicelock.md) +- [PasswordHistorySize](policy-csp-devicelock.md) + +## Display + +- [EnablePerProcessDpi](policy-csp-display.md) +- [TurnOnGdiDPIScalingForApps](policy-csp-display.md) +- [TurnOffGdiDPIScalingForApps](policy-csp-display.md) +- [EnablePerProcessDpi](policy-csp-display.md) +- [EnablePerProcessDpiForApps](policy-csp-display.md) +- [DisablePerProcessDpiForApps](policy-csp-display.md) + +## DmaGuard + +- [DeviceEnumerationPolicy](policy-csp-dmaguard.md) + +## Education + +- [AllowGraphingCalculator](policy-csp-education.md) +- [PreventAddingNewPrinters](policy-csp-education.md) + +## Experience + +- [AllowSpotlightCollection](policy-csp-experience.md) +- [AllowThirdPartySuggestionsInWindowsSpotlight](policy-csp-experience.md) +- [AllowWindowsSpotlight](policy-csp-experience.md) +- [AllowWindowsSpotlightOnActionCenter](policy-csp-experience.md) +- [AllowWindowsSpotlightOnSettings](policy-csp-experience.md) +- [AllowWindowsSpotlightWindowsWelcomeExperience](policy-csp-experience.md) +- [AllowTailoredExperiencesWithDiagnosticData](policy-csp-experience.md) +- [ConfigureWindowsSpotlightOnLockScreen](policy-csp-experience.md) +- [AllowCortana](policy-csp-experience.md) +- [AllowWindowsConsumerFeatures](policy-csp-experience.md) +- [AllowWindowsTips](policy-csp-experience.md) +- [DoNotShowFeedbackNotifications](policy-csp-experience.md) +- [AllowFindMyDevice](policy-csp-experience.md) +- [AllowClipboardHistory](policy-csp-experience.md) +- [DoNotSyncBrowserSettings](policy-csp-experience.md) +- [PreventUsersFromTurningOnBrowserSyncing](policy-csp-experience.md) +- [ShowLockOnUserTile](policy-csp-experience.md) +- [DisableCloudOptimizedContent](policy-csp-experience.md) +- [DisableConsumerAccountStateContent](policy-csp-experience.md) +- [ConfigureChatIcon](policy-csp-experience.md) + +## ExploitGuard + +- [ExploitProtectionSettings](policy-csp-exploitguard.md) + +## FileExplorer + +- [DisableGraphRecentItems](policy-csp-fileexplorer.md) + +## Handwriting + +- [PanelDefaultModeDocked](policy-csp-handwriting.md) + +## HumanPresence + +- [ForceInstantWake](policy-csp-humanpresence.md) +- [ForceInstantLock](policy-csp-humanpresence.md) +- [ForceLockTimeout](policy-csp-humanpresence.md) +- [ForceInstantDim](policy-csp-humanpresence.md) + +## Kerberos + +- [PKInitHashAlgorithmConfiguration](policy-csp-kerberos.md) +- [PKInitHashAlgorithmSHA1](policy-csp-kerberos.md) +- [PKInitHashAlgorithmSHA256](policy-csp-kerberos.md) +- [PKInitHashAlgorithmSHA384](policy-csp-kerberos.md) +- [PKInitHashAlgorithmSHA512](policy-csp-kerberos.md) +- [CloudKerberosTicketRetrievalEnabled](policy-csp-kerberos.md) + +## LanmanWorkstation + +- [EnableInsecureGuestLogons](policy-csp-lanmanworkstation.md) + +## Licensing + +- [AllowWindowsEntitlementReactivation](policy-csp-licensing.md) +- [DisallowKMSClientOnlineAVSValidation](policy-csp-licensing.md) + +## LocalPoliciesSecurityOptions + +- [Accounts_EnableAdministratorAccountStatus](policy-csp-localpoliciessecurityoptions.md) +- [Accounts_BlockMicrosoftAccounts](policy-csp-localpoliciessecurityoptions.md) +- [Accounts_EnableGuestAccountStatus](policy-csp-localpoliciessecurityoptions.md) +- [Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](policy-csp-localpoliciessecurityoptions.md) +- [Accounts_RenameAdministratorAccount](policy-csp-localpoliciessecurityoptions.md) +- [Accounts_RenameGuestAccount](policy-csp-localpoliciessecurityoptions.md) +- [Devices_AllowUndockWithoutHavingToLogon](policy-csp-localpoliciessecurityoptions.md) +- [Devices_AllowedToFormatAndEjectRemovableMedia](policy-csp-localpoliciessecurityoptions.md) +- [Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](policy-csp-localpoliciessecurityoptions.md) +- [Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_DoNotRequireCTRLALTDEL](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_DoNotDisplayLastSignedIn](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_DoNotDisplayUsernameAtSignIn](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_MachineInactivityLimit](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_MessageTextForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_SmartCardRemovalBehavior](policy-csp-localpoliciessecurityoptions.md) +- [MicrosoftNetworkClient_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md) +- [MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](policy-csp-localpoliciessecurityoptions.md) +- [MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](policy-csp-localpoliciessecurityoptions.md) +- [MicrosoftNetworkServer_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md) +- [MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](policy-csp-localpoliciessecurityoptions.md) +- [NetworkAccess_AllowAnonymousSIDOrNameTranslation](policy-csp-localpoliciessecurityoptions.md) +- [NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](policy-csp-localpoliciessecurityoptions.md) +- [NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](policy-csp-localpoliciessecurityoptions.md) +- [NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](policy-csp-localpoliciessecurityoptions.md) +- [NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_AllowPKU2UAuthenticationRequests](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_ForceLogoffWhenLogonHoursExpire](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_LANManagerAuthenticationLevel](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](policy-csp-localpoliciessecurityoptions.md) +- [Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](policy-csp-localpoliciessecurityoptions.md) +- [Shutdown_ClearVirtualMemoryPageFile](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_UseAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_RunAllAdministratorsInAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](policy-csp-localpoliciessecurityoptions.md) + +## LocalSecurityAuthority + +- [ConfigureLsaProtectedProcess](policy-csp-lsa.md) + +## LockDown + +- [AllowEdgeSwipe](policy-csp-lockdown.md) + +## Maps + +- [EnableOfflineMapsAutoUpdate](policy-csp-maps.md) + +## Messaging + +- [AllowMessageSync](policy-csp-messaging.md) + +## Multitasking + +- [BrowserAltTabBlowout](policy-csp-multitasking.md) + +## NetworkIsolation + +- [EnterpriseCloudResources](policy-csp-networkisolation.md) +- [EnterpriseInternalProxyServers](policy-csp-networkisolation.md) +- [EnterpriseIPRange](policy-csp-networkisolation.md) +- [EnterpriseIPRangesAreAuthoritative](policy-csp-networkisolation.md) +- [EnterpriseProxyServers](policy-csp-networkisolation.md) +- [EnterpriseProxyServersAreAuthoritative](policy-csp-networkisolation.md) +- [NeutralResources](policy-csp-networkisolation.md) + +## NewsAndInterests + +- [AllowNewsAndInterests](policy-csp-newsandinterests.md) + +## Notifications + +- [DisallowNotificationMirroring](policy-csp-notifications.md) +- [DisallowTileNotification](policy-csp-notifications.md) +- [DisallowCloudNotification](policy-csp-notifications.md) +- [WnsEndpoint](policy-csp-notifications.md) + +## Power + +- [EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md) +- [EnergySaverBatteryThresholdOnBattery](policy-csp-power.md) +- [SelectPowerButtonActionPluggedIn](policy-csp-power.md) +- [SelectPowerButtonActionOnBattery](policy-csp-power.md) +- [SelectSleepButtonActionPluggedIn](policy-csp-power.md) +- [SelectSleepButtonActionOnBattery](policy-csp-power.md) +- [SelectLidCloseActionPluggedIn](policy-csp-power.md) +- [SelectLidCloseActionOnBattery](policy-csp-power.md) +- [TurnOffHybridSleepPluggedIn](policy-csp-power.md) +- [TurnOffHybridSleepOnBattery](policy-csp-power.md) +- [UnattendedSleepTimeoutPluggedIn](policy-csp-power.md) +- [UnattendedSleepTimeoutOnBattery](policy-csp-power.md) + +## Privacy + +- [DisablePrivacyExperience](policy-csp-privacy.md) +- [DisableAdvertisingId](policy-csp-privacy.md) +- [LetAppsGetDiagnosticInfo](policy-csp-privacy.md) +- [LetAppsGetDiagnosticInfo_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsGetDiagnosticInfo_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsRunInBackground](policy-csp-privacy.md) +- [LetAppsRunInBackground_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsRunInBackground_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsRunInBackground_UserInControlOfTheseApps](policy-csp-privacy.md) +- [AllowInputPersonalization](policy-csp-privacy.md) +- [LetAppsAccessAccountInfo](policy-csp-privacy.md) +- [LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCalendar](policy-csp-privacy.md) +- [LetAppsAccessCalendar_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCalendar_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCalendar_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCallHistory](policy-csp-privacy.md) +- [LetAppsAccessCallHistory_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCallHistory_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCallHistory_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCamera](policy-csp-privacy.md) +- [LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessContacts](policy-csp-privacy.md) +- [LetAppsAccessContacts_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessContacts_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessContacts_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessEmail](policy-csp-privacy.md) +- [LetAppsAccessEmail_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessEmail_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessEmail_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureProgrammatic](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureProgrammatic_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureProgrammatic_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureProgrammatic_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureWithoutBorder](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureWithoutBorder_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureWithoutBorder_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureWithoutBorder_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessLocation](policy-csp-privacy.md) +- [LetAppsAccessLocation_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessLocation_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessLocation_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMessaging](policy-csp-privacy.md) +- [LetAppsAccessMessaging_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMessaging_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMessaging_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMicrophone](policy-csp-privacy.md) +- [LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMotion](policy-csp-privacy.md) +- [LetAppsAccessMotion_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMotion_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMotion_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessNotifications](policy-csp-privacy.md) +- [LetAppsAccessNotifications_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessNotifications_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessNotifications_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessPhone](policy-csp-privacy.md) +- [LetAppsAccessPhone_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessPhone_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessPhone_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessRadios](policy-csp-privacy.md) +- [LetAppsAccessRadios_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessRadios_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessRadios_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessTasks](policy-csp-privacy.md) +- [LetAppsAccessTasks_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessTasks_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessTasks_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessTrustedDevices](policy-csp-privacy.md) +- [LetAppsAccessTrustedDevices_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessTrustedDevices_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessTrustedDevices_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsSyncWithDevices](policy-csp-privacy.md) +- [LetAppsSyncWithDevices_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsSyncWithDevices_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsSyncWithDevices_UserInControlOfTheseApps](policy-csp-privacy.md) +- [EnableActivityFeed](policy-csp-privacy.md) +- [PublishUserActivities](policy-csp-privacy.md) +- [UploadUserActivities](policy-csp-privacy.md) +- [AllowCrossDeviceClipboard](policy-csp-privacy.md) +- [DisablePrivacyExperience](policy-csp-privacy.md) +- [LetAppsActivateWithVoice](policy-csp-privacy.md) +- [LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md) + +## RemoteDesktop + +- [AutoSubscription](policy-csp-remotedesktop.md) + +## Search + +- [AllowIndexingEncryptedStoresOrItems](policy-csp-search.md) +- [AllowSearchToUseLocation](policy-csp-search.md) +- [AllowUsingDiacritics](policy-csp-search.md) +- [AlwaysUseAutoLangDetection](policy-csp-search.md) +- [DisableBackoff](policy-csp-search.md) +- [DisableRemovableDriveIndexing](policy-csp-search.md) +- [DisableSearch](policy-csp-search.md) +- [PreventIndexingLowDiskSpaceMB](policy-csp-search.md) +- [PreventRemoteQueries](policy-csp-search.md) +- [AllowCloudSearch](policy-csp-search.md) +- [DoNotUseWebResults](policy-csp-search.md) +- [AllowCortanaInAAD](policy-csp-search.md) +- [AllowFindMyFiles](policy-csp-search.md) +- [AllowSearchHighlights](policy-csp-search.md) + +## Security + +- [ClearTPMIfNotReady](policy-csp-security.md) + +## Settings + +- [ConfigureTaskbarCalendar](policy-csp-settings.md) +- [PageVisibilityList](policy-csp-settings.md) +- [PageVisibilityList](policy-csp-settings.md) +- [AllowOnlineTips](policy-csp-settings.md) + +## SmartScreen + +- [EnableSmartScreenInShell](policy-csp-smartscreen.md) +- [PreventOverrideForFilesInShell](policy-csp-smartscreen.md) +- [EnableAppInstallControl](policy-csp-smartscreen.md) + +## Speech + +- [AllowSpeechModelUpdate](policy-csp-speech.md) + +## Start + +- [ForceStartSize](policy-csp-start.md) +- [DisableContextMenus](policy-csp-start.md) +- [ShowOrHideMostUsedApps](policy-csp-start.md) +- [HideFrequentlyUsedApps](policy-csp-start.md) +- [HideRecentlyAddedApps](policy-csp-start.md) +- [HidePeopleBar](policy-csp-start.md) +- [StartLayout](policy-csp-start.md) +- [ConfigureStartPins](policy-csp-start.md) +- [HideRecommendedSection](policy-csp-start.md) +- [HideTaskViewButton](policy-csp-start.md) +- [DisableControlCenter](policy-csp-start.md) +- [ForceStartSize](policy-csp-start.md) +- [DisableContextMenus](policy-csp-start.md) +- [ShowOrHideMostUsedApps](policy-csp-start.md) +- [HideFrequentlyUsedApps](policy-csp-start.md) +- [HideRecentlyAddedApps](policy-csp-start.md) +- [StartLayout](policy-csp-start.md) +- [ConfigureStartPins](policy-csp-start.md) +- [HideRecommendedSection](policy-csp-start.md) +- [SimplifyQuickSettings](policy-csp-start.md) +- [DisableEditingQuickSettings](policy-csp-start.md) +- [HideTaskViewButton](policy-csp-start.md) + +## Storage + +- [AllowDiskHealthModelUpdates](policy-csp-storage.md) +- [RemovableDiskDenyWriteAccess](policy-csp-storage.md) +- [AllowStorageSenseGlobal](policy-csp-storage.md) +- [ConfigStorageSenseGlobalCadence](policy-csp-storage.md) +- [AllowStorageSenseTemporaryFilesCleanup](policy-csp-storage.md) +- [ConfigStorageSenseRecycleBinCleanupThreshold](policy-csp-storage.md) +- [ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md) +- [ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md) + +## System + +- [AllowTelemetry](policy-csp-system.md) +- [AllowBuildPreview](policy-csp-system.md) +- [AllowFontProviders](policy-csp-system.md) +- [AllowLocation](policy-csp-system.md) +- [AllowTelemetry](policy-csp-system.md) +- [TelemetryProxy](policy-csp-system.md) +- [DisableOneDriveFileSync](policy-csp-system.md) +- [AllowWUfBCloudProcessing](policy-csp-system.md) +- [AllowUpdateComplianceProcessing](policy-csp-system.md) +- [AllowDesktopAnalyticsProcessing](policy-csp-system.md) +- [DisableEnterpriseAuthProxy](policy-csp-system.md) +- [LimitEnhancedDiagnosticDataWindowsAnalytics](policy-csp-system.md) +- [AllowDeviceNameInDiagnosticData](policy-csp-system.md) +- [ConfigureTelemetryOptInSettingsUx](policy-csp-system.md) +- [ConfigureTelemetryOptInChangeNotification](policy-csp-system.md) +- [DisableDeviceDelete](policy-csp-system.md) +- [DisableDiagnosticDataViewer](policy-csp-system.md) +- [ConfigureMicrosoft365UploadEndpoint](policy-csp-system.md) +- [TurnOffFileHistory](policy-csp-system.md) +- [DisableDirectXDatabaseUpdate](policy-csp-system.md) +- [AllowCommercialDataPipeline](policy-csp-system.md) +- [LimitDiagnosticLogCollection](policy-csp-system.md) +- [LimitDumpCollection](policy-csp-system.md) +- [EnableOneSettingsAuditing](policy-csp-system.md) +- [DisableOneSettingsDownloads](policy-csp-system.md) +- [HideUnsupportedHardwareNotifications](policy-csp-system.md) + +## SystemServices + +- [ConfigureHomeGroupListenerServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureHomeGroupProviderServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureXboxAccessoryManagementServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureXboxLiveAuthManagerServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureXboxLiveGameSaveServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureXboxLiveNetworkingServiceStartupMode](policy-csp-systemservices.md) + +## TextInput + +- [AllowLanguageFeaturesUninstall](policy-csp-textinput.md) +- [AllowLinguisticDataCollection](policy-csp-textinput.md) +- [ConfigureSimplifiedChineseIMEVersion](policy-csp-textinput.md) +- [ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md) +- [ConfigureJapaneseIMEVersion](policy-csp-textinput.md) +- [ConfigureKoreanIMEVersion](policy-csp-textinput.md) + +## TimeLanguageSettings + +- [RestrictLanguagePacksAndFeaturesInstall](policy-csp-timelanguagesettings.md) +- [BlockCleanupOfUnusedPreinstalledLangPacks](policy-csp-timelanguagesettings.md) +- [MachineUILanguageOverwrite](policy-csp-timelanguagesettings.md) +- [RestrictLanguagePacksAndFeaturesInstall](policy-csp-timelanguagesettings.md) + +## Troubleshooting + +- [AllowRecommendations](policy-csp-troubleshooting.md) + +## Update + +- [ActiveHoursEnd](policy-csp-update.md) +- [ActiveHoursStart](policy-csp-update.md) +- [ActiveHoursMaxRange](policy-csp-update.md) +- [AutoRestartRequiredNotificationDismissal](policy-csp-update.md) +- [AutoRestartNotificationSchedule](policy-csp-update.md) +- [SetAutoRestartNotificationDisable](policy-csp-update.md) +- [ScheduleRestartWarning](policy-csp-update.md) +- [ScheduleImminentRestartWarning](policy-csp-update.md) +- [AllowAutoUpdate](policy-csp-update.md) +- [AutoRestartDeadlinePeriodInDays](policy-csp-update.md) +- [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](policy-csp-update.md) +- [EngagedRestartTransitionSchedule](policy-csp-update.md) +- [EngagedRestartSnoozeSchedule](policy-csp-update.md) +- [EngagedRestartDeadline](policy-csp-update.md) +- [EngagedRestartTransitionScheduleForFeatureUpdates](policy-csp-update.md) +- [EngagedRestartSnoozeScheduleForFeatureUpdates](policy-csp-update.md) +- [EngagedRestartDeadlineForFeatureUpdates](policy-csp-update.md) +- [DetectionFrequency](policy-csp-update.md) +- [ManagePreviewBuilds](policy-csp-update.md) +- [BranchReadinessLevel](policy-csp-update.md) +- [ProductVersion](policy-csp-update.md) +- [TargetReleaseVersion](policy-csp-update.md) +- [AllowUpdateService](policy-csp-update.md) +- [DeferFeatureUpdatesPeriodInDays](policy-csp-update.md) +- [DeferQualityUpdatesPeriodInDays](policy-csp-update.md) +- [DeferUpdatePeriod](policy-csp-update.md) +- [DeferUpgradePeriod](policy-csp-update.md) +- [ExcludeWUDriversInQualityUpdate](policy-csp-update.md) +- [PauseDeferrals](policy-csp-update.md) +- [PauseFeatureUpdates](policy-csp-update.md) +- [PauseQualityUpdates](policy-csp-update.md) +- [PauseFeatureUpdatesStartTime](policy-csp-update.md) +- [PauseQualityUpdatesStartTime](policy-csp-update.md) +- [RequireDeferUpgrade](policy-csp-update.md) +- [AllowMUUpdateService](policy-csp-update.md) +- [ScheduledInstallDay](policy-csp-update.md) +- [ScheduledInstallTime](policy-csp-update.md) +- [ScheduledInstallEveryWeek](policy-csp-update.md) +- [ScheduledInstallFirstWeek](policy-csp-update.md) +- [ScheduledInstallSecondWeek](policy-csp-update.md) +- [ScheduledInstallThirdWeek](policy-csp-update.md) +- [ScheduledInstallFourthWeek](policy-csp-update.md) +- [UpdateServiceUrl](policy-csp-update.md) +- [UpdateServiceUrlAlternate](policy-csp-update.md) +- [FillEmptyContentUrls](policy-csp-update.md) +- [SetProxyBehaviorForUpdateDetection](policy-csp-update.md) +- [DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection](policy-csp-update.md) +- [SetPolicyDrivenUpdateSourceForFeatureUpdates](policy-csp-update.md) +- [SetPolicyDrivenUpdateSourceForQualityUpdates](policy-csp-update.md) +- [SetPolicyDrivenUpdateSourceForDriverUpdates](policy-csp-update.md) +- [SetPolicyDrivenUpdateSourceForOtherUpdates](policy-csp-update.md) +- [SetEDURestart](policy-csp-update.md) +- [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](policy-csp-update.md) +- [SetDisableUXWUAccess](policy-csp-update.md) +- [SetDisablePauseUXAccess](policy-csp-update.md) +- [UpdateNotificationLevel](policy-csp-update.md) +- [NoUpdateNotificationsDuringActiveHours](policy-csp-update.md) +- [DisableDualScan](policy-csp-update.md) +- [AutomaticMaintenanceWakeUp](policy-csp-update.md) +- [ConfigureDeadlineForQualityUpdates](policy-csp-update.md) +- [ConfigureDeadlineForFeatureUpdates](policy-csp-update.md) +- [ConfigureDeadlineGracePeriod](policy-csp-update.md) +- [ConfigureDeadlineGracePeriodForFeatureUpdates](policy-csp-update.md) +- [ConfigureDeadlineNoAutoReboot](policy-csp-update.md) +- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](policy-csp-update.md) +- [ConfigureDeadlineNoAutoRebootForQualityUpdates](policy-csp-update.md) + +## UserRights + +- [AccessCredentialManagerAsTrustedCaller](policy-csp-userrights.md) +- [AccessFromNetwork](policy-csp-userrights.md) +- [ActAsPartOfTheOperatingSystem](policy-csp-userrights.md) +- [AllowLocalLogOn](policy-csp-userrights.md) +- [BackupFilesAndDirectories](policy-csp-userrights.md) +- [ChangeSystemTime](policy-csp-userrights.md) +- [CreatePageFile](policy-csp-userrights.md) +- [CreateToken](policy-csp-userrights.md) +- [CreateGlobalObjects](policy-csp-userrights.md) +- [CreatePermanentSharedObjects](policy-csp-userrights.md) +- [CreateSymbolicLinks](policy-csp-userrights.md) +- [DebugPrograms](policy-csp-userrights.md) +- [DenyAccessFromNetwork](policy-csp-userrights.md) +- [DenyLocalLogOn](policy-csp-userrights.md) +- [DenyRemoteDesktopServicesLogOn](policy-csp-userrights.md) +- [EnableDelegation](policy-csp-userrights.md) +- [RemoteShutdown](policy-csp-userrights.md) +- [GenerateSecurityAudits](policy-csp-userrights.md) +- [ImpersonateClient](policy-csp-userrights.md) +- [IncreaseSchedulingPriority](policy-csp-userrights.md) +- [LoadUnloadDeviceDrivers](policy-csp-userrights.md) +- [LockMemory](policy-csp-userrights.md) +- [ManageAuditingAndSecurityLog](policy-csp-userrights.md) +- [ModifyObjectLabel](policy-csp-userrights.md) +- [ModifyFirmwareEnvironment](policy-csp-userrights.md) +- [ManageVolume](policy-csp-userrights.md) +- [ProfileSingleProcess](policy-csp-userrights.md) +- [RestoreFilesAndDirectories](policy-csp-userrights.md) +- [TakeOwnership](policy-csp-userrights.md) +- [BypassTraverseChecking](policy-csp-userrights.md) +- [ReplaceProcessLevelToken](policy-csp-userrights.md) +- [ChangeTimeZone](policy-csp-userrights.md) +- [ShutDownTheSystem](policy-csp-userrights.md) +- [LogOnAsBatchJob](policy-csp-userrights.md) +- [ProfileSystemPerformance](policy-csp-userrights.md) +- [DenyLogOnAsBatchJob](policy-csp-userrights.md) +- [LogOnAsService](policy-csp-userrights.md) +- [IncreaseProcessWorkingSet](policy-csp-userrights.md) + +## VirtualizationBasedTechnology + +- [HypervisorEnforcedCodeIntegrity](policy-csp-virtualizationbasedtechnology.md) +- [RequireUEFIMemoryAttributesTable](policy-csp-virtualizationbasedtechnology.md) + +## WebThreatDefense + +- [ServiceEnabled](policy-csp-webthreatdefense.md) +- [NotifyMalicious](policy-csp-webthreatdefense.md) +- [NotifyPasswordReuse](policy-csp-webthreatdefense.md) +- [NotifyUnsafeApp](policy-csp-webthreatdefense.md) + +## Wifi + +- [AllowAutoConnectToWiFiSenseHotspots](policy-csp-wifi.md) +- [AllowInternetSharing](policy-csp-wifi.md) + +## WindowsDefenderSecurityCenter + +- [CompanyName](policy-csp-windowsdefendersecuritycenter.md) +- [DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md) +- [DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md) +- [DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisableNotifications](policy-csp-windowsdefendersecuritycenter.md) +- [DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md) +- [DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md) +- [Email](policy-csp-windowsdefendersecuritycenter.md) +- [EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md) +- [EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md) +- [HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md) +- [HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md) +- [HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md) +- [HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md) +- [Phone](policy-csp-windowsdefendersecuritycenter.md) +- [URL](policy-csp-windowsdefendersecuritycenter.md) + +## WindowsInkWorkspace + +- [AllowWindowsInkWorkspace](policy-csp-windowsinkworkspace.md) +- [AllowSuggestedAppsInWindowsInkWorkspace](policy-csp-windowsinkworkspace.md) + +## WindowsLogon + +- [HideFastUserSwitching](policy-csp-windowslogon.md) +- [EnableFirstLogonAnimation](policy-csp-windowslogon.md) + +## WindowsSandbox + +- [AllowVGPU](policy-csp-windowssandbox.md) +- [AllowNetworking](policy-csp-windowssandbox.md) +- [AllowAudioInput](policy-csp-windowssandbox.md) +- [AllowVideoInput](policy-csp-windowssandbox.md) +- [AllowPrinterRedirection](policy-csp-windowssandbox.md) +- [AllowClipboardRedirection](policy-csp-windowssandbox.md) + +## WirelessDisplay + +- [AllowProjectionToPC](policy-csp-wirelessdisplay.md) +- [RequirePinForPairing](policy-csp-wirelessdisplay.md) + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md index 94bb7192fa..bcc22cc6cb 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md @@ -1,7 +1,7 @@ --- title: Policies in Policy CSP supported by Microsoft Surface Hub description: Learn about the policies in Policy CSP supported by Microsoft Surface Hub. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -21,32 +21,32 @@ ms.date: 07/22/2020 - [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui) - [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy) - [Cryptography/TLSCipherSuites](policy-csp-cryptography.md#cryptography-tlsciphersuites) -- [Defender/AllowArchiveScanning](policy-csp-defender.md#defender-allowarchivescanning) -- [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#defender-allowbehaviormonitoring) -- [Defender/AllowCloudProtection](policy-csp-defender.md#defender-allowcloudprotection) -- [Defender/AllowEmailScanning](policy-csp-defender.md#defender-allowemailscanning) -- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives) -- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#defender-allowfullscanremovabledrivescanning) -- [Defender/AllowIOAVProtection](policy-csp-defender.md#defender-allowioavprotection) -- [Defender/AllowOnAccessProtection](policy-csp-defender.md#defender-allowonaccessprotection) -- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#defender-allowrealtimemonitoring) -- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#defender-allowscanningnetworkfiles) -- [Defender/AllowScriptScanning](policy-csp-defender.md#defender-allowscriptscanning) -- [Defender/AllowUserUIAccess](policy-csp-defender.md#defender-allowuseruiaccess) -- [Defender/AvgCPULoadFactor](policy-csp-defender.md#defender-avgcpuloadfactor) -- [Defender/DaysToRetainCleanedMalware](policy-csp-defender.md#defender-daystoretaincleanedmalware) -- [Defender/ExcludedExtensions](policy-csp-defender.md#defender-excludedextensions) -- [Defender/ExcludedPaths](policy-csp-defender.md#defender-excludedpaths) -- [Defender/ExcludedProcesses](policy-csp-defender.md#defender-excludedprocesses) -- [Defender/PUAProtection](policy-csp-defender.md#defender-puaprotection) -- [Defender/RealTimeScanDirection](policy-csp-defender.md#defender-realtimescandirection) -- [Defender/ScanParameter](policy-csp-defender.md#defender-scanparameter) -- [Defender/ScheduleQuickScanTime](policy-csp-defender.md#defender-schedulequickscantime) -- [Defender/ScheduleScanDay](policy-csp-defender.md#defender-schedulescanday) -- [Defender/ScheduleScanTime](policy-csp-defender.md#defender-schedulescantime) -- [Defender/SignatureUpdateInterval](policy-csp-defender.md#defender-signatureupdateinterval) -- [Defender/SubmitSamplesConsent](policy-csp-defender.md#defender-submitsamplesconsent) -- [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#defender-threatseveritydefaultaction) +- [Defender/AllowArchiveScanning](policy-csp-defender.md#allowarchivescanning) +- [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#allowbehaviormonitoring) +- [Defender/AllowCloudProtection](policy-csp-defender.md#allowcloudprotection) +- [Defender/AllowEmailScanning](policy-csp-defender.md#allowemailscanning) +- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#allowfullscanonmappednetworkdrives) +- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#allowfullscanremovabledrivescanning) +- [Defender/AllowIOAVProtection](policy-csp-defender.md#allowioavprotection) +- [Defender/AllowOnAccessProtection](policy-csp-defender.md#allowonaccessprotection) +- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#allowrealtimemonitoring) +- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#allowscanningnetworkfiles) +- [Defender/AllowScriptScanning](policy-csp-defender.md#allowscriptscanning) +- [Defender/AllowUserUIAccess](policy-csp-defender.md#allowuseruiaccess) +- [Defender/AvgCPULoadFactor](policy-csp-defender.md#avgcpuloadfactor) +- [Defender/DaysToRetainCleanedMalware](policy-csp-defender.md#daystoretaincleanedmalware) +- [Defender/ExcludedExtensions](policy-csp-defender.md#excludedextensions) +- [Defender/ExcludedPaths](policy-csp-defender.md#excludedpaths) +- [Defender/ExcludedProcesses](policy-csp-defender.md#excludedprocesses) +- [Defender/PUAProtection](policy-csp-defender.md#puaprotection) +- [Defender/RealTimeScanDirection](policy-csp-defender.md#realtimescandirection) +- [Defender/ScanParameter](policy-csp-defender.md#scanparameter) +- [Defender/ScheduleQuickScanTime](policy-csp-defender.md#schedulequickscantime) +- [Defender/ScheduleScanDay](policy-csp-defender.md#schedulescanday) +- [Defender/ScheduleScanTime](policy-csp-defender.md#schedulescantime) +- [Defender/SignatureUpdateInterval](policy-csp-defender.md#signatureupdateinterval) +- [Defender/SubmitSamplesConsent](policy-csp-defender.md#submitsamplesconsent) +- [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#threatseveritydefaultaction) - [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize) - [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching) - [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index e771422d71..283417da87 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1,30 +1,33 @@ --- title: Policy CSP -description: Learn how the Policy configuration service provider (CSP) enables the enterprise to configure policies on Windows 10 and Windows 11. -ms.reviewer: +description: Learn more about the Policy CSP +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 11/22/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 07/18/2019 -ms.collection: highpri +ms.topic: reference --- + + + # Policy CSP + + The Policy configuration service provider enables the enterprise to configure policies on Windows 10 and Windows 11. Use this configuration service provider to configure any company policies. The Policy configuration service provider has the following sub-categories: -- Policy/Config/*AreaName* – Handles the policy configuration request from the server. -- Policy/Result/*AreaName* – Provides a read-only path to policies enforced on the device. +- Policy/Config/**AreaName** - Handles the policy configuration request from the server. +- Policy/Result/**AreaName** - Provides a read-only path to policies enforced on the device. -> [!Important] +> [!IMPORTANT] > Policy scope is the level at which a policy can be configured. Some policies can only be configured at the device level, meaning the policy will take effect independent of who is logged into the device. Other policies can be configured at the user level, meaning the policy will only take effect for that user. > > The allowed scope of a specific policy is represented below its table of supported Windows editions. To configure a policy under a specific scope (user vs. device), please use the following paths: @@ -43,9490 +46,1133 @@ The Policy configuration service provider has the following sub-categories: > > - **./Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy. > - **./Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result. + -The following shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. + +The following example shows the Policy configuration service provider in tree format. -```console -./Vendor/MSFT -Policy --------Config -----------AreaName --------------PolicyName --------Result -----------AreaName --------------PolicyName --------ConfigOperations -----------ADMXInstall --------------AppName -----------------Policy -------------------UniqueID -----------------Preference -------------------UniqueID +```text +./Device/Vendor/MSFT/Policy +--- Config +------ {AreaName} +--------- {PolicyName} +--- ConfigOperations +------ ADMXInstall +--------- {AppName} +------------ {SettingsType} +--------------- {AdmxFileId} +------------ Properties +--------------- {SettingsType} +------------------ {AdmxFileId} +--------------------- Version +--- Result +------ {AreaName} +--------- {PolicyName} +./User/Vendor/MSFT/Policy +--- Config +------ {AreaName} +--------- {PolicyName} +--- Result +------ {AreaName} +--------- {PolicyName} ``` + + +## Device/Config -**./Vendor/MSFT/Policy** -The root node for the Policy configuration service provider. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -Supported operation is Get. + +```Device +./Device/Vendor/MSFT/Policy/Config +``` + -**Policy/Config** -Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value) the configuration source can use the Policy/Result path to retrieve the resulting value. + +Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. + -Supported operation is Get. + + + -**Policy/Config/_AreaName_** -The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. + +**Description framework properties**: -Supported operations are Add, Get, and Delete. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + -**Policy/Config/_AreaName/PolicyName_** -Specifies the name/value pair used in the policy. + + + + + + +### Device/Config/{AreaName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/{AreaName} +``` + + + +The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +#### Device/Config/{AreaName}/{PolicyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName} +``` + + + +Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. + + + + The following list shows some tips to help you when configuring policies: -- Separate substring values by the Unicode &\#xF000; in the XML file. - +- Separate substring values by Unicode `0xF000` in the XML file. > [!NOTE] > A query from a different caller could provide a different value as each caller could have different values for a named policy. - - In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction. - Supported operations are Add, Get, Delete, and Replace. - Value type is string. + -**Policy/Result** -Groups the evaluated policies from all providers that can be configured. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ClientInventory | + -**Policy/Result/_AreaName_** -The area group that can be configured by a single technology independent of the providers. + + + -Supported operation is Get. + -**Policy/Result/_AreaName/PolicyName_** -Specifies the name/value pair used in the policy. + +## Device/ConfigOperations -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -**Policy/ConfigOperations** -Added in Windows 10, version 1703. The root node for grouping different configuration operations. + +```Device +./Device/Vendor/MSFT/Policy/ConfigOperations +``` + -Supported operations are Add, Get, and Delete. + +The root node for grouping different configuration operations. + -**Policy/ConfigOperations/ADMXInstall** -Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](../win32-and-centennial-app-policy-configuration.md). + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +### Device/ConfigOperations/ADMXInstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall +``` + + + +Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. ADMX files that have been installed by using ConfigOperations/ADMXInstall can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}. + + + + + For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](../win32-and-centennial-app-policy-configuration.md). > [!NOTE] > The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](/previous-versions/office/office-2013-resource-kit/cc179097(v=office.15)). - -ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}. - -Supported operations are Add, Get, and Delete. - -**Policy/ConfigOperations/ADMXInstall/_AppName_** -Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. - -Supported operations are Add, Get, and Delete. - -**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy** -Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported. - -Supported operations are Add, Get, and Delete. - -**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy/_UniqueID_** -Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import. - -Supported operations are Add and Get. Does not support Delete. - -**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference** -Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported. - -Supported operations are Add, Get, and Delete. - -**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference/_UniqueID_** -Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import. - -Supported operations are Add and Get. Does not support Delete. - -## Policies - -### AboveLock policies - -
-
- AboveLock/AllowCortanaAboveLock -
-
- AboveLock/AllowToasts -
-
- -### Accounts policies - -
-
- Accounts/AllowAddingNonMicrosoftAccountsManually -
-
- Accounts/AllowMicrosoftAccountConnection -
-
- Accounts/AllowMicrosoftAccountSignInAssistant -
- -
- -### ActiveXControls policies - -
-
- ActiveXControls/ApprovedInstallationSites -
-
- -### ADMX_ActiveXInstallService policies - -
-
- ADMX_ActiveXInstallService/AxISURLZonePolicies -
-
- -### ADMX_AddRemovePrograms policies -
-
- ADMX_AddRemovePrograms/DefaultCategory -
-
- ADMX_AddRemovePrograms/NoAddFromCDorFloppy -
-
- ADMX_AddRemovePrograms/NoAddFromInternet -
-
- ADMX_AddRemovePrograms/NoAddFromNetwork -
-
- ADMX_AddRemovePrograms/NoAddPage -
-
- ADMX_AddRemovePrograms/NoAddRemovePrograms -
-
- ADMX_AddRemovePrograms/NoChooseProgramsPage -
-
- ADMX_AddRemovePrograms/NoRemovePage -
-
- ADMX_AddRemovePrograms/NoServices -
-
- ADMX_AddRemovePrograms/NoSupportInfo -
-
- ADMX_AddRemovePrograms/NoWindowsSetupPage -
-
- -### ADMX_AdmPwd policies - -
-
- ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy -
-
- ADMX_AdmPwd/POL_AdmPwd_Enabled -
-
- ADMX_AdmPwd/POL_AdmPwd_AdminName -
-
- ADMX_AdmPwd/POL_AdmPwd -
-
- -### ADMX_AppCompat policies - -
-
- ADMX_AppCompat/AppCompatPrevent16BitMach -
-
- ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage -
-
- ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry -
-
- ADMX_AppCompat/AppCompatTurnOffSwitchBack -
-
- ADMX_AppCompat/AppCompatTurnOffEngine -
-
- ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1 -
-
- ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2 -
-
- ADMX_AppCompat/AppCompatTurnOffUserActionRecord -
-
- ADMX_AppCompat/AppCompatTurnOffProgramInventory -
-
- -### ADMX_AppxPackageManager policies - -
-
- ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles -
-
- -### ADMX_AppXRuntime policies - -
-
- ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules -
-
- ADMX_AppXRuntime/AppxRuntimeBlockFileElevation -
-
- ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT -
-
- ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation -
-
- -### ADMX_AttachmentManager policies - -
-
- ADMX_AttachmentManager/AM_EstimateFileHandlerRisk -
-
- ADMX_AttachmentManager/AM_SetFileRiskLevel -
-
- ADMX_AttachmentManager/AM_SetHighRiskInclusion -
-
- ADMX_AttachmentManager/AM_SetLowRiskInclusion -
-
- ADMX_AttachmentManager/AM_SetModRiskInclusion -
-
- -### ADMX_AuditSettings policies - -
-
- ADMX_AuditSettings/IncludeCmdLine -
-
- - -### ADMX_Bits policies - -
-
- ADMX_Bits/BITS_DisableBranchCache -
-
- ADMX_Bits/BITS_DisablePeercachingClient -
-
- ADMX_Bits/BITS_DisablePeercachingServer -
-
- ADMX_Bits/BITS_EnablePeercaching -
-
- ADMX_Bits/BITS_MaxBandwidthServedForPeers -
-
- ADMX_Bits/BITS_MaxBandwidthV2_Maintenance -
-
- ADMX_Bits/BITS_MaxBandwidthV2_Work -
-
- ADMX_Bits/BITS_MaxCacheSize -
-
- ADMX_Bits/BITS_MaxContentAge -
-
- ADMX_Bits/BITS_MaxDownloadTime -
-
- ADMX_Bits/BITS_MaxFilesPerJob -
-
- ADMX_Bits/BITS_MaxJobsPerMachine -
-
- ADMX_Bits/BITS_MaxJobsPerUser -
-
- ADMX_Bits/BITS_MaxRangesPerFile -
-
- -### ADMX_CipherSuiteOrder policies - -
-
- ADMX_CipherSuiteOrder/SSLCipherSuiteOrder -
-
- ADMX_CipherSuiteOrder/SSLCurveOrder -
-
- -### ADMX_COM policies - -
-
- ADMX_COM/AppMgmt_COM_SearchForCLSID_1 -
-
- ADMX_COM/AppMgmt_COM_SearchForCLSID_2 -
-
- -### ADMX_ControlPanel policies - -
-
- ADMX_ControlPanel/DisallowCpls -
-
- ADMX_ControlPanel/ForceClassicControlPanel -
-
- ADMX_ControlPanel/NoControlPanel -
-
- ADMX_ControlPanel/RestrictCpls -
-
- -### ADMX_ControlPanelDisplay policies - -
-
- ADMX_ControlPanelDisplay/CPL_Display_Disable -
-
- ADMX_ControlPanelDisplay/CPL_Display_HideSettings -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle -
-
- ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground -
-
- -### ADMX_Cpls policies - -
-
- ADMX_CtrlAltDel/DisableChangePassword -
-
- ADMX_CtrlAltDel/DisableLockComputer -
-
- ADMX_CtrlAltDel/DisableTaskMgr -
-
- ADMX_CtrlAltDel/NoLogoff -
-
- -### ADMX_CredentialProviders policies - -
-
- ADMX_CredentialProviders/AllowDomainDelayLock -
-
- ADMX_CredentialProviders/DefaultCredentialProvider -
-
- ADMX_CredentialProviders/ExcludedCredentialProviders -
-
- -### ADMX_CredSsp policies - -
-
- ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly -
-
- ADMX_CredSsp/AllowDefaultCredentials -
-
- ADMX_CredSsp/AllowEncryptionOracle -
-
- ADMX_CredSsp/AllowFreshCredentials -
-
- ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly -
-
- ADMX_CredSsp/AllowSavedCredentials -
-
- ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly -
-
- ADMX_CredSsp/DenyDefaultCredentials -
-
- ADMX_CredSsp/DenyFreshCredentials -
-
- ADMX_CredSsp/DenySavedCredentials -
-
- ADMX_CredSsp/RestrictedRemoteAdministration - -### ADMX_CredUI policies - -
-
- ADMX_CredUI/EnableSecureCredentialPrompting -
-
- ADMX_CredUI/NoLocalPasswordResetQuestions -
-
- -### ADMX_CtrlAltDel policies -
-
- ADMX_Cpls/UseDefaultTile -
-
- -### ADMX_DataCollection policies - -
-
- ADMX_DataCollection/CommercialIdPolicy -
-
- -### ADMX_DCOM policies - -
-
- ADMX_DCOM/DCOMActivationSecurityCheckAllowLocalList -
-
- ADMX_DCOM/DCOMActivationSecurityCheckExemptionList -
-
- -### ADMX_Desktop policies - -
-
- ADMX_Desktop/AD_EnableFilter -
-
- ADMX_Desktop/AD_HideDirectoryFolder -
-
- ADMX_Desktop/AD_QueryLimit -
-
- ADMX_Desktop/ForceActiveDesktopOn -
-
- ADMX_Desktop/NoActiveDesktop -
-
- ADMX_Desktop/NoActiveDesktopChanges -
-
- ADMX_Desktop/NoDesktop -
-
- ADMX_Desktop/NoDesktopCleanupWizard -
-
- ADMX_Desktop/NoInternetIcon -
-
- ADMX_Desktop/NoMyComputerIcon -
-
- ADMX_Desktop/NoMyDocumentsIcon -
-
- ADMX_Desktop/NoNetHood -
-
- ADMX_Desktop/NoPropertiesMyComputer -
-
- ADMX_Desktop/NoPropertiesMyDocuments -
-
- ADMX_Desktop/NoRecentDocsNetHood -
-
- ADMX_Desktop/NoRecycleBinIcon -
-
- ADMX_Desktop/NoRecycleBinProperties -
-
- ADMX_Desktop/NoSaveSettings -
-
- ADMX_Desktop/NoWindowMinimizingShortcuts -
-
- ADMX_Desktop/Wallpaper -
-
- ADMX_Desktop/sz_ATC_DisableAdd -
-
- ADMX_Desktop/sz_ATC_DisableClose -
-
- ADMX_Desktop/sz_ATC_DisableDel -
-
- ADMX_Desktop/sz_ATC_DisableEdit -
-
- ADMX_Desktop/sz_ATC_NoComponents -
-
- ADMX_Desktop/sz_AdminComponents_Title -
-
- ADMX_Desktop/sz_DB_DragDropClose -
-
- ADMX_Desktop/sz_DB_Moving -
-
- ADMX_Desktop/sz_DWP_NoHTMLPaper -
-
- -### ADMX_DeviceCompat policies - -
-
- ADMX_DeviceCompat/DeviceFlags -
-
- ADMX_DeviceCompat/DriverShims -
-
- -### ADMX_DeviceGuard policies - -
- ADMX_DeviceGuard/ConfigCIPolicy -
-
- -### ADMX_DeviceInstallation policies - -
-
- ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall -
-
- ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText -
-
- ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText -
-
- ADMX_DeviceInstallation/DeviceInstall_InstallTimeout -
-
- ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime -
-
- ADMX_DeviceInstallation/DeviceInstall_Removable_Deny -
-
- ADMX_DeviceInstallation/DeviceInstall_SystemRestore -
-
- ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser -
-
- -### ADMX_DeviceSetup policies - -
-
- ADMX_DeviceSetup/DeviceInstall_BalloonTips -
-
- ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration -
-
- -### ADMX_DFS policies - -
-
- ADMX_DFS/DFSDiscoverDC -
-
- -### ADMX_DigitalLocker policies - -
-
- ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1 -
-
- ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2 -
-
- -### ADMX_DiskDiagnostic policies - -
-
- ADMX_DiskDiagnostic/DfdAlertPolicy -
-
- ADMX_DiskDiagnostic/WdiScenarioExecutionPolicy -
-
- -### ADMX_DiskNVCache policies - -
-
- ADMX_DiskNVCache/BootResumePolicy -
-
- ADMX_DiskNVCache/FeatureOffPolicy -
-
- ADMX_DiskNVCache/SolidStatePolicy -
-
- -### ADMX_DiskQuota policies - -
-
- ADMX_DiskQuota/DQ_RemovableMedia -
-
- ADMX_DiskQuota/DQ_Enable -
-
- ADMX_DiskQuota/DQ_Enforce -
-
- ADMX_DiskQuota/DQ_LogEventOverLimit -
-
- ADMX_DiskQuota/DQ_LogEventOverThreshold -
-
- ADMX_DiskQuota/DQ_Limit -
-
- -### ADMX_DistributedLinkTracking policies - -
-
- ADMX_DistributedLinkTracking/DLT_AllowDomainMode -
-
- - -### ADMX_DnsClient policies - -
-
- ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries -
-
- ADMX_DnsClient/DNS_AppendToMultiLabelName -
-
- ADMX_DnsClient/DNS_Domain -
-
- ADMX_DnsClient/DNS_DomainNameDevolutionLevel -
-
- ADMX_DnsClient/DNS_IdnEncoding -
-
- ADMX_DnsClient/DNS_IdnMapping -
-
- ADMX_DnsClient/DNS_NameServer -
-
- ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns -
-
- ADMX_DnsClient/DNS_PrimaryDnsSuffix -
-
- ADMX_DnsClient/DNS_RegisterAdapterName -
-
- ADMX_DnsClient/DNS_RegisterReverseLookup -
-
- ADMX_DnsClient/DNS_RegistrationEnabled -
-
- ADMX_DnsClient/DNS_RegistrationOverwritesInConflict -
-
- ADMX_DnsClient/DNS_RegistrationRefreshInterval -
-
- ADMX_DnsClient/DNS_RegistrationTtl -
-
- ADMX_DnsClient/DNS_SearchList -
-
- ADMX_DnsClient/DNS_SmartMultiHomedNameResolution -
-
- ADMX_DnsClient/DNS_SmartProtocolReorder -
-
- ADMX_DnsClient/DNS_UpdateSecurityLevel -
-
- ADMX_DnsClient/DNS_UpdateTopLevelDomainZones -
-
- ADMX_DnsClient/DNS_UseDomainNameDevolution -
-
- ADMX_DnsClient/Turn_Off_Multicast -
-
- -### ADMX_DWM policies -
-
- ADMX_DWM/DwmDefaultColorizationColor_1 -
-
- ADMX_DWM/DwmDefaultColorizationColor_2 -
-
- ADMX_DWM/DwmDisallowAnimations_1 -
-
- ADMX_DWM/DwmDisallowAnimations_2 -
-
- ADMX_DWM/DwmDisallowColorizationColorChanges_1 -
-
- ADMX_DWM/DwmDisallowColorizationColorChanges_2 -
-
- -### ADMX_EAIME policies - -
-
- ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList -
-
- ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion -
-
- ADMX_EAIME/L_TurnOffCustomDictionary -
-
- ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput -
-
- ADMX_EAIME/L_TurnOffInternetSearchIntegration -
-
- ADMX_EAIME/L_TurnOffOpenExtendedDictionary -
-
- ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile -
-
- ADMX_EAIME/L_TurnOnCloudCandidate -
-
- ADMX_EAIME/L_TurnOnCloudCandidateCHS -
-
- ADMX_EAIME/L_TurnOnLexiconUpdate -
-
- ADMX_EAIME/L_TurnOnLiveStickers -
-
- ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport -
-
- -### ADMX_EncryptFilesonMove policies -
-
- ADMX_EncryptFilesonMove/NoEncryptOnMove -
-
- -### ADMX_EventLogging policies -
-
- ADMX_EventLogging/EnableProtectedEventLogging -
-
- -### ADMX_EnhancedStorage policies - -
-
- ADMX_EnhancedStorage/ApprovedEnStorDevices -
-
- ADMX_EnhancedStorage/ApprovedSilos -
-
- ADMX_EnhancedStorage/DisablePasswordAuthentication -
-
- ADMX_EnhancedStorage/DisallowLegacyDiskDevices -
-
- ADMX_EnhancedStorage/LockDeviceOnMachineLock -
-
- ADMX_EnhancedStorage/RootHubConnectedEnStorDevices -
-
- -### ADMX_ErrorReporting policies - -
-
- ADMX_ErrorReporting/PCH_AllOrNoneDef -
-
- ADMX_ErrorReporting/PCH_AllOrNoneEx -
-
- ADMX_ErrorReporting/PCH_AllOrNoneInc -
-
- ADMX_ErrorReporting/PCH_ConfigureReport -
-
- ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults -
-
- ADMX_ErrorReporting/WerArchive_1 -
-
- ADMX_ErrorReporting/WerArchive_2 -
-
- ADMX_ErrorReporting/WerAutoApproveOSDumps_1 -
-
- ADMX_ErrorReporting/WerAutoApproveOSDumps_2 -
-
- ADMX_ErrorReporting/WerBypassDataThrottling_1 -
-
- ADMX_ErrorReporting/WerBypassDataThrottling_2 -
-
- ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1 -
-
- ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2 -
-
- ADMX_ErrorReporting/WerBypassPowerThrottling_1 -
-
- ADMX_ErrorReporting/WerBypassPowerThrottling_2 -
-
- ADMX_ErrorReporting/WerCER -
-
- ADMX_ErrorReporting/WerConsentCustomize_1 -
-
- ADMX_ErrorReporting/WerConsentOverride_1 -
-
- ADMX_ErrorReporting/WerConsentOverride_2 -
-
- ADMX_ErrorReporting/WerDefaultConsent_1 -
-
- ADMX_ErrorReporting/WerDefaultConsent_2 -
-
- ADMX_ErrorReporting/WerDisable_1 -
-
- ADMX_ErrorReporting/WerExlusion_1 -
-
- ADMX_ErrorReporting/WerExlusion_2 -
-
- ADMX_ErrorReporting/WerNoLogging_1 -
-
- ADMX_ErrorReporting/WerNoLogging_2 -
-
- ADMX_ErrorReporting/WerNoSecondLevelData_1 -
-
- ADMX_ErrorReporting/WerQueue_1 -
-
- ADMX_ErrorReporting/WerQueue_2 -
-
- -### ADMX_EventForwarding policies - -
-
- ADMX_EventForwarding/ForwarderResourceUsage -
-
- ADMX_EventForwarding/SubscriptionManager -
-
- -### ADMX_EventLog policies - -
-
- ADMX_EventLog/Channel_LogEnabled -
-
- ADMX_EventLog/Channel_LogFilePath_1 -
-
- ADMX_EventLog/Channel_LogFilePath_2 -
-
- ADMX_EventLog/Channel_LogFilePath_3 -
-
- ADMX_EventLog/Channel_LogFilePath_4 -
-
- ADMX_EventLog/Channel_LogMaxSize_3 -
-
- ADMX_EventLog/Channel_Log_AutoBackup_1 -
-
- ADMX_EventLog/Channel_Log_AutoBackup_2 -
-
- ADMX_EventLog/Channel_Log_AutoBackup_3 -
-
- ADMX_EventLog/Channel_Log_AutoBackup_4 -
-
- ADMX_EventLog/Channel_Log_FileLogAccess_1 -
-
- ADMX_EventLog/Channel_Log_FileLogAccess_2 -
-
- ADMX_EventLog/Channel_Log_FileLogAccess_3 -
-
- ADMX_EventLog/Channel_Log_FileLogAccess_4 -
-
- ADMX_EventLog/Channel_Log_FileLogAccess_5 -
-
- ADMX_EventLog/Channel_Log_FileLogAccess_6 -
-
- ADMX_EventLog/Channel_Log_FileLogAccess_7 -
-
- ADMX_EventLog/Channel_Log_FileLogAccess_8 -
-
- ADMX_EventLog/Channel_Log_Retention_2 -
-
- ADMX_EventLog/Channel_Log_Retention_3 -
-
- ADMX_EventLog/Channel_Log_Retention_4 -
-
- -### ADMX_EventViewer policies - -
-
- ADMX_EventViewer/EventViewer_RedirectionProgram -
-
- ADMX_EventViewer/EventViewer_RedirectionProgramCommandLineParameters -
-
- ADMX_EventViewer/EventViewer_RedirectionURL -
- -### ADMX_Explorer policies - -
-
- ADMX_Explorer/AdminInfoUrl -
-
- ADMX_Explorer/AlwaysShowClassicMenu -
-
- ADMX_Explorer/DisableRoamedProfileInit -
-
- ADMX_Explorer/PreventItemCreationInUsersFilesFolder -
-
- ADMX_Explorer/TurnOffSPIAnimations -
-
- -### ADMX_ExternalBoot policies - -
-
- ADMX_ExternalBoot/PortableOperatingSystem_Hibernate -
- ADMX_ExternalBoot/PortableOperatingSystem_Sleep -
- - ADMX_ExternalBoot/PortableOperatingSystem_Launcher - -
- -### ADMX_FileRecovery policies -
-
- ADMX_FileRecovery/WdiScenarioExecutionPolicy -
-
- -### ADMX_FileRevocation policies -
-
- ADMX_FileRevocation/DelegatedPackageFamilyNames -
-
- -### ADMX_FileServerVSSProvider policies -
-
- ADMX_FileServerVSSProvider/Pol_EncryptProtocol -
-
- -### ADMX_FileSys policies -
-
- ADMX_FileSys/DisableCompression -
-
- ADMX_FileSys/DisableDeleteNotification -
-
- ADMX_FileSys/DisableEncryption -
-
- ADMX_FileSys/EnablePagefileEncryption -
-
- ADMX_FileSys/LongPathsEnabled -
-
- ADMX_FileSys/ShortNameCreationSettings -
-
- ADMX_FileSys/SymlinkEvaluation -
-
- ADMX_FileSys/TxfDeprecatedFunctionality -
-
- -### ADMX_FolderRedirection policies -
-
- ADMX_FolderRedirection/DisableFRAdminPin -
-
- ADMX_FolderRedirection/DisableFRAdminPinByFolder -
-
- ADMX_FolderRedirection/FolderRedirectionEnableCacheRename -
-
- ADMX_FolderRedirection/LocalizeXPRelativePaths_1 -
-
- ADMX_FolderRedirection/LocalizeXPRelativePaths_2 -
-
- ADMX_FolderRedirection/PrimaryComputer_FR_1 -
-
- ADMX_FolderRedirection/PrimaryComputer_FR_2 -
-
- -### ADMX_FramePanes policies -
-
- ADMX_FramePanes/NoReadingPane -
-
- ADMX_FramePanes/NoPreviewPane -
-
- -### ADMX_FTHSVC policies -
-
- ADMX_FTHSVC/WdiScenarioExecutionPolicy -
-
- -### ADMX_Help policies -
-
- ADMX_Help/DisableHHDEP -
-
- ADMX_Help/HelpQualifiedRootDir_Comp -
-
- ADMX_Help/RestrictRunFromHelp -
-
- ADMX_Help/RestrictRunFromHelp_Comp -
-
- -### ADMX_HotSpotAuth policies -
-
- ADMX_HotSpotAuth/HotspotAuth_Enable -
-
- -### ADMX_Globalization policies - -
-
- ADMX_Globalization/BlockUserInputMethodsForSignIn -
-
- ADMX_Globalization/CustomLocalesNoSelect_1 -
-
- ADMX_Globalization/CustomLocalesNoSelect_2 -
-
- ADMX_Globalization/HideAdminOptions -
-
- ADMX_Globalization/HideCurrentLocation -
-
- ADMX_Globalization/HideLanguageSelection -
-
- ADMX_Globalization/HideLocaleSelectAndCustomize -
-
- ADMX_Globalization/ImplicitDataCollectionOff_1 -
-
- ADMX_Globalization/ImplicitDataCollectionOff_2 -
-
- ADMX_Globalization/LocaleSystemRestrict -
-
- ADMX_Globalization/LocaleUserRestrict_1 -
-
- ADMX_Globalization/LocaleUserRestrict_2 -
-
- ADMX_Globalization/LockMachineUILanguage -
-
- ADMX_Globalization/LockUserUILanguage -
-
- ADMX_Globalization/PreventGeoIdChange_1 -
-
- ADMX_Globalization/PreventGeoIdChange_2 -
-
- ADMX_Globalization/PreventUserOverrides_1 -
-
- ADMX_Globalization/PreventUserOverrides_2 -
-
- ADMX_Globalization/RestrictUILangSelect -
-
- ADMX_Globalization/TurnOffAutocorrectMisspelledWords -
-
- ADMX_Globalization/TurnOffHighlightMisspelledWords -
-
- ADMX_Globalization/TurnOffInsertSpace -
-
- ADMX_Globalization/TurnOffOfferTextPredictions -
-
- ADMX_Globalization/Y2K -
-
- -### ADMX_GroupPolicy policies - -
-
- ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP -
-
- ADMX_GroupPolicy/CSE_AppMgmt -
-
- ADMX_GroupPolicy/CSE_DiskQuota -
-
- ADMX_GroupPolicy/CSE_EFSRecovery -
-
- ADMX_GroupPolicy/CSE_FolderRedirection -
-
- ADMX_GroupPolicy/CSE_IEM -
-
- ADMX_GroupPolicy/CSE_IPSecurity -
-
- ADMX_GroupPolicy/CSE_Registry -
-
- ADMX_GroupPolicy/CSE_Scripts -
-
- ADMX_GroupPolicy/CSE_Security -
-
- ADMX_GroupPolicy/CSE_Wired -
-
- ADMX_GroupPolicy/CSE_Wireless -
-
- ADMX_GroupPolicy/CorpConnSyncWaitTime -
-
- ADMX_GroupPolicy/DenyRsopToInteractiveUser_1 -
-
- ADMX_GroupPolicy/DenyRsopToInteractiveUser_2 -
-
- ADMX_GroupPolicy/DisableAOACProcessing -
-
- ADMX_GroupPolicy/DisableAutoADMUpdate -
-
- ADMX_GroupPolicy/DisableBackgroundPolicy -
-
- ADMX_GroupPolicy/DisableLGPOProcessing -
-
- ADMX_GroupPolicy/DisableUsersFromMachGP -
-
- ADMX_GroupPolicy/EnableCDP -
-
- ADMX_GroupPolicy/EnableLogonOptimization -
-
- ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU -
-
- ADMX_GroupPolicy/EnableMMX -
-
- ADMX_GroupPolicy/EnforcePoliciesOnly -
-
- ADMX_GroupPolicy/FontMitigation -
-
- ADMX_GroupPolicy/GPDCOptions -
-
- ADMX_GroupPolicy/GPTransferRate_1 -
-
- ADMX_GroupPolicy/GPTransferRate_2 -
-
- ADMX_GroupPolicy/GroupPolicyRefreshRate -
-
- ADMX_GroupPolicy/GroupPolicyRefreshRateDC -
-
- ADMX_GroupPolicy/GroupPolicyRefreshRateUser -
-
- ADMX_GroupPolicy/LogonScriptDelay -
-
- ADMX_GroupPolicy/NewGPODisplayName -
-
- ADMX_GroupPolicy/NewGPOLinksDisabled -
-
- ADMX_GroupPolicy/OnlyUseLocalAdminFiles -
-
- ADMX_GroupPolicy/ProcessMitigationOptions -
-
- ADMX_GroupPolicy/RSoPLogging -
-
- ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy -
-
- ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess -
-
- ADMX_GroupPolicy/SlowlinkDefaultToAsync -
-
- ADMX_GroupPolicy/SyncWaitTime -
-
- ADMX_GroupPolicy/UserPolicyMode -
-
- -### ADMX_HelpAndSupport policies -
-
- ADMX_HelpAndSupport/ActiveHelp -
-
- ADMX_HelpAndSupport/HPExplicitFeedback -
-
- ADMX_HelpAndSupport/HPImplicitFeedback -
-
- ADMX_HelpAndSupport/HPOnlineAssistance -
-
- - -## ADMX_ICM policies - -
-
- ADMX_ICM/CEIPEnable -
-
- ADMX_ICM/CertMgr_DisableAutoRootUpdates -
-
- ADMX_ICM/DisableHTTPPrinting_1 -
-
- ADMX_ICM/DisableWebPnPDownload_1 -
-
- ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate -
-
- ADMX_ICM/EventViewer_DisableLinks -
-
- ADMX_ICM/HSS_HeadlinesPolicy -
-
- ADMX_ICM/HSS_KBSearchPolicy -
-
- ADMX_ICM/InternetManagement_RestrictCommunication_1 -
-
- ADMX_ICM/InternetManagement_RestrictCommunication_2 -
-
- ADMX_ICM/NC_ExitOnISP -
-
- ADMX_ICM/NC_NoRegistration -
-
- ADMX_ICM/PCH_DoNotReport -
-
- ADMX_ICM/RemoveWindowsUpdate_ICM -
-
- ADMX_ICM/SearchCompanion_DisableFileUpdates -
-
- ADMX_ICM/ShellNoUseInternetOpenWith_1 -
-
- ADMX_ICM/ShellNoUseInternetOpenWith_2 -
-
- ADMX_ICM/ShellNoUseStoreOpenWith_1 -
-
- ADMX_ICM/ShellNoUseStoreOpenWith_2 -
-
- ADMX_ICM/ShellPreventWPWDownload_1 -
-
- ADMX_ICM/ShellRemoveOrderPrints_1 -
-
- ADMX_ICM/ShellRemoveOrderPrints_2 -
-
- ADMX_ICM/ShellRemovePublishToWeb_1 -
-
- ADMX_ICM/ShellRemovePublishToWeb_2 -
-
- ADMX_ICM/WinMSG_NoInstrumentation_1 -
-
- ADMX_ICM/WinMSG_NoInstrumentation_2 -
-
- -### ADMX_IIS policies -
-
- ADMX_IIS/PreventIISInstall -
-
- -### ADMX_iSCSI policies - -
-
- ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins -
-
- ADMX_iSCSI/iSCSIGeneral_ChangeIQNName -
-
- ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret -
-
- -### ADMX_kdc policies -
-
- ADMX_kdc/CbacAndArmor -
-
- ADMX_kdc/ForestSearch -
-
- ADMX_kdc/PKINITFreshness -
-
- ADMX_kdc/RequestCompoundId -
-
- ADMX_kdc/TicketSizeThreshold -
-
- ADMX_kdc/emitlili -
-
- -### ADMX_Kerberos policies - -
-
- ADMX_Kerberos/AlwaysSendCompoundId -
-
- ADMX_Kerberos/DevicePKInitEnabled -
-
- ADMX_Kerberos/HostToRealm -
-
- ADMX_Kerberos/KdcProxyDisableServerRevocationCheck -
-
- ADMX_Kerberos/KdcProxyServer -
-
- ADMX_Kerberos/MitRealms -
-
- ADMX_Kerberos/ServerAcceptsCompound -
-
- ADMX_Kerberos/StrictTarget -
-
- -### ADMX_LanmanServer policies -
-
- ADMX_LanmanServer/Pol_CipherSuiteOrder -
-
- ADMX_LanmanServer/Pol_HashPublication -
-
- ADMX_LanmanServer/Pol_HashSupportVersion -
-
- ADMX_LanmanServer/Pol_HonorCipherSuiteOrder -
-
- -### ADMX_LanmanWorkstation policies - -
-
- ADMX_LanmanWorkstation/Pol_CipherSuiteOrder -
-
- ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles -
-
- ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares -
-
- -### ADMX_LeakDiagnostic policies -
-
- ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy -
-
- -### ADMX_LinkLayerTopologyDiscovery policies -
-
- ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO -
-
- ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr -
-
- -### ADMX_LocationProviderAdm policies - -
-
- ADMX_LocationProviderAdm/BlockUserFromShowingAccountDetailsOnSignin -
-
- -### ADMX_Logon policies - -
-
- ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin -
-
- ADMX_Logon/DisableAcrylicBackgroundOnLogon -
-
- ADMX_Logon/DisableExplorerRunLegacy_1 -
-
- ADMX_Logon/DisableExplorerRunLegacy_2 -
-
- ADMX_Logon/DisableExplorerRunOnceLegacy_1 -
-
- ADMX_Logon/DisableExplorerRunOnceLegacy_2 -
-
- ADMX_Logon/DisableStatusMessages -
-
- ADMX_Logon/DontEnumerateConnectedUsers -
-
- ADMX_Logon/NoWelcomeTips_1 -
-
- ADMX_Logon/NoWelcomeTips_2 -
-
- ADMX_Logon/Run_1 -
-
- ADMX_Logon/Run_2 -
-
- ADMX_Logon/SyncForegroundPolicy -
-
- ADMX_Logon/UseOEMBackground -
-
- ADMX_Logon/VerboseStatus -
-
- -### ADMX_MicrosoftDefenderAntivirus policies - -
-
- ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup -
-
- ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender -
-
- ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions -
-
- ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen -
-
- ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge -
-
- ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring -
-
- ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction -
-
- ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions -
-
- ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths -
-
- ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes -
-
- ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions -
-
- ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules -
-
- ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications -
-
- ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders -
-
- ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation -
-
- ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement -
-
- ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid -
-
- ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition -
-
- ADMX_MicrosoftDefenderAntivirus/ProxyBypass -
-
- ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl -
-
- ADMX_MicrosoftDefenderAntivirus/ProxyServer -
-
- ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay -
-
- ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay -
-
- ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes -
-
- ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring -
-
- ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection -
-
- ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection -
-
- ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification -
-
- ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable -
-
- ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize -
-
- ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring -
-
- ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection -
-
- ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection -
-
- ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring -
-
- ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection -
-
- ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime -
-
- ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay -
-
- ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime -
-
- ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout -
-
- ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout -
-
- ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications -
-
- ADMX_MicrosoftDefenderAntivirus/Reporting_Disablegenericreports -
-
- ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout -
-
- ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout -
-
- ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents -
-
- ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay -
-
- ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime -
-
- ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive -
-
- ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue -
-
- ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue -
-
- ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources -
-
- ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate -
-
- ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery -
-
- ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine -
-
- ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder -
-
- ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU -
-
- ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery -
-
- ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay -
-
- ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime -
-
- ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation -
-
- ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification -
-
- ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval -
-
- ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup -
-
- ADMX_MicrosoftDefenderAntivirus/SpynetReporting -
-
- ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting -
-
- ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction -
-
- ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString -
-
- ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress -
-
- ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification -
-
- ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown -
-
- -### ADMX_MMC policies -
-
- ADMX_MMC/MMC_ActiveXControl -
-
- ADMX_MMC/MMC_ExtendView -
-
- ADMX_MMC/MMC_LinkToWeb -
-
- ADMX_MMC/MMC_Restrict_Author -
-
- ADMX_MMC/MMC_Restrict_To_Permitted_Snapins -
-
- -### ADMX_MMCSnapins policies - -
-
- ADMX_MMCSnapins/MMC_ADMComputers_1 -
-
- ADMX_MMCSnapins/MMC_ADMComputers_2 -
-
- ADMX_MMCSnapins/MMC_ADMUsers_1 -
-
- ADMX_MMCSnapins/MMC_ADMUsers_2 -
-
- ADMX_MMCSnapins/MMC_ADSI -
-
- ADMX_MMCSnapins/MMC_ActiveDirDomTrusts -
-
- ADMX_MMCSnapins/MMC_ActiveDirSitesServices -
-
- ADMX_MMCSnapins/MMC_ActiveDirUsersComp -
-
- ADMX_MMCSnapins/MMC_AppleTalkRouting -
-
- ADMX_MMCSnapins/MMC_AuthMan -
-
- ADMX_MMCSnapins/MMC_CertAuth -
-
- ADMX_MMCSnapins/MMC_CertAuthPolSet -
-
- ADMX_MMCSnapins/MMC_Certs -
-
- ADMX_MMCSnapins/MMC_CertsTemplate -
-
- ADMX_MMCSnapins/MMC_ComponentServices -
-
- ADMX_MMCSnapins/MMC_ComputerManagement -
-
- ADMX_MMCSnapins/MMC_ConnectionSharingNAT -
-
- ADMX_MMCSnapins/MMC_DCOMCFG -
-
- ADMX_MMCSnapins/MMC_DFS -
-
- ADMX_MMCSnapins/MMC_DHCPRelayMgmt -
-
- ADMX_MMCSnapins/MMC_DeviceManager_1 -
-
- ADMX_MMCSnapins/MMC_DeviceManager_2 -
-
- ADMX_MMCSnapins/MMC_DiskDefrag -
-
- ADMX_MMCSnapins/MMC_DiskMgmt -
-
- ADMX_MMCSnapins/MMC_EnterprisePKI -
-
- ADMX_MMCSnapins/MMC_EventViewer_1 -
-
- ADMX_MMCSnapins/MMC_EventViewer_2 -
-
- ADMX_MMCSnapins/MMC_EventViewer_3 -
-
- ADMX_MMCSnapins/MMC_EventViewer_4 -
-
- ADMX_MMCSnapins/MMC_FAXService -
-
- ADMX_MMCSnapins/MMC_FailoverClusters -
-
- ADMX_MMCSnapins/MMC_FolderRedirection_1 -
-
- ADMX_MMCSnapins/MMC_FolderRedirection_2 -
-
- ADMX_MMCSnapins/MMC_FrontPageExt -
-
- ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn -
-
- ADMX_MMCSnapins/MMC_GroupPolicySnapIn -
-
- ADMX_MMCSnapins/MMC_GroupPolicyTab -
-
- ADMX_MMCSnapins/MMC_HRA -
-
- ADMX_MMCSnapins/MMC_IAS -
-
- ADMX_MMCSnapins/MMC_IASLogging -
-
- ADMX_MMCSnapins/MMC_IEMaintenance_1 -
-
- ADMX_MMCSnapins/MMC_IEMaintenance_2 -
-
- ADMX_MMCSnapins/MMC_IGMPRouting -
-
- ADMX_MMCSnapins/MMC_IIS -
-
- ADMX_MMCSnapins/MMC_IPRouting -
-
- ADMX_MMCSnapins/MMC_IPSecManage_GP -
-
- ADMX_MMCSnapins/MMC_IPXRIPRouting -
-
- ADMX_MMCSnapins/MMC_IPXRouting -
-
- ADMX_MMCSnapins/MMC_IPXSAPRouting -
-
- ADMX_MMCSnapins/MMC_IndexingService -
-
- ADMX_MMCSnapins/MMC_IpSecManage -
-
- ADMX_MMCSnapins/MMC_IpSecMonitor -
-
- ADMX_MMCSnapins/MMC_LocalUsersGroups -
-
- ADMX_MMCSnapins/MMC_LogicalMappedDrives -
-
- ADMX_MMCSnapins/MMC_NPSUI -
-
- ADMX_MMCSnapins/MMC_NapSnap -
-
- ADMX_MMCSnapins/MMC_NapSnap_GP -
-
- ADMX_MMCSnapins/MMC_Net_Framework -
-
- ADMX_MMCSnapins/MMC_OCSP -
-
- ADMX_MMCSnapins/MMC_OSPFRouting -
-
- ADMX_MMCSnapins/MMC_PerfLogsAlerts -
-
- ADMX_MMCSnapins/MMC_PublicKey -
-
- ADMX_MMCSnapins/MMC_QoSAdmission -
-
- ADMX_MMCSnapins/MMC_RAS_DialinUser -
-
- ADMX_MMCSnapins/MMC_RIPRouting -
-
- ADMX_MMCSnapins/MMC_RIS -
-
- ADMX_MMCSnapins/MMC_RRA -
-
- ADMX_MMCSnapins/MMC_RSM -
-
- ADMX_MMCSnapins/MMC_RemStore -
-
- ADMX_MMCSnapins/MMC_RemoteAccess -
-
- ADMX_MMCSnapins/MMC_RemoteDesktop -
-
- ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn -
-
- ADMX_MMCSnapins/MMC_Routing -
-
- ADMX_MMCSnapins/MMC_SCA -
-
- ADMX_MMCSnapins/MMC_SMTPProtocol -
-
- ADMX_MMCSnapins/MMC_SNMP -
-
- ADMX_MMCSnapins/MMC_ScriptsMachine_1 -
-
- ADMX_MMCSnapins/MMC_ScriptsMachine_2 -
-
- ADMX_MMCSnapins/MMC_ScriptsUser_1 -
-
- ADMX_MMCSnapins/MMC_ScriptsUser_2 -
-
- ADMX_MMCSnapins/MMC_SecuritySettings_1 -
-
- ADMX_MMCSnapins/MMC_SecuritySettings_2 -
-
- ADMX_MMCSnapins/MMC_SecurityTemplates -
-
- ADMX_MMCSnapins/MMC_SendConsoleMessage -
-
- ADMX_MMCSnapins/MMC_ServerManager -
-
- ADMX_MMCSnapins/MMC_ServiceDependencies -
-
- ADMX_MMCSnapins/MMC_Services -
-
- ADMX_MMCSnapins/MMC_SharedFolders -
-
- ADMX_MMCSnapins/MMC_SharedFolders_Ext -
-
- ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1 -
-
- ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2 -
-
- ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1 -
-
- ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2 -
-
- ADMX_MMCSnapins/MMC_SysInfo -
-
- ADMX_MMCSnapins/MMC_SysProp -
-
- ADMX_MMCSnapins/MMC_TPMManagement -
-
- ADMX_MMCSnapins/MMC_Telephony -
-
- ADMX_MMCSnapins/MMC_TerminalServices -
-
- ADMX_MMCSnapins/MMC_WMI -
-
- ADMX_MMCSnapins/MMC_WindowsFirewall -
-
- ADMX_MMCSnapins/MMC_WindowsFirewall_GP -
-
- ADMX_MMCSnapins/MMC_WiredNetworkPolicy -
-
- ADMX_MMCSnapins/MMC_WirelessMon -
-
- ADMX_MMCSnapins/MMC_WirelessNetworkPolicy -
-
- -### ADMX_MobilePCMobilityCenter policies -
-
- ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1 -
-
- ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2 -
-
- -### ADMX_MobilePCPresentationSettings policies -
-
- ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1 -
-
- ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2 -
-
- -### ADMX_MSAPolicy policies -
-
- ADMX_MSAPolicy/IncludeMicrosoftAccount_DisableUserAuthCmdLine -
-
- -### ADMX_msched policies - -
-
- ADMX_msched/ActivationBoundaryPolicy -
-
- ADMX_msched/RandomDelayPolicy -
-
- -### ADMX_MSDT policies - -
-
- ADMX_MSDT/MsdtSupportProvider -
-
- ADMX_MSDT/MsdtToolDownloadPolicy -
-
- ADMX_MSDT/WdiScenarioExecutionPolicy -
-
- -### ADMX_MSI policies - -
-
- ADMX_MSI/AllowLockdownBrowse -
-
- ADMX_MSI/AllowLockdownMedia -
-
- ADMX_MSI/AllowLockdownPatch -
-
- ADMX_MSI/DisableAutomaticApplicationShutdown -
-
- ADMX_MSI/DisableBrowse -
-
- ADMX_MSI/DisableFlyweightPatching -
-
- ADMX_MSI/DisableLoggingFromPackage -
-
- ADMX_MSI/DisableMSI -
-
- ADMX_MSI/DisableMedia -
-
- ADMX_MSI/DisablePatch -
-
- ADMX_MSI/DisableRollback_1 -
-
- ADMX_MSI/DisableRollback_2 -
-
- ADMX_MSI/DisableSharedComponent -
-
- ADMX_MSI/MSILogging -
-
- ADMX_MSI/MSI_DisableLUAPatching -
-
- ADMX_MSI/MSI_DisablePatchUninstall -
-
- ADMX_MSI/MSI_DisableSRCheckPoints -
-
- ADMX_MSI/MSI_DisableUserInstalls -
-
- ADMX_MSI/MSI_EnforceUpgradeComponentRules -
-
- ADMX_MSI/MSI_MaxPatchCacheSize -
-
- ADMX_MSI/MsiDisableEmbeddedUI -
-
- ADMX_MSI/SafeForScripting -
-
- ADMX_MSI/SearchOrder -
-
- ADMX_MSI/TransformsSecure -
-
- -### ADMX_MsiFileRecovery policies -
-
- ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy -
-
- -### ADMX_nca policies -
-
- ADMX_nca/CorporateResources -
-
- ADMX_nca/CustomCommands -
-
- ADMX_nca/DTEs -
-
- ADMX_nca/FriendlyName -
-
- ADMX_nca/LocalNamesOn -
-
- ADMX_nca/PassiveMode -
-
- ADMX_nca/ShowUI -
-
- ADMX_nca/SupportEmail -
-
- -### ADMX_NCSI policies -
-
- ADMX_NCSI/NCSI_CorpDnsProbeContent -
-
- ADMX_NCSI/NCSI_CorpDnsProbeHost -
-
- ADMX_NCSI/NCSI_CorpSitePrefixes -
-
- ADMX_NCSI/NCSI_CorpWebProbeUrl -
-
- ADMX_NCSI/NCSI_DomainLocationDeterminationUrl -
-
- ADMX_NCSI/NCSI_GlobalDns -
-
- ADMX_NCSI/NCSI_PassivePolling -
-
- -### ADMX_Netlogon policies - -
-
- ADMX_Netlogon/Netlogon_AddressLookupOnPingBehavior -
-
- ADMX_Netlogon/Netlogon_AddressTypeReturned -
-
- ADMX_Netlogon/Netlogon_AllowDnsSuffixSearch -
-
- ADMX_Netlogon/Netlogon_AllowNT4Crypto -
-
- ADMX_Netlogon/Netlogon_AllowSingleLabelDnsDomain -
-
- ADMX_Netlogon/Netlogon_AutoSiteCoverage -
-
- ADMX_Netlogon/Netlogon_AvoidFallbackNetbiosDiscovery -
-
- ADMX_Netlogon/Netlogon_AvoidPdcOnWan -
-
- ADMX_Netlogon/Netlogon_BackgroundRetryInitialPeriod -
-
- ADMX_Netlogon/Netlogon_BackgroundRetryMaximumPeriod -
-
- ADMX_Netlogon/Netlogon_BackgroundRetryQuitTime -
-
- ADMX_Netlogon/Netlogon_BackgroundSuccessfulRefreshPeriod -
-
- ADMX_Netlogon/Netlogon_DebugFlag -
-
- ADMX_Netlogon/Netlogon_DnsAvoidRegisterRecords -
-
- ADMX_Netlogon/Netlogon_DnsRefreshInterval -
-
- ADMX_Netlogon/Netlogon_DnsSrvRecordUseLowerCaseHostNames -
-
- ADMX_Netlogon/Netlogon_DnsTtl -
-
- ADMX_Netlogon/Netlogon_ExpectedDialupDelay -
-
- ADMX_Netlogon/Netlogon_ForceRediscoveryInterval -
-
- ADMX_Netlogon/Netlogon_GcSiteCoverage -
-
- ADMX_Netlogon/Netlogon_IgnoreIncomingMailslotMessages -
-
- ADMX_Netlogon/Netlogon_LdapSrvPriority -
-
- ADMX_Netlogon/Netlogon_LdapSrvWeight -
-
- ADMX_Netlogon/Netlogon_MaximumLogFileSize -
-
- ADMX_Netlogon/Netlogon_NdncSiteCoverage -
-
- ADMX_Netlogon/Netlogon_NegativeCachePeriod -
-
- ADMX_Netlogon/Netlogon_NetlogonShareCompatibilityMode -
-
- ADMX_Netlogon/Netlogon_NonBackgroundSuccessfulRefreshPeriod -
-
- ADMX_Netlogon/Netlogon_PingUrgencyMode -
-
- ADMX_Netlogon/Netlogon_ScavengeInterval -
-
- ADMX_Netlogon/Netlogon_SiteCoverage -
-
- ADMX_Netlogon/Netlogon_SiteName -
-
- ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode -
-
- ADMX_Netlogon/Netlogon_TryNextClosestSite -
-
- ADMX_Netlogon/Netlogon_UseDynamicDns -
-
- -### ADMX_NetworkConnections policies - -
-
- ADMX_NetworkConnections/NC_AddRemoveComponents -
-
- ADMX_NetworkConnections/NC_AdvancedSettings -
-
- ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig -
-
- ADMX_NetworkConnections/NC_ChangeBindState -
-
- ADMX_NetworkConnections/NC_DeleteAllUserConnection -
-
- ADMX_NetworkConnections/NC_DeleteConnection -
-
- ADMX_NetworkConnections/NC_DialupPrefs -
-
- ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon -
-
- ADMX_NetworkConnections/NC_EnableAdminProhibits -
-
- ADMX_NetworkConnections/NC_ForceTunneling -
-
- ADMX_NetworkConnections/NC_IpStateChecking -
-
- ADMX_NetworkConnections/NC_LanChangeProperties -
-
- ADMX_NetworkConnections/NC_LanConnect -
-
- ADMX_NetworkConnections/NC_LanProperties -
-
- ADMX_NetworkConnections/NC_NewConnectionWizard -
-
- ADMX_NetworkConnections/NC_PersonalFirewallConfig -
-
- ADMX_NetworkConnections/NC_RasAllUserProperties -
-
- ADMX_NetworkConnections/NC_RasChangeProperties -
-
- ADMX_NetworkConnections/NC_RasConnect -
-
- ADMX_NetworkConnections/NC_RasMyProperties -
-
- ADMX_NetworkConnections/NC_RenameAllUserRasConnection -
-
- ADMX_NetworkConnections/NC_RenameConnection -
-
- ADMX_NetworkConnections/NC_RenameLanConnection -
-
- ADMX_NetworkConnections/NC_RenameMyRasConnection -
-
- ADMX_NetworkConnections/NC_ShowSharedAccessUI -
-
- ADMX_NetworkConnections/NC_Statistics -
-
- ADMX_NetworkConnections/NC_StdDomainUserSetLocation -
-
- -### ADMX_OfflineFiles policies - -
- ADMX_OfflineFiles/Pol_AlwaysPinSubFolders -
-
- ADMX_OfflineFiles/Pol_AssignedOfflineFiles_1 -
-
- ADMX_OfflineFiles/Pol_AssignedOfflineFiles_2 -
-
- ADMX_OfflineFiles/Pol_BackgroundSyncSettings -
-
- ADMX_OfflineFiles/Pol_CacheSize -
-
- ADMX_OfflineFiles/Pol_CustomGoOfflineActions_1 -
-
- ADMX_OfflineFiles/Pol_CustomGoOfflineActions_2 -
-
- ADMX_OfflineFiles/Pol_DefCacheSize -
-
- ADMX_OfflineFiles/Pol_Enabled -
-
- ADMX_OfflineFiles/Pol_EncryptOfflineFiles -
-
- ADMX_OfflineFiles/Pol_EventLoggingLevel_1 -
-
- ADMX_OfflineFiles/Pol_EventLoggingLevel_2 -
-
- ADMX_OfflineFiles/Pol_ExclusionListSettings -
-
- ADMX_OfflineFiles/Pol_ExtExclusionList -
-
- ADMX_OfflineFiles/Pol_GoOfflineAction_1 -
-
- ADMX_OfflineFiles/Pol_GoOfflineAction_2 -
-
- ADMX_OfflineFiles/Pol_NoCacheViewer_1 -
-
- ADMX_OfflineFiles/Pol_NoCacheViewer_2 -
-
- ADMX_OfflineFiles/Pol_NoConfigCache_1 -
-
- ADMX_OfflineFiles/Pol_NoConfigCache_2 -
-
- ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_1 -
-
- ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_2 -
-
- ADMX_OfflineFiles/Pol_NoPinFiles_1 -
-
- ADMX_OfflineFiles/Pol_NoPinFiles_2 -
-
- ADMX_OfflineFiles/Pol_NoReminders_1 -
-
- ADMX_OfflineFiles/Pol_NoReminders_2 -
-
- ADMX_OfflineFiles/Pol_OnlineCachingSettings -
-
- ADMX_OfflineFiles/Pol_PurgeAtLogoff -
-
- ADMX_OfflineFiles/Pol_QuickAdimPin -
-
- ADMX_OfflineFiles/Pol_ReminderFreq_1 -
-
- ADMX_OfflineFiles/Pol_ReminderFreq_2 -
-
- ADMX_OfflineFiles/Pol_ReminderInitTimeout_1 -
-
- ADMX_OfflineFiles/Pol_ReminderInitTimeout_2 -
-
- ADMX_OfflineFiles/Pol_ReminderTimeout_1 -
-
- ADMX_OfflineFiles/Pol_ReminderTimeout_2 -
-
- ADMX_OfflineFiles/Pol_SlowLinkSettings -
-
- ADMX_OfflineFiles/Pol_SlowLinkSpeed -
-
- ADMX_OfflineFiles/Pol_SyncAtLogoff_1 -
-
- ADMX_OfflineFiles/Pol_SyncAtLogoff_2 -
-
- ADMX_OfflineFiles/Pol_SyncAtLogon_1 -
-
- ADMX_OfflineFiles/Pol_SyncAtLogon_2 -
-
- ADMX_OfflineFiles/Pol_SyncAtSuspend_1 -
-
- ADMX_OfflineFiles/Pol_SyncAtSuspend_2 -
-
- ADMX_OfflineFiles/Pol_SyncOnCostedNetwork -
-
- ADMX_OfflineFiles/Pol_WorkOfflineDisabled_1 -
-
- ADMX_OfflineFiles/Pol_WorkOfflineDisabled_2 -
-
- -### ADMX_pca policies - -
-
- ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy -
-
- ADMX_pca/DetectDeprecatedComponentFailuresPolicy -
-
- ADMX_pca/DetectInstallFailuresPolicy -
-
- ADMX_pca/DetectUndetectedInstallersPolicy -
-
- ADMX_pca/DetectUpdateFailuresPolicy -
-
- ADMX_pca/DisablePcaUIPolicy -
-
- ADMX_pca/DetectBlockedDriversPolicy -
-
- -### ADMX_PeerToPeerCaching policies - -
-
- ADMX_PeerToPeerCaching/EnableWindowsBranchCache -
-
- ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Distributed -
-
- ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Hosted -
-
- ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedCacheDiscovery -
-
- ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedMultipleServers -
-
- ADMX_PeerToPeerCaching/EnableWindowsBranchCache_SMB -
-
- ADMX_PeerToPeerCaching/SetCachePercent -
-
- ADMX_PeerToPeerCaching/SetDataCacheEntryMaxAge -
-
- ADMX_PeerToPeerCaching/SetDowngrading -
-
- -### ADMX_PenTraining policies - -
-
- ADMX_PenTraining/PenTrainingOff_1 -
-
- ADMX_PenTraining/PenTrainingOff_2 -
-
- -### ADMX_PerformanceDiagnostics policies - -
-
- ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_1 -
-
- ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2 -
-
- ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3 -
-
- ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4 -
-
- -### ADMX_Power policies - -
-
- ADMX_Power/ACConnectivityInStandby_2 -
-
- ADMX_Power/ACCriticalSleepTransitionsDisable_2 -
-
- ADMX_Power/ACStartMenuButtonAction_2 -
-
- ADMX_Power/AllowSystemPowerRequestAC -
-
- ADMX_Power/AllowSystemPowerRequestDC -
-
- ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC -
-
- ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC -
-
- ADMX_Power/CustomActiveSchemeOverride_2 -
-
- ADMX_Power/DCBatteryDischargeAction0_2 -
-
- ADMX_Power/DCBatteryDischargeAction1_2 -
-
- ADMX_Power/DCBatteryDischargeLevel0_2 -
-
- ADMX_Power/DCBatteryDischargeLevel1UINotification_2 -
-
- ADMX_Power/DCBatteryDischargeLevel1_2 -
-
- ADMX_Power/DCConnectivityInStandby_2 -
-
- ADMX_Power/DCCriticalSleepTransitionsDisable_2 -
-
- ADMX_Power/DCStartMenuButtonAction_2 -
-
- ADMX_Power/DiskACPowerDownTimeOut_2 -
-
- ADMX_Power/DiskDCPowerDownTimeOut_2 -
-
- ADMX_Power/Dont_PowerOff_AfterShutdown -
-
- ADMX_Power/EnableDesktopSlideShowAC -
-
- ADMX_Power/EnableDesktopSlideShowDC -
-
- ADMX_Power/InboxActiveSchemeOverride_2 -
-
- ADMX_Power/PW_PromptPasswordOnResume -
-
- ADMX_Power/PowerThrottlingTurnOff -
-
- ADMX_Power/ReserveBatteryNotificationLevel -
-
- -### ADMX_PowerShellExecutionPolicy policies - -
-
- ADMX_PowerShellExecutionPolicy/EnableModuleLogging -
-
- ADMX_PowerShellExecutionPolicy/EnableScripts -
-
- ADMX_PowerShellExecutionPolicy/EnableTranscripting -
-
- ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath -
-
- -### ADMX_PreviousVersions policies - -
-
- ADMX_PreviousVersions/DisableLocalPage_1 -
-
- ADMX_PreviousVersions/DisableLocalPage_2 -
-
- ADMX_PreviousVersions/DisableRemotePage_1 -
-
- ADMX_PreviousVersions/DisableRemotePage_2 -
-
- ADMX_PreviousVersions/HideBackupEntries_1 -
-
- ADMX_PreviousVersions/HideBackupEntries_2 -
-
- ADMX_PreviousVersions/DisableLocalRestore_1 -
-
- ADMX_PreviousVersions/DisableLocalRestore_2 -
-
- -### ADMX_Printing policies - -
-
- ADMX_Printing/AllowWebPrinting -
-
- ADMX_Printing/ApplicationDriverIsolation -
-
- ADMX_Printing/CustomizedSupportUrl -
-
- ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate -
-
- ADMX_Printing/DomainPrinters -
-
- ADMX_Printing/DownlevelBrowse -
-
- ADMX_Printing/EMFDespooling -
-
- ADMX_Printing/ForceSoftwareRasterization -
-
- ADMX_Printing/IntranetPrintersUrl -
-
- ADMX_Printing/KMPrintersAreBlocked -
-
- ADMX_Printing/LegacyDefaultPrinterMode -
-
- ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS -
-
- ADMX_Printing/NoDeletePrinter -
-
- ADMX_Printing/NonDomainPrinters -
-
- ADMX_Printing/PackagePointAndPrintOnly -
-
- ADMX_Printing/PackagePointAndPrintOnly_Win7 -
-
- ADMX_Printing/PackagePointAndPrintServerList -
-
- ADMX_Printing/PackagePointAndPrintServerList_Win7 -
-
- ADMX_Printing/PhysicalLocation -
-
- ADMX_Printing/PhysicalLocationSupport -
-
- ADMX_Printing/PrintDriverIsolationExecutionPolicy -
-
- ADMX_Printing/PrintDriverIsolationOverrideCompat -
-
- ADMX_Printing/PrinterDirectorySearchScope -
-
- ADMX_Printing/PrinterServerThread -
-
- ADMX_Printing/ShowJobTitleInEventLogs -
-
- ADMX_Printing/V4DriverDisallowPrinterExtension -
-
- -### ADMX_Printing2 policies - -
-
- ADMX_Printing2/AutoPublishing -
-
- ADMX_Printing2/ImmortalPrintQueue -
-
- ADMX_Printing2/PruneDownlevel -
-
- ADMX_Printing2/PruningInterval -
-
- ADMX_Printing2/PruningPriority -
-
- ADMX_Printing2/PruningRetries -
-
- ADMX_Printing2/PruningRetryLog -
-
- ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint -
-
- ADMX_Printing2/VerifyPublishedState -
-
- -### ADMX_Programs policies - -
-
- ADMX_Programs/NoDefaultPrograms -
-
- ADMX_Programs/NoGetPrograms -
-
- ADMX_Programs/NoInstalledUpdates -
-
- ADMX_Programs/NoProgramsAndFeatures -
-
- ADMX_Programs/NoProgramsCPL -
-
- ADMX_Programs/NoWindowsFeatures -
-
- ADMX_Programs/NoWindowsMarketplace -
-
- -### ADMX_Reliability policies - -
-
- ADMX_Reliability/EE_EnablePersistentTimeStamp -
-
- ADMX_Reliability/PCH_ReportShutdownEvents -
-
- ADMX_Reliability/ShutdownEventTrackerStateFile -
-
- ADMX_Reliability/ShutdownReason -
-
- -### ADMX_RemoteAssistance policies - -
-
- ADMX_RemoteAssistance/RA_EncryptedTicketOnly -
-
- ADMX_RemoteAssistance/RA_Optimize_Bandwidth -
-
- -### ADMX_RemovableStorage policies - -
-
- ADMX_RemovableStorage/AccessRights_RebootTime_1 -
-
- ADMX_RemovableStorage/AccessRights_RebootTime_2 -
-
- ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2 -
-
- ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1 -
-
- ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2 -
-
- ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1 -
-
- ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2 -
-
- ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1 -
-
- ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2 -
-
- ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1 -
-
- ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2 -
-
- ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2 -
-
- ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1 -
-
- ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2 -
-
- ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1 -
-
- ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2 -
-
- ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2 -
-
- ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1 -
-
- ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2 -
-
- ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1 -
-
- ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1 -
-
- ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2 -
-
- ADMX_RemovableStorage/Removable_Remote_Allow_Access -
-
- ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2 -
-
- ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1 -
-
- ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2 -
-
- ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1 -
-
- ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2 -
-
- ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1 -
-
- ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2 -
-
- ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1 -
-
- ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2 -
-
- -### ADMX_RPC policies - -
-
- ADMX_RPC/RpcExtendedErrorInformation -
-
- ADMX_RPC/RpcIgnoreDelegationFailure -
-
- ADMX_RPC/RpcMinimumHttpConnectionTimeout -
-
- ADMX_RPC/RpcStateInformation -
-
- -### ADMX_Scripts policies - -
-
- ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled -
-
- ADMX_Scripts/MaxGPOScriptWaitPolicy -
-
- ADMX_Scripts/Run_Computer_PS_Scripts_First -
-
- ADMX_Scripts/Run_Legacy_Logon_Script_Hidden -
-
- ADMX_Scripts/Run_Logoff_Script_Visible -
-
- ADMX_Scripts/Run_Logon_Script_Sync_1 -
-
- ADMX_Scripts/Run_Logon_Script_Sync_2 -
-
- ADMX_Scripts/Run_Logon_Script_Visible -
-
- ADMX_Scripts/Run_Shutdown_Script_Visible -
-
- ADMX_Scripts/Run_Startup_Script_Sync -
-
- ADMX_Scripts/Run_Startup_Script_Visible -
-
- ADMX_Scripts/Run_User_PS_Scripts_First -
-
- -### ADMX_sdiagschd policies - -
-
- ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy -
-
- -### ADMX_sdiageng policies - -
-
- ADMX_sdiageng/BetterWhenConnected -
-
- ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy -
-
- ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy -
-
- -### ADMX_Securitycenter policies - -
-
- ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain -
-
- -### ADMX_Sensors policies - -
-
- ADMX_Sensors/DisableLocationScripting_1 -
-
- ADMX_Sensors/DisableLocationScripting_2 -
-
- ADMX_Sensors/DisableLocation_1 -
-
- ADMX_Sensors/DisableSensors_1 -
-
- ADMX_Sensors/DisableSensors_2 -
-
- -### ADMX_ServerManager policies - -
-
- ADMX_ServerManager/Do_not_display_Manage_Your_Server_page -
-
- ADMX_ServerManager/ServerManagerAutoRefreshRate -
-
- ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks -
-
- ADMX_ServerManager/DoNotLaunchServerManager -
-
- -### ADMX_Servicing policies - -
-
- ADMX_Servicing/Servicing -
-
- -### ADMX_SettingSync policies - -
-
- ADMX_SettingSync/DisableAppSyncSettingSync -
-
- ADMX_SettingSync/DisableApplicationSettingSync -
-
- ADMX_SettingSync/DisableCredentialsSettingSync -
-
- ADMX_SettingSync/DisableDesktopThemeSettingSync -
-
- ADMX_SettingSync/DisablePersonalizationSettingSync -
-
- ADMX_SettingSync/DisableSettingSync -
-
- ADMX_SettingSync/DisableStartLayoutSettingSync -
-
- ADMX_SettingSync/DisableSyncOnPaidNetwork -
-
- ADMX_SettingSync/DisableWindowsSettingSync -
-
- -### ADMX_SharedFolders policies - -
-
- ADMX_SharedFolders/PublishDfsRoots -
-
- ADMX_SharedFolders/PublishSharedFolders -
-
- -### ADMX_Sharing policies - -
-
- ADMX_Sharing/NoInplaceSharing -
-
- -### ADMX_ShellCommandPromptRegEditTools policies - -
-
- ADMX_ShellCommandPromptRegEditTools/DisallowApps -
-
- ADMX_ShellCommandPromptRegEditTools/DisableRegedit -
-
- ADMX_ShellCommandPromptRegEditTools/DisableCMD -
-
- ADMX_ShellCommandPromptRegEditTools/RestrictApps -
-
- -### ADMX_Smartcard policies - -
-
- ADMX_Smartcard/AllowCertificatesWithNoEKU -
-
- ADMX_Smartcard/AllowIntegratedUnblock -
-
- ADMX_Smartcard/AllowSignatureOnlyKeys -
-
- ADMX_Smartcard/AllowTimeInvalidCertificates -
-
- ADMX_Smartcard/CertPropEnabledString -
-
- ADMX_Smartcard/CertPropRootCleanupString -
-
- ADMX_Smartcard/CertPropRootEnabledString -
-
- ADMX_Smartcard/DisallowPlaintextPin -
-
- ADMX_Smartcard/EnumerateECCCerts -
-
- ADMX_Smartcard/FilterDuplicateCerts -
-
- ADMX_Smartcard/ForceReadingAllCertificates -
-
- ADMX_Smartcard/IntegratedUnblockPromptString -
-
- ADMX_Smartcard/ReverseSubject -
-
- ADMX_Smartcard/SCPnPEnabled -
-
- ADMX_Smartcard/SCPnPNotification -
-
- ADMX_Smartcard/X509HintsNeeded -
-
- -### ADMX_Snmp policies - -
-
- ADMX_Snmp/SNMP_Communities -
-
- ADMX_Snmp/SNMP_PermittedManagers -
-
- ADMX_Snmp/SNMP_Traps_Public -
-
-
-
- -### ADMX_StartMenu policies - -
-
- ADMX_StartMenu/AddSearchInternetLinkInStartMenu -
-
- ADMX_StartMenu/ClearRecentDocsOnExit -
-
- ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu -
-
- ADMX_StartMenu/ClearTilesOnExit -
-
- ADMX_StartMenu/DesktopAppsFirstInAppsView -
-
- ADMX_StartMenu/DisableGlobalSearchOnAppsView -
-
- ADMX_StartMenu/ForceStartMenuLogOff -
-
- ADMX_StartMenu/GoToDesktopOnSignIn -
-
- ADMX_StartMenu/GreyMSIAds -
-
- ADMX_StartMenu/HidePowerOptions -
-
- ADMX_StartMenu/Intellimenus -
-
- ADMX_StartMenu/LockTaskbar -
-
- ADMX_StartMenu/MemCheckBoxInRunDlg -
-
- ADMX_StartMenu/NoAutoTrayNotify -
-
- ADMX_StartMenu/NoBalloonTip -
-
- ADMX_StartMenu/NoChangeStartMenu -
-
- ADMX_StartMenu/NoClose -
-
- ADMX_StartMenu/NoCommonGroups -
-
- ADMX_StartMenu/NoFavoritesMenu -
-
- ADMX_StartMenu/NoFind -
-
- ADMX_StartMenu/NoGamesFolderOnStartMenu -
-
- ADMX_StartMenu/NoHelp -
-
- ADMX_StartMenu/NoInstrumentation -
-
- ADMX_StartMenu/NoMoreProgramsList -
-
- ADMX_StartMenu/NoNetAndDialupConnect -
-
- ADMX_StartMenu/NoPinnedPrograms -
-
- ADMX_StartMenu/NoRecentDocsMenu -
-
- ADMX_StartMenu/NoResolveSearch -
-
- ADMX_StartMenu/NoResolveTrack -
-
- ADMX_StartMenu/NoRun -
-
- ADMX_StartMenu/NoSMConfigurePrograms -
-
- ADMX_StartMenu/NoSMMyDocuments -
-
- ADMX_StartMenu/NoSMMyMusic -
-
- ADMX_StartMenu/NoSMMyNetworkPlaces -
-
- ADMX_StartMenu/NoSMMyPictures -
-
- ADMX_StartMenu/NoSearchCommInStartMenu -
-
- ADMX_StartMenu/NoSearchComputerLinkInStartMenu -
-
- ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu -
-
- ADMX_StartMenu/NoSearchFilesInStartMenu -
-
- ADMX_StartMenu/NoSearchInternetInStartMenu -
-
- ADMX_StartMenu/NoSearchProgramsInStartMenu -
-
- ADMX_StartMenu/NoSetFolders -
-
- ADMX_StartMenu/NoSetTaskbar -
-
- ADMX_StartMenu/NoStartMenuDownload -
-
- ADMX_StartMenu/NoStartMenuHomegroup -
-
- ADMX_StartMenu/NoStartMenuRecordedTV -
-
- ADMX_StartMenu/NoStartMenuSubFolders -
-
- ADMX_StartMenu/NoStartMenuVideos -
-
- ADMX_StartMenu/NoStartPage -
-
- ADMX_StartMenu/NoTaskBarClock -
-
- ADMX_StartMenu/NoTaskGrouping -
-
- ADMX_StartMenu/NoToolbarsOnTaskbar -
-
- ADMX_StartMenu/NoTrayContextMenu -
-
- ADMX_StartMenu/NoTrayItemsDisplay -
-
- ADMX_StartMenu/NoUninstallFromStart -
-
- ADMX_StartMenu/NoUserFolderOnStartMenu -
-
- ADMX_StartMenu/NoUserNameOnStartMenu -
-
- ADMX_StartMenu/NoWindowsUpdate -
-
- ADMX_StartMenu/PowerButtonAction -
-
- ADMX_StartMenu/QuickLaunchEnabled -
-
- ADMX_StartMenu/RemoveUnDockPCButton -
-
- ADMX_StartMenu/ShowAppsViewOnStart -
-
- ADMX_StartMenu/ShowRunAsDifferentUserInStart -
-
- ADMX_StartMenu/ShowRunInStartMenu -
-
- ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey -
-
- ADMX_StartMenu/StartMenuLogOff -
-
- ADMX_StartMenu/StartPinAppsWhenInstalled -
-
- -### ADMX_SystemRestore policies - -
-
- ADMX_SystemRestore/SR_DisableConfig -
-
- -### ADMX_TabletShell policies - -
-
- ADMX_TabletShell/DisableInkball_1 -
-
- ADMX_TabletShell/DisableNoteWriterPrinting_1 -
-
- -### ADMX_Taskbar policies - -
-
- ADMX_Taskbar/DisableNotificationCenter -
-
- ADMX_Taskbar/EnableLegacyBalloonNotifications -
-
- ADMX_Taskbar/HideSCAHealth -
-
- ADMX_Taskbar/HideSCANetwork -
-
- ADMX_Taskbar/HideSCAPower -
-
- ADMX_Taskbar/HideSCAVolume -
-
- ADMX_Taskbar/NoBalloonFeatureAdvertisements -
-
- ADMX_Taskbar/NoPinningStoreToTaskbar -
-
- ADMX_Taskbar/NoPinningToDestinations -
-
- ADMX_Taskbar/NoPinningToTaskbar -
-
- ADMX_Taskbar/NoRemoteDestinations -
-
- ADMX_Taskbar/NoSystraySystemPromotion -
-
- ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar -
-
- ADMX_Taskbar/TaskbarLockAll -
-
- ADMX_Taskbar/TaskbarNoAddRemoveToolbar -
-
- ADMX_Taskbar/TaskbarNoDragToolbar -
-
- ADMX_Taskbar/TaskbarNoMultimon -
-
- ADMX_Taskbar/TaskbarNoNotification -
-
- ADMX_Taskbar/TaskbarNoPinnedList -
-
- ADMX_Taskbar/TaskbarNoRedock -
-
- ADMX_Taskbar/TaskbarNoResize -
-
- ADMX_Taskbar/TaskbarNoThumbnail -
-
- -### ADMX_tcpip policies - -
-
- ADMX_tcpip/6to4_Router_Name -
-
- ADMX_tcpip/6to4_Router_Name_Resolution_Interval -
-
- ADMX_tcpip/6to4_State -
-
- ADMX_tcpip/IPHTTPS_ClientState -
-
- ADMX_tcpip/IP_Stateless_Autoconfiguration_Limits_State -
-
- ADMX_tcpip/ISATAP_Router_Name -
-
- ADMX_tcpip/ISATAP_State -
-
- ADMX_tcpip/Teredo_Client_Port -
-
- ADMX_tcpip/Teredo_Default_Qualified -
-
- ADMX_tcpip/Teredo_Refresh_Rate -
-
- ADMX_tcpip/Teredo_Server_Name -
-
- ADMX_tcpip/Teredo_State -
-
- ADMX_tcpip/Windows_Scaling_Heuristics_State -
-
- -### ADMX_TerminalServer policies - -
-
- ADMX_TerminalServer/TS_AUTO_RECONNECT -
-
- ADMX_TerminalServer/TS_CAMERA_REDIRECTION -
-
- ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY -
-
- ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1 -
-
- ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2 -
-
- ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1 -
-
- ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2 -
-
- ADMX_TerminalServer/TS_CLIENT_AUDIO -
-
- ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE -
-
- ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY -
-
- ADMX_TerminalServer/TS_CLIENT_CLIPBOARD -
-
- ADMX_TerminalServer/TS_CLIENT_COM -
-
- ADMX_TerminalServer/TS_CLIENT_DEFAULT_M -
-
- ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE -
-
- ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1 -
-
- ADMX_TerminalServer/TS_CLIENT_LPT -
-
- ADMX_TerminalServer/TS_CLIENT_PNP -
-
- ADMX_TerminalServer/TS_CLIENT_PRINTER -
-
- ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1 -
-
- ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 -
-
- ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP -
-
- ADMX_TerminalServer/TS_COLORDEPTH -
-
- ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES -
-
- ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER -
-
- ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU -
-
- ADMX_TerminalServer/TS_EASY_PRINT -
-
- ADMX_TerminalServer/TS_EASY_PRINT_User -
-
- ADMX_TerminalServer/TS_EnableVirtualGraphics -
-
- ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE -
-
- ADMX_TerminalServer/TS_FORCIBLE_LOGOFF -
-
- ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE -
-
- ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD -
-
- ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER -
-
- ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY -
-
- ADMX_TerminalServer/TS_KEEP_ALIVE -
-
- ADMX_TerminalServer/TS_LICENSE_SECGROUP -
-
- ADMX_TerminalServer/TS_LICENSE_SERVERS -
-
- ADMX_TerminalServer/TS_LICENSE_TOOLTIP -
-
- ADMX_TerminalServer/TS_LICENSING_MODE -
-
- ADMX_TerminalServer/TS_MAX_CON_POLICY -
-
- ADMX_TerminalServer/TS_MAXDISPLAYRES -
-
- ADMX_TerminalServer/TS_MAXMONITOR -
-
- ADMX_TerminalServer/TS_NoDisconnectMenu -
-
- ADMX_TerminalServer/TS_NoSecurityMenu -
-
- ADMX_TerminalServer/TS_PreventLicenseUpgrade -
-
- ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP -
-
- ADMX_TerminalServer/TS_RADC_DefaultConnection -
-
- ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration -
-
- ADMX_TerminalServer/TS_RemoteControl_1 -
-
- ADMX_TerminalServer/TS_RemoteControl_2 -
-
- ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics -
-
- ADMX_TerminalServer/TS_SD_ClustName -
-
- ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS -
-
- ADMX_TerminalServer/TS_SD_Loc -
-
- ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY -
-
- ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT -
-
- ADMX_TerminalServer/TS_SELECT_TRANSPORT -
-
- ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP -
-
- ADMX_TerminalServer/TS_SERVER_AUTH -
-
- ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED -
-
- ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED -
-
- ADMX_TerminalServer/TS_SERVER_COMPRESSOR -
-
- ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY -
-
- ADMX_TerminalServer/TS_SERVER_LEGACY_RFX -
-
- ADMX_TerminalServer/TS_SERVER_PROFILE -
-
- ADMX_TerminalServer/TS_SERVER_VISEXP -
-
- ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER -
-
- ADMX_TerminalServer/TS_Session_End_On_Limit_1 -
-
- ADMX_TerminalServer/TS_Session_End_On_Limit_2 -
-
- ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1 -
-
- ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2 -
- ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1 - -
- ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2 -
-
- ADMX_TerminalServer/TS_SINGLE_SESSION -
-
- ADMX_TerminalServer/TS_SMART_CARD -
-
- ADMX_TerminalServer/TS_START_PROGRAM_1 -
-
- ADMX_TerminalServer/TS_START_PROGRAM_2 -
-
- ADMX_TerminalServer/TS_TEMP_DELETE -
-
- ADMX_TerminalServer/TS_TEMP_PER_SESSION -
-
- ADMX_TerminalServer/TS_TIME_ZONE -
-
- ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY -
-
- ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP -
-
- ADMX_TerminalServer/TS_UIA -
-
- ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE -
-
- ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY -
-
- ADMX_TerminalServer/TS_USER_HOME -
-
- ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES -
-
- ADMX_TerminalServer/TS_USER_PROFILES -
-
- -### ADMX_Thumbnails policies - -
-
- ADMX_Thumbnails/DisableThumbnails -
-
- ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders -
-
- ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders -
-
- -### ADMX_TouchInput policies - -
-
- ADMX_TouchInput/TouchInputOff_1 -
-
- ADMX_TouchInput/TouchInputOff_2 -
-
- ADMX_TouchInput/PanningEverywhereOff_1 -
-
- ADMX_TouchInput/PanningEverywhereOff_2 -
-
- -### ADMX_TPM policies - -
-
- ADMX_TPM/BlockedCommandsList_Name -
-
- ADMX_TPM/ClearTPMIfNotReady_Name -
-
- ADMX_TPM/IgnoreDefaultList_Name -
-
- ADMX_TPM/IgnoreLocalList_Name -
-
- ADMX_TPM/OSManagedAuth_Name -
-
- ADMX_TPM/OptIntoDSHA_Name -
-
- ADMX_TPM/StandardUserAuthorizationFailureDuration_Name -
-
- ADMX_TPM/StandardUserAuthorizationFailureIndividualThreshold_Name -
-
- ADMX_TPM/StandardUserAuthorizationFailureTotalThreshold_Name -
-
- ADMX_TPM/UseLegacyDAP_Name -
-
- -### ADMX_UserExperienceVirtualization policies - -
-
- ADMX_UserExperienceVirtualization/Calculator -
-
- ADMX_UserExperienceVirtualization/ConfigureSyncMethod -
-
- ADMX_UserExperienceVirtualization/ConfigureVdi -
-
- ADMX_UserExperienceVirtualization/ContactITDescription -
-
- ADMX_UserExperienceVirtualization/ContactITUrl -
-
- ADMX_UserExperienceVirtualization/DisableWin8Sync -
-
- ADMX_UserExperienceVirtualization/DisableWindowsOSSettings -
-
- ADMX_UserExperienceVirtualization/EnableUEV -
-
- ADMX_UserExperienceVirtualization/Finance -
-
- ADMX_UserExperienceVirtualization/FirstUseNotificationEnabled -
-
- ADMX_UserExperienceVirtualization/Games -
-
- ADMX_UserExperienceVirtualization/InternetExplorer8 -
-
- ADMX_UserExperienceVirtualization/InternetExplorer9 -
-
- ADMX_UserExperienceVirtualization/InternetExplorer10 -
-
- ADMX_UserExperienceVirtualization/InternetExplorer11 -
-
- ADMX_UserExperienceVirtualization/InternetExplorerCommon -
-
- ADMX_UserExperienceVirtualization/Maps -
-
- ADMX_UserExperienceVirtualization/MaxPackageSizeInBytes -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2010Access -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2010Common -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2010Excel -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2010InfoPath -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2010Lync -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2010OneNote -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2010Outlook -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2010PowerPoint -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2010Project -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2010Publisher -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointDesigner -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointWorkspace -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2010Visio -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2010Word -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013Access -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013AccessBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013Common -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013CommonBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013Excel -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013ExcelBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPath -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPathBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013Lync -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013LyncBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneDriveForBusiness -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNote -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNoteBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013Outlook -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013OutlookBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPoint -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPointBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013Project -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013ProjectBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013Publisher -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013PublisherBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesigner -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesignerBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013UploadCenter -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013Visio -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013VisioBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013Word -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2013WordBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016Access -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016AccessBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016Common -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016CommonBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016Excel -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016ExcelBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016Lync -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016LyncBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneDriveForBusiness -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNote -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNoteBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016Outlook -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016OutlookBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPoint -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPointBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016Project -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016ProjectBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016Publisher -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016PublisherBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016UploadCenter -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016Visio -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016VisioBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016Word -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice2016WordBackup -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2013 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2016 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2013 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2016 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2013 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2016 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365InfoPath2013 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2013 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2016 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2013 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2016 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2013 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2016 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2013 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2016 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2013 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2016 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2013 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2016 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365SharePointDesigner2013 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2013 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2016 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2013 -
-
- ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2016 -
-
- ADMX_UserExperienceVirtualization/Music -
-
- ADMX_UserExperienceVirtualization/News -
-
- ADMX_UserExperienceVirtualization/Notepad -
-
- ADMX_UserExperienceVirtualization/Reader -
-
- ADMX_UserExperienceVirtualization/RepositoryTimeout -
-
- ADMX_UserExperienceVirtualization/SettingsStoragePath -
-
- ADMX_UserExperienceVirtualization/SettingsTemplateCatalogPath -
-
- ADMX_UserExperienceVirtualization/Sports -
-
- ADMX_UserExperienceVirtualization/SyncEnabled -
-
- ADMX_UserExperienceVirtualization/SyncOverMeteredNetwork -
-
- ADMX_UserExperienceVirtualization/SyncOverMeteredNetworkWhenRoaming -
-
- ADMX_UserExperienceVirtualization/SyncProviderPingEnabled -
-
- ADMX_UserExperienceVirtualization/SyncUnlistedWindows8Apps -
-
- ADMX_UserExperienceVirtualization/Travel -
-
- ADMX_UserExperienceVirtualization/TrayIconEnabled -
-
- ADMX_UserExperienceVirtualization/Video -
-
- ADMX_UserExperienceVirtualization/Weather -
-
- ADMX_UserExperienceVirtualization/Wordpad -
-
- -### ADMX_UserProfiles policies - -
-
- ADMX_UserProfiles/CleanupProfiles -
-
- ADMX_UserProfiles/DontForceUnloadHive -
-
- ADMX_UserProfiles/LeaveAppMgmtData -
-
- ADMX_UserProfiles/LimitSize -
-
- ADMX_UserProfiles/ProfileErrorAction -
-
- ADMX_UserProfiles/SlowLinkTimeOut -
-
- ADMX_UserProfiles/USER_HOME -
-
- ADMX_UserProfiles/UserInfoAccessAction -
-
- -### ADMX_W32Time policies - -
-
- ADMX_W32Time/W32TIME_POLICY_CONFIG -
-
- ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT -
-
- ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT -
-
- ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPSERVER -
-
- -### ADMX_WCM policies - -
-
- ADMX_WCM/WCM_DisablePowerManagement -
-
- ADMX_WCM/WCM_EnableSoftDisconnect -
-
- ADMX_WCM/WCM_MinimizeConnections -
-
- -### ADMX_WDI Policies - -
-
- ADMX_WDI/WdiDpsScenarioExecutionPolicy -
-
- ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy -
-
- -### ADMX_WinCal policies - -
-
- ADMX_WinCal/TurnOffWinCal_1 -
-
- ADMX_WinCal/TurnOffWinCal_2 -
-
- -### ADMX_WindowsConnectNow policies - -
-
- ADMX_WindowsConnectNow/WCN_DisableWcnUi_1 -
-
- ADMX_WindowsConnectNow/WCN_DisableWcnUi_2 -
-
- ADMX_WindowsConnectNow/WCN_EnableRegistrar -
-
- - -### ADMX_WindowsExplorer policies - -
-
- ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS -
-
- ADMX_WindowsExplorer/ClassicShell -
-
- ADMX_WindowsExplorer/ConfirmFileDelete -
-
- ADMX_WindowsExplorer/DefaultLibrariesLocation -
-
- ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage -
-
- ADMX_WindowsExplorer/DisableIndexedLibraryExperience -
-
- ADMX_WindowsExplorer/DisableKnownFolders -
-
- ADMX_WindowsExplorer/DisableSearchBoxSuggestions -
-
- ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath -
-
- ADMX_WindowsExplorer/EnableSmartScreen -
-
- ADMX_WindowsExplorer/EnforceShellExtensionSecurity -
-
- ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized -
-
- ADMX_WindowsExplorer/HideContentViewModeSnippets -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted -
-
- ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown -
-
- ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo -
-
- ADMX_WindowsExplorer/MaxRecentDocs -
-
- ADMX_WindowsExplorer/NoBackButton -
-
- ADMX_WindowsExplorer/NoCDBurning -
-
- ADMX_WindowsExplorer/NoCacheThumbNailPictures -
-
- ADMX_WindowsExplorer/NoChangeAnimation -
-
- ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators -
-
- ADMX_WindowsExplorer/NoDFSTab -
-
- ADMX_WindowsExplorer/NoDrives -
-
- ADMX_WindowsExplorer/NoEntireNetwork -
-
- ADMX_WindowsExplorer/NoFileMRU -
-
- ADMX_WindowsExplorer/NoFileMenu -
-
- ADMX_WindowsExplorer/NoFolderOptions -
-
- ADMX_WindowsExplorer/NoHardwareTab -
-
- ADMX_WindowsExplorer/NoManageMyComputerVerb -
-
- ADMX_WindowsExplorer/NoMyComputerSharedDocuments -
-
- ADMX_WindowsExplorer/NoNetConnectDisconnect -
-
- ADMX_WindowsExplorer/NoNewAppAlert -
-
- ADMX_WindowsExplorer/NoPlacesBar -
-
- ADMX_WindowsExplorer/NoRecycleFiles -
-
- ADMX_WindowsExplorer/NoRunAsInstallPrompt -
-
- ADMX_WindowsExplorer/NoSearchInternetTryHarderButton -
-
- ADMX_WindowsExplorer/NoSecurityTab -
-
- ADMX_WindowsExplorer/NoShellSearchButton -
-
- ADMX_WindowsExplorer/NoStrCmpLogical -
-
- ADMX_WindowsExplorer/NoViewContextMenu -
-
- ADMX_WindowsExplorer/NoViewOnDrive -
-
- ADMX_WindowsExplorer/NoWindowsHotKeys -
-
- ADMX_WindowsExplorer/NoWorkgroupContents -
-
- ADMX_WindowsExplorer/PlacesBar -
-
- ADMX_WindowsExplorer/PromptRunasInstallNetPath -
-
- ADMX_WindowsExplorer/RecycleBinSize -
-
- ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1 -
-
- ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2 -
-
- ADMX_WindowsExplorer/ShowHibernateOption -
-
- ADMX_WindowsExplorer/ShowSleepOption -
-
- ADMX_WindowsExplorer/TryHarderPinnedLibrary -
-
- ADMX_WindowsExplorer/TryHarderPinnedOpenSearch -
-
- -### ADMX_WindowsMediaDRM policies - -
-
- ADMX_WindowsMediaDRM/DisableOnline -
-
- -### ADMX_WindowsMediaPlayer policies - -
-
- ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings -
-
- ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings -
-
- ADMX_WindowsMediaPlayer/ConfigureRTSPProxySettings -
-
- ADMX_WindowsMediaPlayer/DisableAutoUpdate -
-
- ADMX_WindowsMediaPlayer/DisableNetworkSettings -
-
- ADMX_WindowsMediaPlayer/DisableSetupFirstUseConfiguration -
-
- ADMX_WindowsMediaPlayer/DoNotShowAnchor -
-
- ADMX_WindowsMediaPlayer/DontUseFrameInterpolation -
-
- ADMX_WindowsMediaPlayer/EnableScreenSaver -
-
- ADMX_WindowsMediaPlayer/HidePrivacyTab -
-
- ADMX_WindowsMediaPlayer/HideSecurityTab -
-
- ADMX_WindowsMediaPlayer/NetworkBuffering -
-
- ADMX_WindowsMediaPlayer/PolicyCodecUpdate -
-
- ADMX_WindowsMediaPlayer/PreventCDDVDMetadataRetrieval -
-
- ADMX_WindowsMediaPlayer/PreventLibrarySharing -
-
- ADMX_WindowsMediaPlayer/PreventMusicFileMetadataRetrieval -
-
- ADMX_WindowsMediaPlayer/PreventQuickLaunchShortcut -
-
- ADMX_WindowsMediaPlayer/PreventRadioPresetsRetrieval -
-
- ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut -
-
- ADMX_WindowsMediaPlayer/SkinLockDown -
-
- ADMX_WindowsMediaPlayer/WindowsStreamingMediaProtocols -
-
- - -### ADMX_WindowsRemoteManagement policies - -
-
- ADMX_WindowsRemoteManagement/DisallowKerberos_1 -
-
- ADMX_WindowsRemoteManagement/DisallowKerberos_2 -
-
- -### ADMX_WindowsStore policies - -
-
- ADMX_WindowsStore/DisableAutoDownloadWin8 -
-
- ADMX_WindowsStore/DisableOSUpgrade_1 -
-
- ADMX_WindowsStore/DisableOSUpgrade_2 -
-
- ADMX_WindowsStore/RemoveWindowsStore_1 -
-
- ADMX_WindowsStore/RemoveWindowsStore_2 -
-
- -### ADMX_WinInit policies - -
-
- ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription -
-
- ADMX_WinInit/Hiberboot -
-
- ADMX_WinInit/ShutdownTimeoutHungSessionsDescription -
-
- -### ADMX_WinLogon policies - -
-
- ADMX_WinLogon/CustomShell -
-
- ADMX_WinLogon/DisplayLastLogonInfoDescription -
-
- ADMX_WinLogon/LogonHoursNotificationPolicyDescription -
-
- ADMX_WinLogon/LogonHoursPolicyDescription -
-
- ADMX_WinLogon/ReportCachedLogonPolicyDescription -
-
- ADMX_WinLogon/SoftwareSASGeneration -
-
- -### ADMX_Winsrv policies - -
-
- ADMX_Winsrv/AllowBlockingAppsAtShutdown -
-
- -### ADMX_wlansvc policies - -
-
- ADMX_wlansvc/SetCost -
-
- ADMX_wlansvc/SetPINEnforced -
-
- ADMX_wlansvc/SetPINPreferred -
-
- -### ADMX_WordWheel policies - -
-
- ADMX_WordWheel/CustomSearch -
-
- -### ADMX_WorkFoldersClient policies - -
-
- ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker -
-
- ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders -
-
- ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders -
-
- -### ADMX_WPN policies - -
-
- ADMX_WPN/NoCallsDuringQuietHours -
-
- ADMX_WPN/NoLockScreenToastNotification -
-
- ADMX_WPN/NoQuietHours -
-
- ADMX_WPN/NoToastNotification -
-
- ADMX_WPN/QuietHoursDailyBeginMinute -
-
- ADMX_WPN/QuietHoursDailyEndMinute -
-
- -### ApplicationDefaults policies - -
-
- ApplicationDefaults/DefaultAssociationsConfiguration -
-
- ApplicationDefaults/EnableAppUriHandlers -
-
- -### ApplicationManagement policies - -
-
- ApplicationManagement/AllowAllTrustedApps -
-
- ApplicationManagement/AllowAppStoreAutoUpdate -
-
- ApplicationManagement/AllowDeveloperUnlock -
-
- ApplicationManagement/AllowGameDVR -
-
- ApplicationManagement/AllowSharedUserAppData -
-
- ApplicationManagement/BlockNonAdminUserInstall -
-
- ApplicationManagement/DisableStoreOriginatedApps -
-
- ApplicationManagement/LaunchAppAfterLogOn -
-
- ApplicationManagement/MSIAllowUserControlOverInstall -
-
- ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges -
-
- ApplicationManagement/RequirePrivateStoreOnly -
-
- ApplicationManagement/RestrictAppDataToSystemVolume -
-
- ApplicationManagement/RestrictAppToSystemVolume -
-
- ApplicationManagement/ScheduleForceRestartForUpdateFailures -
-
- -### AppRuntime policies - -
-
- AppRuntime/AllowMicrosoftAccountsToBeOptional -
-
- -### AppVirtualization policies - -
-
- AppVirtualization/AllowAppVClient -
-
- AppVirtualization/AllowDynamicVirtualization -
-
- AppVirtualization/AllowPackageCleanup -
-
- AppVirtualization/AllowPackageScripts -
-
- AppVirtualization/AllowPublishingRefreshUX -
-
- AppVirtualization/AllowReportingServer -
-
- AppVirtualization/AllowRoamingFileExclusions -
-
- AppVirtualization/AllowRoamingRegistryExclusions -
-
- AppVirtualization/AllowStreamingAutoload -
-
- AppVirtualization/ClientCoexistenceAllowMigrationmode -
-
- AppVirtualization/IntegrationAllowRootGlobal -
-
- AppVirtualization/IntegrationAllowRootUser -
-
- AppVirtualization/PublishingAllowServer1 -
-
- AppVirtualization/PublishingAllowServer2 -
-
- AppVirtualization/PublishingAllowServer3 -
-
- AppVirtualization/PublishingAllowServer4 -
-
- AppVirtualization/PublishingAllowServer5 -
-
- AppVirtualization/StreamingAllowCertificateFilterForClient_SSL -
-
- AppVirtualization/StreamingAllowHighCostLaunch -
-
- AppVirtualization/StreamingAllowLocationProvider -
-
- AppVirtualization/StreamingAllowPackageInstallationRoot -
-
- AppVirtualization/StreamingAllowPackageSourceRoot -
-
- AppVirtualization/StreamingAllowReestablishmentInterval -
-
- AppVirtualization/StreamingAllowReestablishmentRetries -
-
- AppVirtualization/StreamingSharedContentStoreMode -
-
- AppVirtualization/StreamingSupportBranchCache -
-
- AppVirtualization/StreamingVerifyCertificateRevocationList -
-
- AppVirtualization/VirtualComponentsAllowList -
-
- -### AttachmentManager policies - -
-
- AttachmentManager/DoNotPreserveZoneInformation -
-
- AttachmentManager/HideZoneInfoMechanism -
-
- AttachmentManager/NotifyAntivirusPrograms -
-
- -### Audit policies - -
-
- Audit/AccountLogonLogoff_AuditAccountLockout -
-
- Audit/AccountLogonLogoff_AuditGroupMembership -
-
- Audit/AccountLogonLogoff_AuditIPsecExtendedMode -
-
- Audit/AccountLogonLogoff_AuditIPsecMainMode -
-
- Audit/AccountLogonLogoff_AuditIPsecQuickMode -
-
- Audit/AccountLogonLogoff_AuditLogoff -
-
- Audit/AccountLogonLogoff_AuditLogon -
-
- Audit/AccountLogonLogoff_AuditNetworkPolicyServer -
-
- Audit/AccountLogonLogoff_AuditOtherLogonLogoffEvents -
-
- Audit/AccountLogonLogoff_AuditSpecialLogon -
-
- Audit/AccountLogonLogoff_AuditUserDeviceClaims -
-
- Audit/AccountLogon_AuditCredentialValidation -
-
- Audit/AccountLogon_AuditKerberosAuthenticationService -
-
- Audit/AccountLogon_AuditKerberosServiceTicketOperations -
-
- Audit/AccountLogon_AuditOtherAccountLogonEvents -
-
- Audit/AccountManagement_AuditApplicationGroupManagement -
-
- Audit/AccountManagement_AuditComputerAccountManagement -
-
- Audit/AccountManagement_AuditDistributionGroupManagement -
-
- Audit/AccountManagement_AuditOtherAccountManagementEvents -
-
- Audit/AccountManagement_AuditSecurityGroupManagement -
-
- Audit/AccountManagement_AuditUserAccountManagement -
-
- Audit/DSAccess_AuditDetailedDirectoryServiceReplication -
-
- Audit/DSAccess_AuditDirectoryServiceAccess -
-
- Audit/DSAccess_AuditDirectoryServiceChanges -
-
- Audit/DSAccess_AuditDirectoryServiceReplication -
-
- Audit/DetailedTracking_AuditDPAPIActivity -
-
- Audit/DetailedTracking_AuditPNPActivity -
-
- Audit/DetailedTracking_AuditProcessCreation -
-
- Audit/DetailedTracking_AuditProcessTermination -
-
- Audit/DetailedTracking_AuditRPCEvents -
-
- Audit/DetailedTracking_AuditTokenRightAdjusted -
-
- Audit/ObjectAccess_AuditApplicationGenerated -
-
- Audit/ObjectAccess_AuditCentralAccessPolicyStaging -
-
- Audit/ObjectAccess_AuditCertificationServices -
-
- Audit/ObjectAccess_AuditDetailedFileShare -
-
- Audit/ObjectAccess_AuditFileShare -
-
- Audit/ObjectAccess_AuditFileSystem -
-
- Audit/ObjectAccess_AuditFilteringPlatformConnection -
-
- Audit/ObjectAccess_AuditFilteringPlatformPacketDrop -
-
- Audit/ObjectAccess_AuditHandleManipulation -
-
- Audit/ObjectAccess_AuditKernelObject -
-
- Audit/ObjectAccess_AuditOtherObjectAccessEvents -
-
- Audit/ObjectAccess_AuditRegistry -
-
- Audit/ObjectAccess_AuditRemovableStorage -
-
- Audit/ObjectAccess_AuditSAM -
-
- Audit/PolicyChange_AuditAuthenticationPolicyChange -
-
- Audit/PolicyChange_AuditAuthorizationPolicyChange -
-
- Audit/PolicyChange_AuditFilteringPlatformPolicyChange -
-
- Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange -
-
- Audit/PolicyChange_AuditOtherPolicyChangeEvents -
-
- Audit/PolicyChange_AuditPolicyChange -
-
- Audit/PrivilegeUse_AuditNonSensitivePrivilegeUse -
-
- Audit/PrivilegeUse_AuditOtherPrivilegeUseEvents -
-
- Audit/PrivilegeUse_AuditSensitivePrivilegeUse -
-
- Audit/System_AuditIPsecDriver -
-
- Audit/System_AuditOtherSystemEvents -
-
- Audit/System_AuditSecurityStateChange -
-
- Audit/System_AuditSecuritySystemExtension -
-
- Audit/System_AuditSystemIntegrity -
-
- -### Authentication policies - -
-
- Authentication/AllowAadPasswordReset -
-
- Authentication/AllowEAPCertSSO -
-
- Authentication/AllowFastReconnect -
-
- Authentication/AllowFidoDeviceSignon -
-
- Authentication/AllowSecondaryAuthenticationDevice -
-
- Authentication/EnableFastFirstSignIn (Preview mode only) -
-
- Authentication/EnableWebSignIn (Preview mode only) -
-
- Authentication/PreferredAadTenantDomainName -
-
- -### Autoplay policies - -
-
- Autoplay/DisallowAutoplayForNonVolumeDevices -
-
- Autoplay/SetDefaultAutoRunBehavior -
-
- Autoplay/TurnOffAutoPlay -
-
- -### BitLocker policies - -
-
- BitLocker/EncryptionMethod -
-
- -### BITS policies - -
-
- BITS/BandwidthThrottlingEndTime -
-
- BITS/BandwidthThrottlingStartTime -
-
- BITS/BandwidthThrottlingTransferRate -
-
- BITS/CostedNetworkBehaviorBackgroundPriority -
-
- BITS/CostedNetworkBehaviorForegroundPriority -
-
- BITS/JobInactivityTimeout -
-
- -### Bluetooth policies - -
-
- Bluetooth/AllowAdvertising -
-
- Bluetooth/AllowDiscoverableMode -
-
- Bluetooth/AllowPrepairing -
-
- Bluetooth/AllowPromptedProximalConnections -
-
- Bluetooth/LocalDeviceName -
-
- Bluetooth/ServicesAllowedList -
-
- Bluetooth/SetMinimumEncryptionKeySize -
-
- -### Browser policies - -
-
- Browser/AllowAddressBarDropdown -
-
- Browser/AllowAutofill -
-
- Browser/AllowConfigurationUpdateForBooksLibrary -
-
- Browser/AllowCookies -
-
- Browser/AllowDeveloperTools -
-
- Browser/AllowDoNotTrack -
-
- Browser/AllowExtensions -
-
- Browser/AllowFlash -
-
- Browser/AllowFlashClickToRun -
-
- Browser/AllowFullScreenMode -
-
- Browser/AllowInPrivate -
-
- Browser/AllowMicrosoftCompatibilityList -
-
- Browser/AllowPasswordManager -
-
- Browser/AllowPopups -
-
- Browser/AllowPrelaunch -
-
- Browser/AllowPrinting -
-
- Browser/AllowSavingHistory -
-
- Browser/AllowSearchEngineCustomization -
-
- Browser/AllowSearchSuggestionsinAddressBar -
-
- Browser/AllowSideloadingOfExtensions -
-
- Browser/AllowSmartScreen -
-
- Browser/AllowTabPreloading -
-
- Browser/AllowWebContentOnNewTabPage -
-
- Browser/AlwaysEnableBooksLibrary -
-
- Browser/ClearBrowsingDataOnExit -
-
- Browser/ConfigureAdditionalSearchEngines -
-
- Browser/ConfigureFavoritesBar -
-
- Browser/ConfigureHomeButton -
-
- Browser/ConfigureKioskMode -
-
- Browser/ConfigureKioskResetAfterIdleTimeout -
-
- Browser/ConfigureOpenMicrosoftEdgeWith -
-
- Browser/ConfigureTelemetryForMicrosoft365Analytics -
-
- Browser/DisableLockdownOfStartPages -
-
- Browser/EnableExtendedBooksTelemetry -
-
- Browser/EnterpriseModeSiteList -
-
- Browser/EnterpriseSiteListServiceUrl -
-
- Browser/HomePages -
-
- Browser/LockdownFavorites -
-
- Browser/PreventAccessToAboutFlagsInMicrosoftEdge -
-
- Browser/PreventCertErrorOverrides -
-
- Browser/PreventFirstRunPage -
-
- Browser/PreventLiveTileDataCollection -
-
- Browser/PreventSmartScreenPromptOverride -
-
- Browser/PreventSmartScreenPromptOverrideForFiles -
-
- Browser/PreventUsingLocalHostIPAddressForWebRTC -
-
- Browser/ProvisionFavorites -
-
- Browser/SendIntranetTraffictoInternetExplorer -
-
- Browser/SetDefaultSearchEngine -
-
- Browser/SetHomeButtonURL -
-
- Browser/SetNewTabPageURL -
-
- Browser/ShowMessageWhenOpeningSitesInInternetExplorer -
-
- Browser/SyncFavoritesBetweenIEAndMicrosoftEdge -
-
- Browser/UnlockHomeButton -
-
- Browser/UseSharedFolderForBooks -
-
- -### Camera policies - -
-
- Camera/AllowCamera -
-
- -### Cellular policies - -
-
- Cellular/LetAppsAccessCellularData -
-
- Cellular/LetAppsAccessCellularData_ForceAllowTheseApps -
-
- Cellular/LetAppsAccessCellularData_ForceDenyTheseApps -
-
- Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps -
-
- Cellular/ShowAppCellularAccessUI -
-
- -### Connectivity policies - -
-
- Connectivity/AllowBluetooth -
-
- Connectivity/AllowCellularData -
-
- Connectivity/AllowCellularDataRoaming -
-
- Connectivity/AllowConnectedDevices -
-
- Connectivity/AllowPhonePCLinking -
-
- Connectivity/AllowUSBConnection -
-
- Connectivity/AllowVPNOverCellular -
-
- Connectivity/AllowVPNRoamingOverCellular -
-
- Connectivity/DiablePrintingOverHTTP -
-
- Connectivity/DisableDownloadingOfPrintDriversOverHTTP -
-
- Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards -
-
- Connectivity/DisallowNetworkConnectivityActiveTests -
-
- Connectivity/HardenedUNCPaths -
-
- Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge -
-
- -### ControlPolicyConflict policies - -
-
- ControlPolicyConflict/MDMWinsOverGP -
-
- -### CredentialProviders policies - -
-
- CredentialProviders/AllowPINLogon -
-
- CredentialProviders/BlockPicturePassword -
-
- CredentialProviders/DisableAutomaticReDeploymentCredentials -
-
- -### CredentialsDelegation policies - -
-
- CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials -
-
- -### CredentialsUI policies - -
-
- CredentialsUI/DisablePasswordReveal -
-
- CredentialsUI/EnumerateAdministrators -
-
- -### Cryptography policies - -
-
- Cryptography/AllowFipsAlgorithmPolicy -
-
- Cryptography/TLSCipherSuites -
-
- -### DataProtection policies - -
-
- DataProtection/AllowDirectMemoryAccess -
-
- DataProtection/LegacySelectiveWipeID -
-
- -### DataUsage policies - -
-
- DataUsage/SetCost3G -
-
- DataUsage/SetCost4G -
-
- -### Defender policies - -
-
- Defender/AllowArchiveScanning -
-
- Defender/AllowBehaviorMonitoring -
-
- Defender/AllowCloudProtection -
-
- Defender/AllowEmailScanning -
-
- Defender/AllowFullScanOnMappedNetworkDrives -
-
- Defender/AllowFullScanRemovableDriveScanning -
-
- Defender/AllowIOAVProtection -
-
- Defender/AllowOnAccessProtection -
-
- Defender/AllowRealtimeMonitoring -
-
- Defender/AllowScanningNetworkFiles -
-
- Defender/AllowScriptScanning -
-
- Defender/AllowUserUIAccess -
-
- Defender/AttackSurfaceReductionOnlyExclusions -
-
- Defender/AttackSurfaceReductionRules -
-
- Defender/AvgCPULoadFactor -
-
- Defender/CheckForSignaturesBeforeRunningScan -
-
- Defender/CloudBlockLevel -
-
- Defender/CloudExtendedTimeout -
-
- Defender/ControlledFolderAccessAllowedApplications -
-
- Defender/ControlledFolderAccessProtectedFolders -
-
- Defender/DaysToRetainCleanedMalware -
-
- Defender/DisableCatchupFullScan -
-
- Defender/DisableCatchupQuickScan -
-
- Defender/EnableControlledFolderAccess -
-
- Defender/EnableLowCPUPriority -
-
- Defender/EnableNetworkProtection -
-
- Defender/ExcludedExtensions -
-
- Defender/ExcludedPaths -
-
- Defender/ExcludedProcesses -
-
- Defender/PUAProtection -
-
- Defender/RealTimeScanDirection -
-
- Defender/ScanParameter -
-
- Defender/ScheduleQuickScanTime -
-
- Defender/ScheduleScanDay -
-
- Defender/ScheduleScanTime -
-
- Defender/SignatureUpdateFallbackOrder -
-
- Defender/SignatureUpdateFileSharesSources -
-
- Defender/SignatureUpdateInterval -
-
- Defender/SubmitSamplesConsent -
-
- Defender/ThreatSeverityDefaultAction -
-
- -### DeliveryOptimization policies - -
-
- DeliveryOptimization/DOAbsoluteMaxCacheSize -
-
- DeliveryOptimization/DOAllowVPNPeerCaching -
-
- DeliveryOptimization/DOCacheHost -
-
- DeliveryOptimization/DOCacheHostSource -
-
- DeliveryOptimization/DODelayBackgroundDownloadFromHttp -
-
- DeliveryOptimization/DODelayForegroundDownloadFromHttp -
-
- DeliveryOptimization/DODelayCacheServerFallbackBackground -
-
- DeliveryOptimization/DODelayCacheServerFallbackForeground -
-
- DeliveryOptimization/DODownloadMode -
-
- DeliveryOptimization/DOGroupId -
-
- DeliveryOptimization/DOGroupIdSource -
-
- DeliveryOptimization/DOMaxBackgroundDownloadBandwidth -
-
- DeliveryOptimization/DOMaxCacheAge -
-
- DeliveryOptimization/DOMaxCacheSize -
-
- DeliveryOptimization/DOMaxDownloadBandwidth (deprecated) -
-
- DeliveryOptimization/DOMaxForegroundDownloadBandwidth -
-
- DeliveryOptimization/DOMaxUploadBandwidth (deprecated) -
-
- DeliveryOptimization/DOMinBackgroundQos -
-
- DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload -
-
- DeliveryOptimization/DOMinDiskSizeAllowedToPeer -
-
- DeliveryOptimization/DOMinFileSizeToCache -
-
- DeliveryOptimization/DOMinRAMAllowedToPeer -
-
- DeliveryOptimization/DOModifyCacheDrive -
-
- DeliveryOptimization/DOMonthlyUploadDataCap -
-
- DeliveryOptimization/DOPercentageMaxBackgroundBandwidth -
-
- DeliveryOptimization/DOPercentageMaxDownloadBandwidth (deprecated) -
-
- DeliveryOptimization/DOPercentageMaxForegroundBandwidth -
-
- DeliveryOptimization/DORestrictPeerSelectionBy -
-
- DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth -
-
- DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth -
-
- -### Desktop policies - -
-
- Desktop/PreventUserRedirectionOfProfileFolders -
-
- -### DesktopAppInstaller policies -
-
- DesktopAppInstaller/EnableAdditionalSources -
-
- DesktopAppInstaller/EnableAppInstaller -
-
- DesktopAppInstaller/EnableDefaultSource -
-
- DesktopAppInstaller/EnableLocalManifestFiles -
-
- DesktopAppInstaller/EnableHashOverride -
-
- DesktopAppInstaller/EnableMicrosoftStoreSource -
-
- DesktopAppInstaller/EnableMSAppInstallerProtocol -
-
- DesktopAppInstaller/EnableSettings -
-
- DesktopAppInstaller/EnableAllowedSources -
-
- DesktopAppInstaller/EnableExperimentalFeatures -
-
- DesktopAppInstaller/SourceAutoUpdateInterval -
-
- -### DeviceGuard policies - -
-
- DeviceGuard/ConfigureSystemGuardLaunch -
-
- DeviceGuard/EnableVirtualizationBasedSecurity -
-
- DeviceGuard/LsaCfgFlags -
-
- DeviceGuard/RequirePlatformSecurityFeatures -
-
- -### DeviceHealthMonitoring policies - -
-
- DeviceHealthMonitoring/AllowDeviceHealthMonitoring -
-
- DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope -
-
- DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination -
-
- -### DeviceInstallation policies - -
-
- DeviceInstallation/AllowInstallationOfMatchingDeviceIDs -
-
- DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses -
-
- DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs -
-
- DeviceInstallation/PreventDeviceMetadataFromNetwork -
-
- DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings -
-
- DeviceInstallation/PreventInstallationOfMatchingDeviceIDs -
-
- DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs -
-
- DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses -
-
- -### DeviceLock policies - -
-
- DeviceLock/AllowIdleReturnWithoutPassword -
-
- DeviceLock/AllowSimpleDevicePassword -
-
- DeviceLock/AlphanumericDevicePasswordRequired -
-
- DeviceLock/DevicePasswordEnabled -
-
- DeviceLock/DevicePasswordExpiration -
-
- DeviceLock/DevicePasswordHistory -
-
- DeviceLock/EnforceLockScreenAndLogonImage -
-
- DeviceLock/MaxDevicePasswordFailedAttempts -
-
- DeviceLock/MaxInactivityTimeDeviceLock -
-
- DeviceLock/MinDevicePasswordComplexCharacters -
-
- DeviceLock/MinDevicePasswordLength -
-
- DeviceLock/MinimumPasswordAge -
-
- DeviceLock/PreventEnablingLockScreenCamera -
-
- DeviceLock/PreventLockScreenSlideShow -
-
- -### Display policies - -
-
- Display/DisablePerProcessDpiForApps -
-
- Display/EnablePerProcessDpi -
-
- Display/EnablePerProcessDpiForApps -
-
- Display/TurnOffGdiDPIScalingForApps -
-
- Display/TurnOnGdiDPIScalingForApps -
-
- -### DmaGuard policies - -
-
- DmaGuard/DeviceEnumerationPolicy -
-
- -### EAP policies - -
-
- EAP/AllowTLS1_3 -
-
- -### Education policies - -
-
- Education/AllowGraphingCalculator -
-
- Education/DefaultPrinterName -
-
- Education/PreventAddingNewPrinters -
-
- Education/PrinterNames -
-
- -### EnterpriseCloudPrint policies - -
-
- EnterpriseCloudPrint/CloudPrintOAuthAuthority -
-
- EnterpriseCloudPrint/CloudPrintOAuthClientId -
-
- EnterpriseCloudPrint/CloudPrintResourceId -
-
- EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint -
-
- EnterpriseCloudPrint/DiscoveryMaxPrinterLimit -
-
- EnterpriseCloudPrint/MopriaDiscoveryResourceId -
-
- -### ErrorReporting policies - -
-
- ErrorReporting/CustomizeConsentSettings -
-
- ErrorReporting/DisableWindowsErrorReporting -
-
- ErrorReporting/DisplayErrorNotification -
-
- ErrorReporting/DoNotSendAdditionalData -
-
- ErrorReporting/PreventCriticalErrorDisplay -
-
- -### EventLogService policies - -
-
- EventLogService/ControlEventLogBehavior -
-
- EventLogService/SpecifyMaximumFileSizeApplicationLog -
-
- EventLogService/SpecifyMaximumFileSizeSecurityLog -
-
- EventLogService/SpecifyMaximumFileSizeSystemLog -
-
- -### Experience policies - -
-
- Experience/AllowClipboardHistory -
-
- Experience/AllowCortana -
-
- Experience/AllowDeviceDiscovery -
-
- Experience/AllowFindMyDevice -
-
- Experience/AllowManualMDMUnenrollment -
-
- Experience/AllowSaveAsOfOfficeFiles -
-
- Experience/AllowSharingOfOfficeFiles -
-
- Experience/AllowSyncMySettings -
-
- Experience/AllowSpotlightCollection -
-
- Experience/AllowTailoredExperiencesWithDiagnosticData -
-
- Experience/AllowThirdPartySuggestionsInWindowsSpotlight -
-
- Experience/AllowWindowsConsumerFeatures -
-
- Experience/AllowWindowsSpotlight -
-
- Experience/AllowWindowsSpotlightOnActionCenter -
-
- Experience/AllowWindowsSpotlightOnSettings -
-
- Experience/AllowWindowsSpotlightWindowsWelcomeExperience -
-
- Experience/AllowWindowsTips -
-
- Experience/ConfigureWindowsSpotlightOnLockScreen -
-
- Experience/DisableCloudOptimizedContent -
-
- Experience/DoNotShowFeedbackNotifications -
-
- Experience/DoNotSyncBrowserSettings -
-
- Experience/PreventUsersFromTurningOnBrowserSyncing -
-
- Experience/ShowLockOnUserTile -
-
- -### ExploitGuard policies - -
-
- ExploitGuard/ExploitProtectionSettings -
-
- -### FederatedAuthentication policies - -
-
- FederatedAuthentication/EnableWebSignInForPrimaryUser -
-
- -### Feeds policies -
-
- Feeds/FeedsEnabled -
-
- -### FileExplorer policies - -
-
- FileExplorer/TurnOffDataExecutionPreventionForExplorer -
-
- FileExplorer/TurnOffHeapTerminationOnCorruption -
-
- -### Games policies - -
-
- Games/AllowAdvancedGamingServices -
-
- -### Handwriting policies - -
-
- Handwriting/PanelDefaultModeDocked -
-
- -### HumanPresence policies - -
-
- HumanPresence/ForceInstantLock -
-
- HumanPresence/ForceInstantWake -
-
- HumanPresence/ForceLockTimeout -
-
- -### InternetExplorer policies - -
-
- InternetExplorer/AddSearchProvider -
-
- InternetExplorer/AllowActiveXFiltering -
-
- InternetExplorer/AllowAddOnList -
-
- InternetExplorer/AllowAutoComplete -
-
- InternetExplorer/AllowCertificateAddressMismatchWarning -
-
- InternetExplorer/AllowDeletingBrowsingHistoryOnExit -
-
- InternetExplorer/AllowEnhancedProtectedMode -
-
- InternetExplorer/AllowEnhancedSuggestionsInAddressBar -
-
- InternetExplorer/AllowEnterpriseModeFromToolsMenu -
-
- InternetExplorer/AllowEnterpriseModeSiteList -
-
- InternetExplorer/AllowFallbackToSSL3 -
-
- InternetExplorer/AllowInternetExplorer7PolicyList -
-
- InternetExplorer/AllowInternetExplorerStandardsMode -
-
- InternetExplorer/AllowInternetZoneTemplate -
-
- InternetExplorer/AllowIntranetZoneTemplate -
-
- InternetExplorer/AllowLocalMachineZoneTemplate -
-
- InternetExplorer/AllowLockedDownInternetZoneTemplate -
-
- InternetExplorer/AllowLockedDownIntranetZoneTemplate -
-
- InternetExplorer/AllowLockedDownLocalMachineZoneTemplate -
-
- InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate -
-
- InternetExplorer/AllowOneWordEntry -
-
- InternetExplorer/AllowSiteToZoneAssignmentList -
-
- InternetExplorer/AllowSoftwareWhenSignatureIsInvalid -
-
- InternetExplorer/AllowSuggestedSites -
-
- InternetExplorer/AllowTrustedSitesZoneTemplate -
-
- InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate -
-
- InternetExplorer/AllowsRestrictedSitesZoneTemplate -
-
- InternetExplorer/CheckServerCertificateRevocation -
-
- InternetExplorer/CheckSignaturesOnDownloadedPrograms -
-
- InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses -
-
- InternetExplorer/DisableActiveXVersionListAutoDownload -

- InternetExplorer/DisableAdobeFlash -
-
- InternetExplorer/DisableBypassOfSmartScreenWarnings -
-
- InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles -
-
- InternetExplorer/DisableCompatView -
-
- InternetExplorer/DisableConfiguringHistory -
-
- InternetExplorer/DisableCrashDetection -
-
- InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation -
-
- InternetExplorer/DisableDeletingUserVisitedWebsites -
-
- InternetExplorer/DisableEnclosureDownloading -
-
- InternetExplorer/DisableEncryptionSupport -
-
- InternetExplorer/DisableFeedsBackgroundSync -
-
- InternetExplorer/DisableFirstRunWizard -
-
- InternetExplorer/DisableFlipAheadFeature -
-
- InternetExplorer/DisableGeolocation -
-
- InternetExplorer/DisableHomePageChange -
-
- InternetExplorer/DisableIgnoringCertificateErrors -
-
- InternetExplorer/DisableInPrivateBrowsing -
-
- InternetExplorer/DisableProcessesInEnhancedProtectedMode -
-
- InternetExplorer/DisableProxyChange -
-
- InternetExplorer/DisableSearchProviderChange -
-
- InternetExplorer/DisableSecondaryHomePageChange -
-
- InternetExplorer/DisableSecuritySettingsCheck -
-
- InternetExplorer/DisableUpdateCheck -
-
- InternetExplorer/DisableWebAddressAutoComplete -
-
- InternetExplorer/DoNotAllowActiveXControlsInProtectedMode -
-
- InternetExplorer/DoNotAllowUsersToAddSites -
-
- InternetExplorer/DoNotAllowUsersToChangePolicies -
-
- InternetExplorer/DoNotBlockOutdatedActiveXControls -
-
- InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains -
-
- InternetExplorer/IncludeAllLocalSites -
-
- InternetExplorer/IncludeAllNetworkPaths -
-
- InternetExplorer/InternetZoneAllowAccessToDataSources -
-
- InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls -
-
- InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads -
-
- InternetExplorer/InternetZoneAllowCopyPasteViaScript -
-
- InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles -
-
- InternetExplorer/InternetZoneAllowFontDownloads -
-
- InternetExplorer/InternetZoneAllowLessPrivilegedSites -
-
- InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles -
-
- InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents -
-
- InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls -
-
- InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl -
-
- InternetExplorer/InternetZoneAllowScriptInitiatedWindows -
-
- InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls -
-
- InternetExplorer/InternetZoneAllowScriptlets -
-
- InternetExplorer/InternetZoneAllowSmartScreenIE -
-
- InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript -
-
- InternetExplorer/InternetZoneAllowUserDataPersistence -
-
- InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer -
-
- InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls -
-
- InternetExplorer/InternetZoneDownloadSignedActiveXControls -
-
- InternetExplorer/InternetZoneDownloadUnsignedActiveXControls -
-
- InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter -
-
- InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows -
-
- InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows -
-
- InternetExplorer/InternetZoneEnableMIMESniffing -
-
- InternetExplorer/InternetZoneEnableProtectedMode -
-
- InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer -
-
- InternetExplorer/InternetZoneInitializeAndScriptActiveXControls -
-
- InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe -
-
- InternetExplorer/InternetZoneJavaPermissions -
-
- InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME -
-
- InternetExplorer/InternetZoneLogonOptions -
-
- InternetExplorer/InternetZoneNavigateWindowsAndFrames -
-
- InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode -
-
- InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles -
-
- InternetExplorer/InternetZoneUsePopupBlocker -
-
- InternetExplorer/IntranetZoneAllowAccessToDataSources -
-
- InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls -
-
- InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads -
-
- InternetExplorer/IntranetZoneAllowFontDownloads -
-
- InternetExplorer/IntranetZoneAllowLessPrivilegedSites -
-
- InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents -
-
- InternetExplorer/IntranetZoneAllowScriptlets -
-
- InternetExplorer/IntranetZoneAllowSmartScreenIE -
-
- InternetExplorer/IntranetZoneAllowUserDataPersistence -
-
- InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls -
-
- InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls -
-
- InternetExplorer/IntranetZoneJavaPermissions -
-
- InternetExplorer/IntranetZoneNavigateWindowsAndFrames -
-
- InternetExplorer/LocalMachineZoneAllowAccessToDataSources -
-
- InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls -
-
- InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads -
-
- InternetExplorer/LocalMachineZoneAllowFontDownloads -
-
- InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites -
-
- InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents -
-
- InternetExplorer/LocalMachineZoneAllowScriptlets -
-
- InternetExplorer/LocalMachineZoneAllowSmartScreenIE -
-
- InternetExplorer/LocalMachineZoneAllowUserDataPersistence -
-
- InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls -
-
- InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls -
-
- InternetExplorer/LocalMachineZoneJavaPermissions -
-
- InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames -
-
- InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources -
-
- InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls -
-
- InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads -
-
- InternetExplorer/LockedDownInternetZoneAllowFontDownloads -
-
- InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites -
-
- InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents -
-
- InternetExplorer/LockedDownInternetZoneAllowScriptlets -
-
- InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE -
-
- InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence -
-
- InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls -
-
- InternetExplorer/LockedDownInternetZoneJavaPermissions -
-
- InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames -
-
- InternetExplorer/LockedDownIntranetJavaPermissions -
-
- InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources -
-
- InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls -
-
- InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads -
-
- InternetExplorer/LockedDownIntranetZoneAllowFontDownloads -
-
- InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites -
-
- InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents -
-
- InternetExplorer/LockedDownIntranetZoneAllowScriptlets -
-
- InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE -
-
- InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence -
-
- InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls -
-
- InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames -
-
- InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources -
-
- InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls -
-
- InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads -
-
- InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads -
-
- InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites -
-
- InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents -
-
- InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets -
-
- InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE -
-
- InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence -
-
- InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls -
-
- InternetExplorer/LockedDownLocalMachineZoneJavaPermissions -
-
- InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames -
-
- InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources -
-
- InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls -
-
- InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads -
-
- InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads -
-
- InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites -
-
- InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents -
-
- InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets -
-
- InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE -
-
- InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence -
-
- InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls -
-
- InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions -
-
- InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames -
-
- InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources -
-
- InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls -
-
- InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads -
-
- InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads -
-
- InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites -
-
- InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents -
-
- InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets -
-
- InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE -
-
- InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence -
-
- InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls -
-
- InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions -
-
- InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames -
-
- InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses -
-
- InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses -
-
- InternetExplorer/NewTabDefaultPage -
-
- InternetExplorer/NotificationBarInternetExplorerProcesses -
-
- InternetExplorer/PreventManagingSmartScreenFilter -
-
- InternetExplorer/PreventPerUserInstallationOfActiveXControls -
-
- InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses -
-
- InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls -
-
- InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses -
-
- InternetExplorer/RestrictFileDownloadInternetExplorerProcesses -
-
- InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources -
-
- InternetExplorer/RestrictedSitesZoneAllowActiveScripting -
-
- InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls -
-
- InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads -
-
- InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors -
-
- InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript -
-
- InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles -
-
- InternetExplorer/RestrictedSitesZoneAllowFileDownloads -
-
- InternetExplorer/RestrictedSitesZoneAllowFontDownloads -
-
- InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites -
-
- InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles -
-
- InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH -
-
- InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents -
-
- InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls -
-
- InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl -
-
- InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows -
-
- InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls -
-
- InternetExplorer/RestrictedSitesZoneAllowScriptlets -
-
- InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE -
-
- InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript -
-
- InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence -
-
- InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer -
-
- InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls -
-
- InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls -
-
- InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls -
-
- InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter -
-
- InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows -
-
- InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows -
-
- InternetExplorer/RestrictedSitesZoneEnableMIMESniffing -
-
- InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer -
-
- InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls -
-
- InternetExplorer/RestrictedSitesZoneJavaPermissions -
-
- InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME -
-
- InternetExplorer/RestrictedSitesZoneLogonOptions -
-
- InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames -
-
- InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins -
-
- InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode -
-
- InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting -
-
- InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets -
-
- InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles -
-
- InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode -
-
- InternetExplorer/RestrictedSitesZoneUsePopupBlocker -
-
- InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses -
-
- InternetExplorer/SearchProviderList -
-
- InternetExplorer/SecurityZonesUseOnlyMachineSettings -
-
- InternetExplorer/SpecifyUseOfActiveXInstallerService -
-
- InternetExplorer/TrustedSitesZoneAllowAccessToDataSources -
-
- InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls -
-
- InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads -
-
- InternetExplorer/TrustedSitesZoneAllowFontDownloads -
-
- InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites -
-
- InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents -
-
- InternetExplorer/TrustedSitesZoneAllowScriptlets -
-
- InternetExplorer/TrustedSitesZoneAllowSmartScreenIE -
-
- InternetExplorer/TrustedSitesZoneAllowUserDataPersistence -
-
- InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls -
-
- InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls -
-
- InternetExplorer/TrustedSitesZoneJavaPermissions -
-
- InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames -
-
- -### Kerberos policies - -
-
- Kerberos/AllowForestSearchOrder -
-
- Kerberos/KerberosClientSupportsClaimsCompoundArmor -
-
- Kerberos/RequireKerberosArmoring -
-
- Kerberos/RequireStrictKDCValidation -
-
- Kerberos/SetMaximumContextTokenSize -
-
- Kerberos/UPNNameHints -
-
- -### KioskBrowser policies - -
-
- KioskBrowser/BlockedUrlExceptions -
-
- KioskBrowser/BlockedUrls -
-
- KioskBrowser/DefaultURL -
-
- KioskBrowser/EnableEndSessionButton -
-
- KioskBrowser/EnableHomeButton -
-
- KioskBrowser/EnableNavigationButtons -
-
- KioskBrowser/RestartOnIdleTime -
-
- -### LanmanWorkstation policies - -
-
- LanmanWorkstation/EnableInsecureGuestLogons -
-
- -### Language Pack Management CSP policies - -
-
- LanmanWorkstation/EnableInsecureGuestLogons -
-
- -### Licensing policies - -
-
- Licensing/AllowWindowsEntitlementReactivation -
-
- Licensing/DisallowKMSClientOnlineAVSValidation -
-
- -### LocalPoliciesSecurityOptions policies - -
-
- LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts -
-
- LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly -
-
- LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount -
-
- LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount -
-
- LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon -
-
- LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia -
-
- LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters -
-
- LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly -
-
- LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked -
-
- LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn -
-
- LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn -
-
- LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL -
-
- LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit -
-
- LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn -
-
- LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn -
-
- LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior -
-
- LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees -
-
- LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers -
-
- LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways -
-
- LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees -
-
- LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts -
-
- LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares -
-
- LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares -
-
- LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM -
-
- LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM -
-
- LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests -
-
- LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange -
-
- LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel -
-
- LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients -
-
- LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers -
-
- LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication -
-
- LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic -
-
- LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic -
-
- LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers -
-
- LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn -
-
- LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile -
-
- LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation -
-
- LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators -
-
- LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers -
-
- LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation -
-
- LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated -
-
- LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations -
-
- LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode -
-
- LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation -
-
- LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode -
-
- LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations -
-
- -### LocalUsersAndGroups policies - -
-
- LocalUsersAndGroups/Configure -
-
- -### LockDown policies - -
-
- LockDown/AllowEdgeSwipe -
-
- -### Maps policies - -
-
- Maps/AllowOfflineMapsDownloadOverMeteredConnection -
-
- Maps/EnableOfflineMapsAutoUpdate -
-
- -### MemoryDump policies - -
-
- MemoryDump/AllowCrashDump -
-
- MemoryDump/AllowLiveDump -
-
- -### Messaging policies - -
-
- Messaging/AllowMessageSync -
-
- -### MixedReality policies - -
-
- MixedReality/AADGroupMembershipCacheValidityInDays -
-
- MixedReality/BrightnessButtonDisabled -
-
- MixedReality/FallbackDiagnostics -
-
- MixedReality/MicrophoneDisabled -
-
- MixedReality/VolumeButtonDisabled -
-
- -### MSSecurityGuide policies - -
-
- MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon -
-
- MSSecurityGuide/ConfigureSMBV1ClientDriver -
-
- MSSecurityGuide/ConfigureSMBV1Server -
-
- MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection -
-
- MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications -
-
- MSSecurityGuide/WDigestAuthentication -
-
- -### MSSLegacy policies - -
-
- MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes -
-
- MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers -
-
- MSSLegacy/IPSourceRoutingProtectionLevel -
-
- MSSLegacy/IPv6SourceRoutingProtectionLevel -
-
- -### Multitasking policies - -
-
- Multitasking/BrowserAltTabBlowout -
-
- -### NetworkIsolation policies - -
-
- NetworkIsolation/EnterpriseCloudResources -
-
- NetworkIsolation/EnterpriseIPRange -
-
- NetworkIsolation/EnterpriseIPRangesAreAuthoritative -
-
- NetworkIsolation/EnterpriseInternalProxyServers -
-
- NetworkIsolation/EnterpriseNetworkDomainNames -
-
- NetworkIsolation/EnterpriseProxyServers -
-
- NetworkIsolation/EnterpriseProxyServersAreAuthoritative -
-
- NetworkIsolation/NeutralResources -
-
- -### NetworkListManager policies - -
-
- NetworkListManager/AllowedTlsAuthenticationEndpoints -
-
- NetworkListManager/ConfiguredTLSAuthenticationNetworkName -
-
-
- -### NewsAndInterests policies - -
-
- NewsAndInterests/AllowNewsAndInterests -
-
- -### Notifications policies - -
-
- Notifications/DisallowCloudNotification -
-
- Notifications/DisallowNotificationMirroring -
-
- Notifications/DisallowTileNotification -
-
- -### Power policies - -
-
- Power/AllowStandbyStatesWhenSleepingOnBattery -
-
- Power/AllowStandbyWhenSleepingPluggedIn -
-
- Power/DisplayOffTimeoutOnBattery -
-
- Power/DisplayOffTimeoutPluggedIn -
-
- Power/EnergySaverBatteryThresholdOnBattery -
-
- Power/EnergySaverBatteryThresholdPluggedIn -
-
- Power/HibernateTimeoutOnBattery -
-
- Power/HibernateTimeoutPluggedIn -
-
- Power/RequirePasswordWhenComputerWakesOnBattery -
-
- Power/RequirePasswordWhenComputerWakesPluggedIn -
-
- Power/SelectLidCloseActionOnBattery -
-
- Power/SelectLidCloseActionPluggedIn -
-
- Power/SelectPowerButtonActionOnBattery -
-
- Power/SelectPowerButtonActionPluggedIn -
-
- Power/SelectSleepButtonActionOnBattery -
-
- Power/SelectSleepButtonActionPluggedIn -
-
- Power/StandbyTimeoutOnBattery -
-
- Power/StandbyTimeoutPluggedIn -
-
- Power/TurnOffHybridSleepOnBattery -
-
- Power/TurnOffHybridSleepPluggedIn -
-
- Power/UnattendedSleepTimeoutOnBattery -
-
- Power/UnattendedSleepTimeoutPluggedIn -
-
- -### Printers policies - -
-
- Printers/ApprovedUsbPrintDevices -
-
- Printers/ApprovedUsbPrintDevicesUser -
-
- Printers/ConfigureCopyFilesPolicy -
-
- Printers/ConfigureDriverValidationLevel -
-
- Printers/ConfigureIppPageCountsPolicy -
-
- Printers/ConfigureRedirectionGuardPolicy -
-
- Printers/ConfigureRpcConnectionPolicy -
-
- Printers/ConfigureRpcListenerPolicy -
-
- Printers/ConfigureRpcTcpPort -
-
- Printers/EnableDeviceControl -
-
- Printers/EnableDeviceControlUser -
-
- Printers/ManageDriverExclusionList -
-
- Printers/PointAndPrintRestrictions -
-
- Printers/PointAndPrintRestrictions_User -
-
- Printers/PublishPrinters -
-
- Printers/RestrictDriverInstallationToAdministrators -
-
- -### Privacy policies - -
-
- Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts -
-
- Privacy/AllowCrossDeviceClipboard -
-
- Privacy/AllowInputPersonalization -
-
- Privacy/DisableAdvertisingId -
-
- Privacy/DisablePrivacyExperience -
-
- Privacy/EnableActivityFeed -
-
- Privacy/LetAppsAccessAccountInfo -
-
- Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps -
-
- Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps -
-
- Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps -
-
- Privacy/LetAppsAccessBackgroundSpatialPerception -
-
- Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps -
-
- Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps -
-
- Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps -
-
- Privacy/LetAppsAccessCalendar -
-
- Privacy/LetAppsAccessCalendar_ForceAllowTheseApps -
-
- Privacy/LetAppsAccessCalendar_ForceDenyTheseApps -
-
- Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps -
-
- Privacy/LetAppsAccessCallHistory -
-
- Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps -
-
- Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps -
-
- Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps -
-
- Privacy/LetAppsAccessCamera -
-
- Privacy/LetAppsAccessCamera_ForceAllowTheseApps -
-
- Privacy/LetAppsAccessCamera_ForceDenyTheseApps -
-
- Privacy/LetAppsAccessCamera_UserInControlOfTheseApps -
-
- Privacy/LetAppsAccessContacts -
-
- Privacy/LetAppsAccessContacts_ForceAllowTheseApps -
-
- Privacy/LetAppsAccessContacts_ForceDenyTheseApps -
-
- Privacy/LetAppsAccessContacts_UserInControlOfTheseApps -
-
- Privacy/LetAppsAccessEmail -
-
- Privacy/LetAppsAccessEmail_ForceAllowTheseApps -
-
- Privacy/LetAppsAccessEmail_ForceDenyTheseApps -
-
- Privacy/LetAppsAccessEmail_UserInControlOfTheseApps -
-
- Privacy/LetAppsAccessGazeInput -
-
- Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps -
-
- Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps -
-
- Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps -
-
- Privacy/LetAppsAccessLocation -
-
- Privacy/LetAppsAccessLocation_ForceAllowTheseApps -
-
- Privacy/LetAppsAccessLocation_ForceDenyTheseApps -
-
- Privacy/LetAppsAccessLocation_UserInControlOfTheseApps -
-
- Privacy/LetAppsAccessMessaging -
-
- Privacy/LetAppsAccessMessaging_ForceAllowTheseApps -
-
- Privacy/LetAppsAccessMessaging_ForceDenyTheseApps -
-
- Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps -
-
- Privacy/LetAppsAccessMicrophone -
-
- Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps -
-
- Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps -
-
- Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps -
-
- Privacy/LetAppsAccessMotion -
-
- Privacy/LetAppsAccessMotion_ForceAllowTheseApps -
-
- Privacy/LetAppsAccessMotion_ForceDenyTheseApps -
-
- Privacy/LetAppsAccessMotion_UserInControlOfTheseApps -
-
- Privacy/LetAppsAccessNotifications -
-
- Privacy/LetAppsAccessNotifications_ForceAllowTheseApps -
-
- Privacy/LetAppsAccessNotifications_ForceDenyTheseApps -
-
- Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps -
-
- Privacy/LetAppsAccessPhone -
-
- Privacy/LetAppsAccessPhone_ForceAllowTheseApps -
-
- Privacy/LetAppsAccessPhone_ForceDenyTheseApps -
-
- Privacy/LetAppsAccessPhone_UserInControlOfTheseApps -
-
- Privacy/LetAppsAccessRadios -
-
- Privacy/LetAppsAccessRadios_ForceAllowTheseApps -
-
- Privacy/LetAppsAccessRadios_ForceDenyTheseApps -
-
- Privacy/LetAppsAccessRadios_UserInControlOfTheseApps -
-
- Privacy/LetAppsAccessTasks -
-
- Privacy/LetAppsAccessTasks_ForceAllowTheseApps -
-
- Privacy/LetAppsAccessTasks_ForceDenyTheseApps -
-
- Privacy/LetAppsAccessTasks_UserInControlOfTheseApps -
-
- Privacy/LetAppsAccessTrustedDevices -
-
- Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps -
-
- Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps -
-
- Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps -
-
- Privacy/LetAppsActivateWithVoice -
-
- Privacy/LetAppsActivateWithVoiceAboveLock -
-
- Privacy/LetAppsGetDiagnosticInfo -
-
- Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps -
-
- Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps -
-
- Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps -
-
- Privacy/LetAppsRunInBackground -
-
- Privacy/LetAppsRunInBackground_ForceAllowTheseApps -
-
- Privacy/LetAppsRunInBackground_ForceDenyTheseApps -
-
- Privacy/LetAppsRunInBackground_UserInControlOfTheseApps -
-
- Privacy/LetAppsSyncWithDevices -
-
- Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps -
-
- Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps -
-
- Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps -
-
- Privacy/PublishUserActivities -
-
- Privacy/UploadUserActivities -
-
- -### RemoteAssistance policies - -
-
- RemoteAssistance/CustomizeWarningMessages -
-
- RemoteAssistance/SessionLogging -
-
- RemoteAssistance/SolicitedRemoteAssistance -
-
- RemoteAssistance/UnsolicitedRemoteAssistance -
-
- -### RemoteDesktop policies - -
-
- RemoteDesktop/AutoSubscription -
-
- RemoteDesktop/LoadAadCredKeyFromProfile -
-
- -### RemoteDesktopServices policies - -
-
- RemoteDesktopServices/AllowUsersToConnectRemotely -
-
- RemoteDesktopServices/ClientConnectionEncryptionLevel -
-
- RemoteDesktopServices/DoNotAllowDriveRedirection -
-
- RemoteDesktopServices/DoNotAllowPasswordSaving -
-
- RemoteDesktopServices/PromptForPasswordUponConnection -
-
- RemoteDesktopServices/RequireSecureRPCCommunication -
-
- -### RemoteManagement policies - -
-
- RemoteManagement/AllowBasicAuthentication_Client -
-
- RemoteManagement/AllowBasicAuthentication_Service -
-
- RemoteManagement/AllowCredSSPAuthenticationClient -
-
- RemoteManagement/AllowCredSSPAuthenticationService -
-
- RemoteManagement/AllowRemoteServerManagement -
-
- RemoteManagement/AllowUnencryptedTraffic_Client -
-
- RemoteManagement/AllowUnencryptedTraffic_Service -
-
- RemoteManagement/DisallowDigestAuthentication -
-
- RemoteManagement/DisallowNegotiateAuthenticationClient -
-
- RemoteManagement/DisallowNegotiateAuthenticationService -
-
- RemoteManagement/DisallowStoringOfRunAsCredentials -
-
- RemoteManagement/SpecifyChannelBindingTokenHardeningLevel -
-
- RemoteManagement/TrustedHosts -
-
- RemoteManagement/TurnOnCompatibilityHTTPListener -
-
- RemoteManagement/TurnOnCompatibilityHTTPSListener -
-
- -### RemoteProcedureCall policies - -
-
- RemoteProcedureCall/RPCEndpointMapperClientAuthentication -
-
- RemoteProcedureCall/RestrictUnauthenticatedRPCClients -
-
- -### RemoteShell policies - -
-
- RemoteShell/AllowRemoteShellAccess -
-
- RemoteShell/MaxConcurrentUsers -
-
- RemoteShell/SpecifyIdleTimeout -
-
- RemoteShell/SpecifyMaxMemory -
-
- RemoteShell/SpecifyMaxProcesses -
-
- RemoteShell/SpecifyMaxRemoteShells -
-
- RemoteShell/SpecifyShellTimeout -
-
- -### RestrictedGroups policies - -
-
- RestrictedGroups/ConfigureGroupMembership -
-
- -### Search policies - -
-
- Search/AllowCloudSearch -
-
- Search/AllowFindMyFiles -
-
- Search/AllowIndexingEncryptedStoresOrItems -
-
- Search/AllowSearchToUseLocation -
-
- Search/AllowStoringImagesFromVisionSearch -
-
- Search/AllowUsingDiacritics -
-
- Search/AllowWindowsIndexer -
-
- Search/AlwaysUseAutoLangDetection -
-
- Search/DisableBackoff -
-
- Search/DisableRemovableDriveIndexing -
-
- Search/DisableSearch -
-
- Search/DoNotUseWebResults -
-
- Search/PreventIndexingLowDiskSpaceMB -
-
- Search/PreventRemoteQueries -
-
- -### Security policies - -
-
- Security/AllowAddProvisioningPackage -
-
- Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices -
-
- Security/AllowRemoveProvisioningPackage -
-
- Security/ClearTPMIfNotReady -
-
- Security/ConfigureWindowsPasswords -
-
- Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices -
-
- Security/RecoveryEnvironmentAuthentication -
-
- Security/RequireDeviceEncryption -
-
- Security/RequireProvisioningPackageSignature -
-
- Security/RequireRetrieveHealthCertificateOnBoot -
-
- -### ServiceControlManager policies -
-
- ServiceControlManager/SvchostProcessMitigation -
-
- -### Settings policies - -
-
- Settings/AllowAutoPlay -
-
- Settings/AllowDataSense -
-
- Settings/AllowDateTime -
-
- Settings/AllowLanguage -
-
- Settings/AllowOnlineTips -
-
- Settings/AllowPowerSleep -
-
- Settings/AllowRegion -
-
- Settings/AllowSignInOptions -
-
- Settings/AllowVPN -
-
- Settings/AllowWorkplace -
-
- Settings/AllowYourAccount -
-
- Settings/ConfigureTaskbarCalendar -
-
- Settings/PageVisibilityList -
-
- -### Windows Defender SmartScreen policies - -
-
- SmartScreen/EnableAppInstallControl -
-
- SmartScreen/EnableSmartScreenInShell -
-
- SmartScreen/PreventOverrideForFilesInShell -
-
- -### Speech policies - -
-
- Speech/AllowSpeechModelUpdate -
-
- -### Start policies - -
-
- Start/AllowPinnedFolderDocuments -
-
- Start/AllowPinnedFolderDownloads -
-
- Start/AllowPinnedFolderFileExplorer -
-
- Start/AllowPinnedFolderHomeGroup -
-
- Start/AllowPinnedFolderMusic -
-
- Start/AllowPinnedFolderNetwork -
-
- Start/AllowPinnedFolderPersonalFolder -
-
- Start/AllowPinnedFolderPictures -
-
- Start/AllowPinnedFolderSettings -
-
- Start/AllowPinnedFolderVideos -
-
- Start/DisableContextMenus -
-
- Start/DisableControlCenter -
-
- Start/DisableEditingQuickSettings -
-
- Start/ForceStartSize -
-
- Start/HideAppList -
-
- Start/HideChangeAccountSettings -
-
- Start/HideFrequentlyUsedApps -
-
- Start/HideHibernate -
-
- Start/HideLock -
-
- Start/HidePeopleBar -
-
- Start/HidePowerButton -
-
- Start/HideRecentJumplists -
-
- Start/HideRecentlyAddedApps -
-
- Start/HideRecommendedSection -
-
- Start/HideRestart -
-
- Start/HideShutDown -
-
- Start/HideSignOut -
-
- Start/HideSleep -
-
- Start/HideSwitchAccount -
-
- Start/HideTaskViewButton -
-
- Start/HideUserTile -
-
- Start/ImportEdgeAssets -
-
- Start/NoPinningToTaskbar -
-
- Start/SimplifyQuickSettings -
-
- Start/StartLayout -
-
- -### Storage policies - -
-
- Storage/AllowDiskHealthModelUpdates -
-
- Storage/AllowStorageSenseGlobal -
-
- Storage/AllowStorageSenseTemporaryFilesCleanup -
-
- Storage/ConfigStorageSenseCloudContentDehydrationThreshold -
-
- Storage/ConfigStorageSenseDownloadsCleanupThreshold -
-
- Storage/ConfigStorageSenseGlobalCadence -
-
- Storage/ConfigStorageSenseRecycleBinCleanupThreshold -
- Storage/EnhancedStorageDevices -
-
- Storage/RemovableDiskDenyWriteAccess -
-
- Storage/WPDDevicesDenyReadAccessPerDevice -
-
- Storage/WPDDevicesDenyReadAccessPerUser -
-
- Storage/WPDDevicesDenyWriteAccessPerDevice -
-
- Storage/WPDDevicesDenyWriteAccessPerUser -
-
- -### System policies - -
-
- System/AllowBuildPreview -
-
- System/AllowCommercialDataPipeline -
-
- System/AllowDeviceNameInDiagnosticData -
-
- System/AllowEmbeddedMode -
-
- System/AllowExperimentation -
-
- System/AllowFontProviders -
-
- System/AllowLocation -
-
- System/AllowStorageCard -
-
- System/AllowTelemetry -
-
- System/AllowUserToResetPhone -
-
- System/BootStartDriverInitialization -
-
- System/ConfigureMicrosoft365UploadEndpoint -
-
- System/ConfigureTelemetryOptInChangeNotification -
-
- System/ConfigureTelemetryOptInSettingsUx -
-
- System/DisableDeviceDelete -
-
- System/DisableDiagnosticDataViewer -
-
- System/DisableEnterpriseAuthProxy -
-
- System/DisableOneDriveFileSync -
-
- System/DisableSystemRestore -
-
- System/FeedbackHubAlwaysSaveDiagnosticsLocally -
-
- System/LimitDiagnosticLogCollection -
-
- System/LimitDumpCollection -
-
- System/LimitEnhancedDiagnosticDataWindowsAnalytics -
-
- System/TelemetryProxy -
-
- System/TurnOffFileHistory -
-
- -### SystemServices policies - -
-
- SystemServices/ConfigureHomeGroupListenerServiceStartupMode -
-
- SystemServices/ConfigureHomeGroupProviderServiceStartupMode -
-
- SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode -
-
- SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode -
-
- SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode -
-
- SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode -
-
- -### TaskManager policies - -
-
- TaskManager/AllowEndTask -
-
- -### TaskScheduler policies - -
-
- TaskScheduler/EnableXboxGameSaveTask -
-
- -### TextInput policies - -
-
- TextInput/AllowHardwareKeyboardTextSuggestions -
-
- TextInput/AllowIMELogging -
-
- TextInput/AllowIMENetworkAccess -
-
- TextInput/AllowInputPanel -
-
- TextInput/AllowJapaneseIMESurrogatePairCharacters -
-
- TextInput/AllowJapaneseIVSCharacters -
-
- TextInput/AllowJapaneseNonPublishingStandardGlyph -
-
- TextInput/AllowJapaneseUserDictionary -
-
- TextInput/AllowKeyboardTextSuggestions -
-
- TextInput/AllowKoreanExtendedHanja -
-
- TextInput/AllowLanguageFeaturesUninstall -
-
- TextInput/AllowLinguisticDataCollection -
-
- TextInput/AllowTextInputSuggestionUpdate -
-
- TextInput/ConfigureJapaneseIMEVersion -
-
- TextInput/ConfigureSimplifiedChineseIMEVersion -
-
- TextInput/ConfigureTraditionalChineseIMEVersion -
-
- TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode -
-
- TextInput/ExcludeJapaneseIMEExceptJIS0208 -
-
- TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC -
-
- TextInput/ExcludeJapaneseIMEExceptShiftJIS -
-
- TextInput/ForceTouchKeyboardDockedState -
-
- TextInput/TouchKeyboardDictationButtonAvailability -
-
- TextInput/TouchKeyboardEmojiButtonAvailability -
-
- TextInput/TouchKeyboardFullModeAvailability -
-
- TextInput/TouchKeyboardHandwritingModeAvailability -
-
- TextInput/TouchKeyboardNarrowModeAvailability -
-
- TextInput/TouchKeyboardSplitModeAvailability -
-
- TextInput/TouchKeyboardWideModeAvailability -
-
- -### TimeLanguageSettings policies - -
-
- TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks -
-
- TimeLanguageSettings/ConfigureTimeZone -
-
- TimeLanguageSettings/MachineUILanguageOverwrite -
-
- TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall -
-
- -### Troubleshooting policies - -
-
- Troubleshooting/AllowRecommendations -
-
- -### Update policies - -
-
- Update/ActiveHoursEnd -
-
- Update/ActiveHoursMaxRange -
-
- Update/ActiveHoursStart -
-
- Update/AllowAutoUpdate -
-
- Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork -
-
- Update/AllowMUUpdateService -
-
- Update/AllowNonMicrosoftSignedUpdate -
-
- Update/AllowUpdateService -
-
- Update/AutoRestartDeadlinePeriodInDays -
-
- Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates -
-
- Update/AutoRestartNotificationSchedule -
-
- Update/AutoRestartRequiredNotificationDismissal -
-
- Update/AutomaticMaintenanceWakeUp -
-
- Update/BranchReadinessLevel -
-
- Update/ConfigureDeadlineForFeatureUpdates -
-
- Update/ConfigureDeadlineForQualityUpdates -
-
- Update/ConfigureDeadlineGracePeriod -
-
- Update/ConfigureDeadlineGracePeriodForFeatureUpdates -
-
- Update/ConfigureDeadlineNoAutoReboot -
-
- Update/ConfigureFeatureUpdateUninstallPeriod -
-
- Update/DeferFeatureUpdatesPeriodInDays -
-
- Update/DeferQualityUpdatesPeriodInDays -
-
- Update/DeferUpdatePeriod -
-
- Update/DeferUpgradePeriod -
-
- Update/DetectionFrequency -
-
- Update/DisableDualScan -
-
- Update/DisableWUfBSafeguards -
-
- Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection -
-
- Update/EngagedRestartDeadline -
-
- Update/EngagedRestartDeadlineForFeatureUpdates -
-
- Update/EngagedRestartSnoozeSchedule -
-
- Update/EngagedRestartSnoozeScheduleForFeatureUpdates -
-
- Update/EngagedRestartTransitionSchedule -
-
- Update/EngagedRestartTransitionScheduleForFeatureUpdates -
-
- Update/ExcludeWUDriversInQualityUpdate -
-
- Update/FillEmptyContentUrls -
-
- Update/IgnoreMOAppDownloadLimit -
-
- Update/IgnoreMOUpdateDownloadLimit -
-
- Update/ManagePreviewBuilds -
-
- Update/PauseDeferrals -
-
- Update/PauseFeatureUpdates -
-
- Update/PauseFeatureUpdatesStartTime -
-
- Update/PauseQualityUpdates -
-
- Update/PauseQualityUpdatesStartTime -
-
- Update/PhoneUpdateRestrictions -
-
- Update/RequireDeferUpgrade -
-
- Update/RequireUpdateApproval -
-
- Update/ScheduleImminentRestartWarning -
-
- Update/ScheduleRestartWarning -
-
- Update/ScheduledInstallDay -
-
- Update/ScheduledInstallEveryWeek -
-
- Update/ScheduledInstallFirstWeek -
-
- Update/ScheduledInstallFourthWeek -
-
- Update/ScheduledInstallSecondWeek -
-
- Update/ScheduledInstallThirdWeek -
-
- Update/ScheduledInstallTime -
-
- Update/SetAutoRestartNotificationDisable -
-
- Update/SetDisablePauseUXAccess -
-
- Update/SetDisableUXWUAccess -
-
- Update/SetEDURestart -
-
- Update/SetPolicyDrivenUpdateSourceForDriverUpdates -
-
- Update/SetPolicyDrivenUpdateSourceForFeatureUpdates -
-
- Update/SetPolicyDrivenUpdateSourceForOtherUpdates -
-
- Update/SetPolicyDrivenUpdateSourceForQualityUpdates -
-
- Update/SetProxyBehaviorForUpdateDetection -
-
- Update/TargetReleaseVersion -
-
-
- Update/UpdateNotificationLevel -
-
- Update/UpdateServiceUrl -
-
- Update/UpdateServiceUrlAlternate -
-
- -### UserRights policies - -
-
- UserRights/AccessCredentialManagerAsTrustedCaller -
-
- UserRights/AccessFromNetwork -
-
- UserRights/ActAsPartOfTheOperatingSystem -
-
- UserRights/AllowLocalLogOn -
-
- UserRights/BackupFilesAndDirectories -
-
- UserRights/ChangeSystemTime -
-
- UserRights/CreateGlobalObjects -
-
- UserRights/CreatePageFile -
-
- UserRights/CreatePermanentSharedObjects -
-
- UserRights/CreateSymbolicLinks -
-
- UserRights/CreateToken -
-
- UserRights/DebugPrograms -
-
- UserRights/DenyAccessFromNetwork -
-
- UserRights/DenyLocalLogOn -
-
- UserRights/DenyRemoteDesktopServicesLogOn -
-
- UserRights/EnableDelegation -
-
- UserRights/GenerateSecurityAudits -
-
- UserRights/ImpersonateClient -
-
- UserRights/IncreaseSchedulingPriority -
-
- UserRights/LoadUnloadDeviceDrivers -
-
- UserRights/LockMemory -
-
- UserRights/ManageAuditingAndSecurityLog -
-
- UserRights/ManageVolume -
-
- UserRights/ModifyFirmwareEnvironment -
-
- UserRights/ModifyObjectLabel -
-
- UserRights/ProfileSingleProcess -
-
- UserRights/RemoteShutdown -
-
- UserRights/RestoreFilesAndDirectories -
-
- UserRights/TakeOwnership -
-
- -### VirtualizationBasedTechnology policies - -
-
- VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity -
-
- VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable -
-
- -### WebThreatDefense policies - -
-
- WebThreatDefense/EnableService -
-
- WebThreatDefense/NotifyMalicious -
-
- WebThreatDefense/NotifyPasswordReuse -
-
- WebThreatDefense/NotifyUnsafeApp -
-
- -### Wifi policies - -
-
- WiFi/AllowWiFiHotSpotReporting -
-
- Wifi/AllowAutoConnectToWiFiSenseHotspots -
-
- Wifi/AllowInternetSharing -
-
- Wifi/AllowManualWiFiConfiguration -
-
- Wifi/AllowWiFi -
-
- Wifi/AllowWiFiDirect -
-
- Wifi/WLANScanMode -
-
- -### WindowsAutoPilot policies - -
-
- WindowsAutoPilot/EnableAgilityPostEnrollment -
-
- -### WindowsConnectionManager policies - -
-
- WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork -
-
- -### WindowsDefenderSecurityCenter policies - -
-
- WindowsDefenderSecurityCenter/CompanyName -
-
- WindowsDefenderSecurityCenter/DisableAccountProtectionUI -
-
- WindowsDefenderSecurityCenter/DisableAppBrowserUI -
-
- WindowsDefenderSecurityCenter/DisableClearTpmButton -
-
- WindowsDefenderSecurityCenter/DisableDeviceSecurityUI -
-
- WindowsDefenderSecurityCenter/DisableEnhancedNotifications -
-
- WindowsDefenderSecurityCenter/DisableFamilyUI -
-
- WindowsDefenderSecurityCenter/DisableHealthUI -
-
- WindowsDefenderSecurityCenter/DisableNetworkUI -
-
- WindowsDefenderSecurityCenter/DisableNotifications -
-
- WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning -
-
- WindowsDefenderSecurityCenter/DisableVirusUI -
-
- WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride -
-
- WindowsDefenderSecurityCenter/Email -
-
- WindowsDefenderSecurityCenter/EnableCustomizedToasts -
-
- WindowsDefenderSecurityCenter/EnableInAppCustomization -
-
- WindowsDefenderSecurityCenter/HideRansomwareDataRecovery -
-
- WindowsDefenderSecurityCenter/HideSecureBoot -
-
- WindowsDefenderSecurityCenter/HideTPMTroubleshooting -
-
- WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl -
-
- WindowsDefenderSecurityCenter/Phone -
-
- WindowsDefenderSecurityCenter/URL -
-
- -### WindowsInkWorkspace policies - -
-
- WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace -
-
- WindowsInkWorkspace/AllowWindowsInkWorkspace -
-
- -### WindowsLogon policies - -
-
- WindowsLogon/AllowAutomaticRestartSignOn -
-
- WindowsLogon/ConfigAutomaticRestartSignOn -
-
- WindowsLogon/DisableLockScreenAppNotifications -
-
- WindowsLogon/DontDisplayNetworkSelectionUI -
-
- WindowsLogon/EnableFirstLogonAnimation -
-
- WindowsLogon/EnableMPRNotifications -
-
- WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers -
-
- WindowsLogon/HideFastUserSwitching -
-
- -### WindowsPowerShell policies - -
-
- WindowsPowerShell/TurnOnPowerShellScriptBlockLogging -
-
- -### WindowsSandbox policies - -
-
- WindowsSandbox/AllowAudioInput -
-
- WindowsSandbox/AllowClipboardRedirection -
-
- WindowsSandbox/AllowNetworking -
-
- WindowsSandbox/AllowPrinterRedirection -
-
- WindowsSandbox/AllowVGPU -
-
- WindowsSandbox/AllowVideoInput -
-
- -### WirelessDisplay policies - -
-
- WirelessDisplay/AllowMdnsAdvertisement -
-
- WirelessDisplay/AllowMdnsDiscovery -
-
- WirelessDisplay/AllowMovementDetectionOnInfrastructure -
-
- WirelessDisplay/AllowProjectionFromPC -
-
- WirelessDisplay/AllowProjectionFromPCOverInfrastructure -
-
- WirelessDisplay/AllowProjectionToPC -
-
- WirelessDisplay/AllowProjectionToPCOverInfrastructure -
-
- WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver -
-
- WirelessDisplay/RequirePinForPairing -
-
- - -## Policies in Policy CSP supported by Group Policy and ADMX-backed policies in Policy CSP -- [Policies in Policy CSP supported by Group Policy](./policies-in-policy-csp-supported-by-group-policy.md) -- [ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) - -> [!NOTE] -> Not all Policies in Policy CSP supported by Group Policy are ADMX-backed. For more details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). - -## Policies in Policy CSP supported by HoloLens devices -- [Policies in Policy CSP supported by HoloLens 2](./policies-in-policy-csp-supported-by-hololens2.md) -- [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](./policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md) -- [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](./policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md) - -## Policies in Policy CSP supported by Windows 10 IoT -- [Policies in Policy CSP supported by Windows 10 IoT Core](./policies-in-policy-csp-supported-by-iot-core.md) - -## Policies in Policy CSP supported by Microsoft Surface Hub -- [Policies in Policy CSP supported by Microsoft Surface Hub](./policies-in-policy-csp-supported-by-surface-hub.md) - -## Policies in Policy CSP that can be set using Exchange ActiveSync (EAS) -- [Policies in Policy CSP that can be set using Exchange ActiveSync (EAS)](./policies-in-policy-csp-that-can-be-set-using-eas.md) - -## Related topics - -[Configuration service provider reference](index.yml) + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +#### Device/ConfigOperations/ADMXInstall/{AppName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName} +``` + + + +Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. | + + + + + + + + + +##### Device/ConfigOperations/ADMXInstall/{AppName}/{SettingsType} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingsType} +``` + + + +Setting Type of Win32 App. Policy Or Preference + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: Setting Type of Win32 App. Policy Or Preference | + + + + + + + + + +###### Device/ConfigOperations/ADMXInstall/{AppName}/{SettingsType}/{AdmxFileId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingsType}/{AdmxFileId} +``` + + + +Unique ID of ADMX file + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +##### Device/ConfigOperations/ADMXInstall/{AppName}/Properties + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.1481] and later
:heavy_check_mark: Windows 10, version 1803 [10.0.17134.1099] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.832] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.387] and later
:heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties +``` + + + +Properties of Win32 App ADMX Ingestion + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +###### Device/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.1481] and later
:heavy_check_mark: Windows 10, version 1803 [10.0.17134.1099] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.832] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.387] and later
:heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType} +``` + + + +Setting Type of Win32 App. Policy Or Preference + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: Setting Type of Win32 App. Policy Or Preference | + + + + + + + + + +###### Device/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}/{AdmxFileId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.1481] and later
:heavy_check_mark: Windows 10, version 1803 [10.0.17134.1099] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.832] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.387] and later
:heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}/{AdmxFileId} +``` + + + +Unique ID of ADMX file + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +###### Device/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}/{AdmxFileId}/Version + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.1481] and later
:heavy_check_mark: Windows 10, version 1803 [10.0.17134.1099] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.832] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.387] and later
:heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}/{AdmxFileId}/Version +``` + + + +Version of ADMX file. This can be set by the server to keep a record of the versioning of the ADMX file ingested by the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## Device/Result + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Result +``` + + + +Groups the evaluated policies from all providers that can be configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/Result/{AreaName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Result/{AreaName} +``` + + + +The area group that can be configured by a single technology independent of the providers. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +#### Device/Result/{AreaName}/{PolicyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Result/{AreaName}/{PolicyName} +``` + + + +Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +## User/Config + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | | + + + +```User +./User/Vendor/MSFT/Policy/Config +``` + + + +Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +### User/Config/{AreaName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | | + + + +```User +./User/Vendor/MSFT/Policy/Config/{AreaName} +``` + + + +The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. + + + + +The following list shows some tips to help you when configuring policies: + +- Separate substring values by Unicode `0xF000` in the XML file. + > [!NOTE] + > A query from a different caller could provide a different value as each caller could have different values for a named policy. +- In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction. +- Supported operations are Add, Get, Delete, and Replace. +- Value type is string. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +#### User/Config/{AreaName}/{PolicyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | | + + + +```User +./User/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName} +``` + + + +Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +## User/Result + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | | + + + +```User +./User/Vendor/MSFT/Policy/Result +``` + + + +Groups the evaluated policies from all providers that can be configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/Result/{AreaName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | | + + + +```User +./User/Vendor/MSFT/Policy/Result/{AreaName} +``` + + + +The area group that can be configured by a single technology independent of the providers. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +#### User/Result/{AreaName}/{PolicyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | | + + + +```User +./User/Vendor/MSFT/Policy/Result/{AreaName}/{PolicyName} +``` + + + +Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Get | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + +## Policy Areas + +- [AboveLock](policy-csp-abovelock.md) +- [Accounts](policy-csp-accounts.md) +- [ActiveXControls](policy-csp-activexcontrols.md) +- [ADMX_ActiveXInstallService](policy-csp-admx-activexinstallservice.md) +- [ADMX_AddRemovePrograms](policy-csp-admx-addremoveprograms.md) +- [ADMX_AdmPwd](policy-csp-admx-admpwd.md) +- [ADMX_AppCompat](policy-csp-admx-appcompat.md) +- [ADMX_AppxPackageManager](policy-csp-admx-appxpackagemanager.md) +- [ADMX_AppXRuntime](policy-csp-admx-appxruntime.md) +- [ADMX_AttachmentManager](policy-csp-admx-attachmentmanager.md) +- [ADMX_AuditSettings](policy-csp-admx-auditsettings.md) +- [ADMX_Bits](policy-csp-admx-bits.md) +- [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) +- [ADMX_COM](policy-csp-admx-com.md) +- [ADMX_ControlPanel](policy-csp-admx-controlpanel.md) +- [ADMX_ControlPanelDisplay](policy-csp-admx-controlpaneldisplay.md) +- [ADMX_Cpls](policy-csp-admx-cpls.md) +- [ADMX_CredentialProviders](policy-csp-admx-credentialproviders.md) +- [ADMX_CredSsp](policy-csp-admx-credssp.md) +- [ADMX_CredUI](policy-csp-admx-credui.md) +- [ADMX_CtrlAltDel](policy-csp-admx-ctrlaltdel.md) +- [ADMX_DataCollection](policy-csp-admx-datacollection.md) +- [ADMX_DCOM](policy-csp-admx-dcom.md) +- [ADMX_Desktop](policy-csp-admx-desktop.md) +- [ADMX_DeviceCompat](policy-csp-admx-devicecompat.md) +- [ADMX_DeviceGuard](policy-csp-admx-deviceguard.md) +- [ADMX_DeviceInstallation](policy-csp-admx-deviceinstallation.md) +- [ADMX_DeviceSetup](policy-csp-admx-devicesetup.md) +- [ADMX_DFS](policy-csp-admx-dfs.md) +- [ADMX_DigitalLocker](policy-csp-admx-digitallocker.md) +- [ADMX_DiskDiagnostic](policy-csp-admx-diskdiagnostic.md) +- [ADMX_DiskNVCache](policy-csp-admx-disknvcache.md) +- [ADMX_DiskQuota](policy-csp-admx-diskquota.md) +- [ADMX_DistributedLinkTracking](policy-csp-admx-distributedlinktracking.md) +- [ADMX_DnsClient](policy-csp-admx-dnsclient.md) +- [ADMX_DWM](policy-csp-admx-dwm.md) +- [ADMX_EAIME](policy-csp-admx-eaime.md) +- [ADMX_EncryptFilesonMove](policy-csp-admx-encryptfilesonmove.md) +- [ADMX_EnhancedStorage](policy-csp-admx-enhancedstorage.md) +- [ADMX_ErrorReporting](policy-csp-admx-errorreporting.md) +- [ADMX_EventForwarding](policy-csp-admx-eventforwarding.md) +- [ADMX_EventLog](policy-csp-admx-eventlog.md) +- [ADMX_EventLogging](policy-csp-admx-eventlogging.md) +- [ADMX_EventViewer](policy-csp-admx-eventviewer.md) +- [ADMX_Explorer](policy-csp-admx-explorer.md) +- [ADMX_ExternalBoot](policy-csp-admx-externalboot.md) +- [ADMX_FileRecovery](policy-csp-admx-filerecovery.md) +- [ADMX_FileRevocation](policy-csp-admx-filerevocation.md) +- [ADMX_FileServerVSSProvider](policy-csp-admx-fileservervssprovider.md) +- [ADMX_FileSys](policy-csp-admx-filesys.md) +- [ADMX_FolderRedirection](policy-csp-admx-folderredirection.md) +- [ADMX_FramePanes](policy-csp-admx-framepanes.md) +- [ADMX_fthsvc](policy-csp-admx-fthsvc.md) +- [ADMX_Globalization](policy-csp-admx-globalization.md) +- [ADMX_GroupPolicy](policy-csp-admx-grouppolicy.md) +- [ADMX_Help](policy-csp-admx-help.md) +- [ADMX_HelpAndSupport](policy-csp-admx-helpandsupport.md) +- [ADMX_hotspotauth](policy-csp-admx-hotspotauth.md) +- [ADMX_ICM](policy-csp-admx-icm.md) +- [ADMX_IIS](policy-csp-admx-iis.md) +- [ADMX_iSCSI](policy-csp-admx-iscsi.md) +- [ADMX_kdc](policy-csp-admx-kdc.md) +- [ADMX_Kerberos](policy-csp-admx-kerberos.md) +- [ADMX_LanmanServer](policy-csp-admx-lanmanserver.md) +- [ADMX_LanmanWorkstation](policy-csp-admx-lanmanworkstation.md) +- [ADMX_LeakDiagnostic](policy-csp-admx-leakdiagnostic.md) +- [ADMX_LinkLayerTopologyDiscovery](policy-csp-admx-linklayertopologydiscovery.md) +- [ADMX_LocationProviderAdm](policy-csp-admx-locationprovideradm.md) +- [ADMX_Logon](policy-csp-admx-logon.md) +- [ADMX_MicrosoftDefenderAntivirus](policy-csp-admx-microsoftdefenderantivirus.md) +- [ADMX_MMC](policy-csp-admx-mmc.md) +- [ADMX_MMCSnapins](policy-csp-admx-mmcsnapins.md) +- [ADMX_MobilePCMobilityCenter](policy-csp-admx-mobilepcmobilitycenter.md) +- [ADMX_MobilePCPresentationSettings](policy-csp-admx-mobilepcpresentationsettings.md) +- [ADMX_MSAPolicy](policy-csp-admx-msapolicy.md) +- [ADMX_msched](policy-csp-admx-msched.md) +- [ADMX_MSDT](policy-csp-admx-msdt.md) +- [ADMX_MSI](policy-csp-admx-msi.md) +- [ADMX_MsiFileRecovery](policy-csp-admx-msifilerecovery.md) +- [ADMX_MSS-legacy](policy-csp-admx-mss-legacy.md) +- [ADMX_nca](policy-csp-admx-nca.md) +- [ADMX_NCSI](policy-csp-admx-ncsi.md) +- [ADMX_Netlogon](policy-csp-admx-netlogon.md) +- [ADMX_NetworkConnections](policy-csp-admx-networkconnections.md) +- [ADMX_OfflineFiles](policy-csp-admx-offlinefiles.md) +- [ADMX_pca](policy-csp-admx-pca.md) +- [ADMX_PeerToPeerCaching](policy-csp-admx-peertopeercaching.md) +- [ADMX_PenTraining](policy-csp-admx-pentraining.md) +- [ADMX_PerformanceDiagnostics](policy-csp-admx-performancediagnostics.md) +- [ADMX_Power](policy-csp-admx-power.md) +- [ADMX_PowerShellExecutionPolicy](policy-csp-admx-powershellexecutionpolicy.md) +- [ADMX_PreviousVersions](policy-csp-admx-previousversions.md) +- [ADMX_Printing](policy-csp-admx-printing.md) +- [ADMX_Printing2](policy-csp-admx-printing2.md) +- [ADMX_Programs](policy-csp-admx-programs.md) +- [ADMX_PushToInstall](policy-csp-admx-pushtoinstall.md) +- [ADMX_QOS](policy-csp-admx-qos.md) +- [ADMX_Radar](policy-csp-admx-radar.md) +- [ADMX_Reliability](policy-csp-admx-reliability.md) +- [ADMX_RemoteAssistance](policy-csp-admx-remoteassistance.md) +- [ADMX_RemovableStorage](policy-csp-admx-removablestorage.md) +- [ADMX_RPC](policy-csp-admx-rpc.md) +- [ADMX_sam](policy-csp-admx-sam.md) +- [ADMX_Scripts](policy-csp-admx-scripts.md) +- [ADMX_sdiageng](policy-csp-admx-sdiageng.md) +- [ADMX_sdiagschd](policy-csp-admx-sdiagschd.md) +- [ADMX_Securitycenter](policy-csp-admx-securitycenter.md) +- [ADMX_Sensors](policy-csp-admx-sensors.md) +- [ADMX_ServerManager](policy-csp-admx-servermanager.md) +- [ADMX_Servicing](policy-csp-admx-servicing.md) +- [ADMX_SettingSync](policy-csp-admx-settingsync.md) +- [ADMX_SharedFolders](policy-csp-admx-sharedfolders.md) +- [ADMX_Sharing](policy-csp-admx-sharing.md) +- [ADMX_ShellCommandPromptRegEditTools](policy-csp-admx-shellcommandpromptregedittools.md) +- [ADMX_Smartcard](policy-csp-admx-smartcard.md) +- [ADMX_Snmp](policy-csp-admx-snmp.md) +- [ADMX_SoundRec](policy-csp-admx-soundrec.md) +- [ADMX_srmfci](policy-csp-admx-srmfci.md) +- [ADMX_StartMenu](policy-csp-admx-startmenu.md) +- [ADMX_SystemRestore](policy-csp-admx-systemrestore.md) +- [ADMX_TabletPCInputPanel](policy-csp-admx-tabletpcinputpanel.md) +- [ADMX_TabletShell](policy-csp-admx-tabletshell.md) +- [ADMX_Taskbar](policy-csp-admx-taskbar.md) +- [ADMX_tcpip](policy-csp-admx-tcpip.md) +- [ADMX_TerminalServer](policy-csp-admx-terminalserver.md) +- [ADMX_Thumbnails](policy-csp-admx-thumbnails.md) +- [ADMX_TouchInput](policy-csp-admx-touchinput.md) +- [ADMX_TPM](policy-csp-admx-tpm.md) +- [ADMX_UserExperienceVirtualization](policy-csp-admx-userexperiencevirtualization.md) +- [ADMX_UserProfiles](policy-csp-admx-userprofiles.md) +- [ADMX_W32Time](policy-csp-admx-w32time.md) +- [ADMX_WCM](policy-csp-admx-wcm.md) +- [ADMX_WDI](policy-csp-admx-wdi.md) +- [ADMX_WinCal](policy-csp-admx-wincal.md) +- [ADMX_WindowsColorSystem](policy-csp-admx-windowscolorsystem.md) +- [ADMX_WindowsConnectNow](policy-csp-admx-windowsconnectnow.md) +- [ADMX_WindowsExplorer](policy-csp-admx-windowsexplorer.md) +- [ADMX_WindowsMediaDRM](policy-csp-admx-windowsmediadrm.md) +- [ADMX_WindowsMediaPlayer](policy-csp-admx-windowsmediaplayer.md) +- [ADMX_WindowsRemoteManagement](policy-csp-admx-windowsremotemanagement.md) +- [ADMX_WindowsStore](policy-csp-admx-windowsstore.md) +- [ADMX_WinInit](policy-csp-admx-wininit.md) +- [ADMX_WinLogon](policy-csp-admx-winlogon.md) +- [ADMX_Winsrv](policy-csp-admx-winsrv.md) +- [ADMX_wlansvc](policy-csp-admx-wlansvc.md) +- [ADMX_WordWheel](policy-csp-admx-wordwheel.md) +- [ADMX_WorkFoldersClient](policy-csp-admx-workfoldersclient.md) +- [ADMX_WPN](policy-csp-admx-wpn.md) +- [ApplicationDefaults](policy-csp-applicationdefaults.md) +- [ApplicationManagement](policy-csp-applicationmanagement.md) +- [AppRuntime](policy-csp-appruntime.md) +- [AppVirtualization](policy-csp-appvirtualization.md) +- [AttachmentManager](policy-csp-attachmentmanager.md) +- [Audit](policy-csp-audit.md) +- [Authentication](policy-csp-authentication.md) +- [Autoplay](policy-csp-autoplay.md) +- [Bitlocker](policy-csp-bitlocker.md) +- [BITS](policy-csp-bits.md) +- [Bluetooth](policy-csp-bluetooth.md) +- [Browser](policy-csp-browser.md) +- [Camera](policy-csp-camera.md) +- [Cellular](policy-csp-cellular.md) +- [CloudDesktop](policy-csp-clouddesktop.md) +- [CloudPC](policy-csp-cloudpc.md) +- [Connectivity](policy-csp-connectivity.md) +- [ControlPolicyConflict](policy-csp-controlpolicyconflict.md) +- [CredentialProviders](policy-csp-credentialproviders.md) +- [CredentialsDelegation](policy-csp-credentialsdelegation.md) +- [CredentialsUI](policy-csp-credentialsui.md) +- [Cryptography](policy-csp-cryptography.md) +- [DataProtection](policy-csp-dataprotection.md) +- [DataUsage](policy-csp-datausage.md) +- [Defender](policy-csp-defender.md) +- [DeliveryOptimization](policy-csp-deliveryoptimization.md) +- [Desktop](policy-csp-desktop.md) +- [DesktopAppInstaller](policy-csp-desktopappinstaller.md) +- [DeviceGuard](policy-csp-deviceguard.md) +- [DeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md) +- [DeviceInstallation](policy-csp-deviceinstallation.md) +- [DeviceLock](policy-csp-devicelock.md) +- [Display](policy-csp-display.md) +- [DmaGuard](policy-csp-dmaguard.md) +- [Eap](policy-csp-eap.md) +- [Education](policy-csp-education.md) +- [EnterpriseCloudPrint](policy-csp-enterprisecloudprint.md) +- [ErrorReporting](policy-csp-errorreporting.md) +- [EventLogService](policy-csp-eventlogservice.md) +- [Experience](policy-csp-experience.md) +- [ExploitGuard](policy-csp-exploitguard.md) +- [FederatedAuthentication](policy-csp-federatedauthentication.md) +- [FileExplorer](policy-csp-fileexplorer.md) +- [Games](policy-csp-games.md) +- [Handwriting](policy-csp-handwriting.md) +- [HumanPresence](policy-csp-humanpresence.md) +- [InternetExplorer](policy-csp-internetexplorer.md) +- [Kerberos](policy-csp-kerberos.md) +- [KioskBrowser](policy-csp-kioskbrowser.md) +- [LanmanWorkstation](policy-csp-lanmanworkstation.md) +- [Licensing](policy-csp-licensing.md) +- [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md) +- [LocalSecurityAuthority](policy-csp-lsa.md) +- [LocalUsersAndGroups](policy-csp-localusersandgroups.md) +- [LockDown](policy-csp-lockdown.md) +- [Maps](policy-csp-maps.md) +- [MemoryDump](policy-csp-memorydump.md) +- [Messaging](policy-csp-messaging.md) +- [MixedReality](policy-csp-mixedreality.md) +- [MSSecurityGuide](policy-csp-mssecurityguide.md) +- [MSSLegacy](policy-csp-msslegacy.md) +- [Multitasking](policy-csp-multitasking.md) +- [NetworkIsolation](policy-csp-networkisolation.md) +- [NetworkListManager](policy-csp-networklistmanager.md) +- [NewsAndInterests](policy-csp-newsandinterests.md) +- [Notifications](policy-csp-notifications.md) +- [Power](policy-csp-power.md) +- [Printers](policy-csp-printers.md) +- [Privacy](policy-csp-privacy.md) +- [RemoteAssistance](policy-csp-remoteassistance.md) +- [RemoteDesktop](policy-csp-remotedesktop.md) +- [RemoteDesktopServices](policy-csp-remotedesktopservices.md) +- [RemoteManagement](policy-csp-remotemanagement.md) +- [RemoteProcedureCall](policy-csp-remoteprocedurecall.md) +- [RemoteShell](policy-csp-remoteshell.md) +- [RestrictedGroups](policy-csp-restrictedgroups.md) +- [Search](policy-csp-search.md) +- [Security](policy-csp-security.md) +- [ServiceControlManager](policy-csp-servicecontrolmanager.md) +- [Settings](policy-csp-settings.md) +- [SettingsSync](policy-csp-settingssync.md) +- [SmartScreen](policy-csp-smartscreen.md) +- [Speech](policy-csp-speech.md) +- [Start](policy-csp-start.md) +- [Stickers](policy-csp-stickers.md) +- [Storage](policy-csp-storage.md) +- [System](policy-csp-system.md) +- [SystemServices](policy-csp-systemservices.md) +- [TaskManager](policy-csp-taskmanager.md) +- [TaskScheduler](policy-csp-taskscheduler.md) +- [TenantDefinedTelemetry](policy-csp-tenantdefinedtelemetry.md) +- [TenantRestrictions](policy-csp-tenantrestrictions.md) +- [TextInput](policy-csp-textinput.md) +- [TimeLanguageSettings](policy-csp-timelanguagesettings.md) +- [Troubleshooting](policy-csp-troubleshooting.md) +- [Update](policy-csp-update.md) +- [UserRights](policy-csp-userrights.md) +- [VirtualizationBasedTechnology](policy-csp-virtualizationbasedtechnology.md) +- [WebThreatDefense](policy-csp-webthreatdefense.md) +- [Wifi](policy-csp-wifi.md) +- [WindowsAutopilot](policy-csp-windowsautopilot.md) +- [WindowsConnectionManager](policy-csp-windowsconnectionmanager.md) +- [WindowsDefenderSecurityCenter](policy-csp-windowsdefendersecuritycenter.md) +- [WindowsInkWorkspace](policy-csp-windowsinkworkspace.md) +- [WindowsLogon](policy-csp-windowslogon.md) +- [WindowsPowerShell](policy-csp-windowspowershell.md) +- [WindowsSandbox](policy-csp-windowssandbox.md) +- [WirelessDisplay](policy-csp-wirelessdisplay.md) + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/policy-csp-admx-mss-legacy.md b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md new file mode 100644 index 0000000000..a22c707db1 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md @@ -0,0 +1,812 @@ +--- +title: ADMX_MSS-legacy Policy CSP +description: Learn more about the ADMX_MSS-legacy Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 11/29/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - ADMX_MSS-legacy + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + + + +## Pol_MSS_AutoAdminLogon + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoAdminLogon +``` + + + + + + + + +Enable Automatic Logon (not recommended). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_AutoReboot + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoReboot +``` + + + + + + + + +Allow Windows to automatically restart after a system crash (recommended except for highly secure environments). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_AutoShareServer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoShareServer +``` + + + + + + + + +Enable administrative shares on servers (recommended except for highly secure environments). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_AutoShareWks + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoShareWks +``` + + + + + + + + +Enable administrative shares on workstations (recommended except for highly secure environments). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_DisableSavePassword + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_DisableSavePassword +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + +Prevent the dial-up password from being saved (recommended). + + + + + +## Pol_MSS_EnableDeadGWDetect + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_EnableDeadGWDetect +``` + + + + + + + + +Allow automatic detection of dead network gateways (could lead to DoS). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_HideFromBrowseList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_HideFromBrowseList +``` + + + + + + + + +Hide Computer From the Browse List (not recommended except for highly secure environments). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_KeepAliveTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_KeepAliveTime +``` + + + + + + + + +Define how often keep-alive packets are sent in milliseconds. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_NoDefaultExempt + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_NoDefaultExempt +``` + + + + + + + + +Configure IPSec exemptions for various types of network traffic. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_NtfsDisable8dot3NameCreation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_NtfsDisable8dot3NameCreation +``` + + + + + + + + +Enable the computer to stop generating 8.3 style filenames. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_PerformRouterDiscovery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_PerformRouterDiscovery +``` + + + + + + + + + Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_SafeDllSearchMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_SafeDllSearchMode +``` + + + + + + + + +Enable Safe DLL search mode (recommended). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_ScreenSaverGracePeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_ScreenSaverGracePeriod +``` + + + + + + + + +he time in seconds before the screen saver grace period expires (0 recommended). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_SynAttackProtect + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_SynAttackProtect +``` + + + + + + + + +Syn attack protection level (protects against DoS). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_TcpMaxConnectResponseRetransmissions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_TcpMaxConnectResponseRetransmissions +``` + + + + + + + + +SYN-ACK retransmissions when a connection request is not acknowledged. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_TcpMaxDataRetransmissions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_TcpMaxDataRetransmissions +``` + + + + + + + + +Define how many times unacknowledged data is retransmitted (3 recommended, 5 is default). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_TcpMaxDataRetransmissionsIPv6 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_TcpMaxDataRetransmissionsIPv6 +``` + + + + + + + + +Define how many times unacknowledged data is retransmitted (3 recommended, 5 is default). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_WarningLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_WarningLevel +``` + + + + + + + + +Percentage threshold for the security event log at which the system will generate a warning. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-qos.md b/windows/client-management/mdm/policy-csp-admx-qos.md new file mode 100644 index 0000000000..615fe1f468 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-qos.md @@ -0,0 +1,1145 @@ +--- +title: ADMX_QOS Policy CSP +description: Learn more about the ADMX_QOS Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 11/29/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - ADMX_QOS + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + + + +## QosMaxOutstandingSends + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosMaxOutstandingSends +``` + + + +Specifies the maximum number of outstanding packets permitted on the system. When the number of outstanding packets reaches this limit, the Packet Scheduler postpones all submissions to network adapters until the number falls below this limit. + +"Outstanding packets" are packets that the Packet Scheduler has submitted to a network adapter for transmission, but which have not yet been sent. + +If you enable this setting, you can limit the number of outstanding packets. + +If you disable this setting or do not configure it, then the setting has no effect on the system. + +Important: If the maximum number of outstanding packets is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosMaxOutstandingSends | +| Friendly Name | Limit outstanding packets | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosNonBestEffortLimit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosNonBestEffortLimit +``` + + + +Determines the percentage of connection bandwidth that the system can reserve. This value limits the combined bandwidth reservations of all programs running on the system. + +By default, the Packet Scheduler limits the system to 80 percent of the bandwidth of a connection, but you can use this setting to override the default. + +If you enable this setting, you can use the "Bandwidth limit" box to adjust the amount of bandwidth the system can reserve. + +If you disable this setting or do not configure it, the system uses the default value of 80 percent of the connection. + +Important: If a bandwidth limit is set for a particular network adapter in the registry, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosNonBestEffortLimit | +| Friendly Name | Limit reservable bandwidth | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeBestEffort_C + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeBestEffort_C +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Best Effort service type. + +If you disable this setting, the system uses the default DSCP value of 0. + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeBestEffort_C | +| Friendly Name | Best effort service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeBestEffort_NC + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeBestEffort_NC +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that do not conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Best Effort service type. + +If you disable this setting, the system uses the default DSCP value of 0. + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeBestEffort_NC | +| Friendly Name | Best effort service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of non-conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeBestEffort_PV + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeBestEffort_PV +``` + + + +Specifies an alternate link layer (Layer-2) priority value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. + +If you enable this setting, you can change the default priority value associated with the Best Effort service type. + +If you disable this setting, the system uses the default priority value of 0. + +Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeBestEffort_PV | +| Friendly Name | Best effort service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > Layer-2 priority value | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeControlledLoad_C + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeControlledLoad_C +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Controlled Load service type. + +If you disable this setting, the system uses the default DSCP value of 24 (0x18). + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeControlledLoad_C | +| Friendly Name | Controlled load service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeControlledLoad_NC + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeControlledLoad_NC +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that do not conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Controlled Load service type. + +If you disable this setting, the system uses the default DSCP value of 0. + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeControlledLoad_NC | +| Friendly Name | Controlled load service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of non-conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeControlledLoad_PV + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeControlledLoad_PV +``` + + + +Specifies an alternate link layer (Layer-2) priority value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. + +If you enable this setting, you can change the default priority value associated with the Controlled Load service type. + +If you disable this setting, the system uses the default priority value of 0. + +Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeControlledLoad_PV | +| Friendly Name | Controlled load service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > Layer-2 priority value | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeGuaranteed_C + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeGuaranteed_C +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Guaranteed service type. + +If you disable this setting, the system uses the default DSCP value of 40 (0x28). + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeGuaranteed_C | +| Friendly Name | Guaranteed service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeGuaranteed_NC + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeGuaranteed_NC +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that do not conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Guaranteed service type. + +If you disable this setting, the system uses the default DSCP value of 0. + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeGuaranteed_NC | +| Friendly Name | Guaranteed service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of non-conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeGuaranteed_PV + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeGuaranteed_PV +``` + + + +Specifies an alternate link layer (Layer-2) priority value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. + +If you enable this setting, you can change the default priority value associated with the Guaranteed service type. + +If you disable this setting, the system uses the default priority value of 0. + +Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeGuaranteed_PV | +| Friendly Name | Guaranteed service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > Layer-2 priority value | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeNetworkControl_C + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeNetworkControl_C +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Network Control service type. + +If you disable this setting, the system uses the default DSCP value of 48 (0x30). + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeNetworkControl_C | +| Friendly Name | Network control service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeNetworkControl_NC + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeNetworkControl_NC +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that do not conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Network Control service type. + +If you disable this setting, the system uses the default DSCP value of 0. + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeNetworkControl_NC | +| Friendly Name | Network control service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of non-conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeNetworkControl_PV + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeNetworkControl_PV +``` + + + +Specifies an alternate link layer (Layer-2) priority value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. + +If you enable this setting, you can change the default priority value associated with the Network Control service type. + +If you disable this setting, the system uses the default priority value of 0. + +Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeNetworkControl_PV | +| Friendly Name | Network control service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > Layer-2 priority value | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeNonConforming + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeNonConforming +``` + + + +Specifies an alternate link layer (Layer-2) priority value for packets that do not conform to the flow specification. The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. + +If you enable this setting, you can change the default priority value associated with nonconforming packets. + +If you disable this setting, the system uses the default priority value of 0. + +Important: If the Layer-2 priority value for nonconforming packets is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeNonConforming | +| Friendly Name | Non-conforming packets | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > Layer-2 priority value | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeQualitative_C + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeQualitative_C +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Qualitative service type. + +If you disable this setting, the system uses the default DSCP value of 0. + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeQualitative_C | +| Friendly Name | Qualitative service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeQualitative_NC + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeQualitative_NC +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that do not conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Qualitative service type. + +If you disable this setting, the system uses the default DSCP value of 0. + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeQualitative_NC | +| Friendly Name | Qualitative service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of non-conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeQualitative_PV + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeQualitative_PV +``` + + + +Specifies an alternate link layer (Layer-2) priority value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. + +If you enable this setting, you can change the default priority value associated with the Qualitative service type. + +If you disable this setting, the system uses the default priority value of 0. + +Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeQualitative_PV | +| Friendly Name | Qualitative service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > Layer-2 priority value | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosTimerResolution + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosTimerResolution +``` + + + +Determines the smallest unit of time that the Packet Scheduler uses when scheduling packets for transmission. The Packet Scheduler cannot schedule packets for transmission more frequently than permitted by the value of this entry. + +If you enable this setting, you can override the default timer resolution established for the system, usually units of 10 microseconds. + +If you disable this setting or do not configure it, the setting has no effect on the system. + +Important: If a timer resolution is specified in the registry for a particular network adapter, then this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosTimerResolution | +| Friendly Name | Set timer resolution | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched | +| ADMX File Name | QOS.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-sam.md b/windows/client-management/mdm/policy-csp-admx-sam.md new file mode 100644 index 0000000000..16f8928707 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-sam.md @@ -0,0 +1,113 @@ +--- +title: ADMX_sam Policy CSP +description: Learn more about the ADMX_sam Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 11/29/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - ADMX_sam + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + + + +## SamNGCKeyROCAValidation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_sam/SamNGCKeyROCAValidation +``` + + + +This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the "Return of Coppersmith's attack" (ROCA) vulnerability. + +For more information on the ROCA vulnerability, please see: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361 + +https://en.wikipedia.org/wiki/ROCA_vulnerability + +If you enable this policy setting the following options are supported: + +Ignore: during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability. + +Audit: during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed). + +Block: during authentication the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail). + +This setting only takes effect on domain controllers. + +If not configured, domain controllers will default to using their local configuration. The default local configuration is Audit. + +A reboot is not required for changes to this setting to take effect. + +Note: to avoid unexpected disruptions this setting should not be set to Block until appropriate mitigations have been performed, for example patching of vulnerable TPMs. + +More information is available at https://go.microsoft.com/fwlink/?linkid=2116430. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SamNGCKeyROCAValidation | +| Friendly Name | Configure validation of ROCA-vulnerable WHfB keys during authentication | +| Location | Computer Configuration | +| Path | System > Security Account Manager | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\SAM | +| ADMX File Name | sam.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md new file mode 100644 index 0000000000..b8297ea689 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md @@ -0,0 +1,1038 @@ +--- +title: ADMX_TabletPCInputPanel Policy CSP +description: Learn more about the ADMX_TabletPCInputPanel Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 11/29/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - ADMX_TabletPCInputPanel + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + + + +## AutoComplete_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/AutoComplete_2 +``` + + + +Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, application auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this setting on the Text completion tab in Input Panel Options. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoComplete | +| Friendly Name | Turn off AutoComplete integration with Input Panel | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | DisableACIntegration | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## EdgeTarget_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/EdgeTarget_2 +``` + + + +Prevents Input Panel tab from appearing on the edge of the Tablet PC screen. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, Input Panel tab will not appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options. + +Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EdgeTarget | +| Friendly Name | Prevent Input Panel tab from appearing | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | DisableEdgeTarget | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## IPTIPTarget_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTarget_2 +``` + + + +Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when using a tablet pen as an input device. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, Input Panel will never appear next to text entry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, Input Panel will appear next to any text entry area in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options. + +Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IPTIPTarget | +| Friendly Name | For tablet pen input, don’t show the Input Panel icon | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | HideIPTIPTarget | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## IPTIPTouchTarget_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTouchTarget_2 +``` + + + +Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when a user is using touch input. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, Input Panel will never appear next to any text entry area when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IPTIPTouchTarget | +| Friendly Name | For touch input, don’t show the Input Panel icon | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | HideIPTIPTouchTarget | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## PasswordSecurity_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/PasswordSecurity_2 +``` + + + +Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista). These settings include using the on-screen keyboard by default, preventing users from switching to another Input Panel skin (the writing pad or character pad), and not showing what keys are tapped when entering a password. + +Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy and choose “Low” from the drop-down box, password security is set to “Low.” At this setting, all password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “Medium-Low” from the drop-down box, password security is set to “Medium-Low.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “Medium” from the drop-down box, password security is set to “Medium.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose to “Medium-High” from the drop-down box, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “High” from the drop-down box, password security is set to “High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, password security is set to “Medium-High” by default. At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will be able to configure this setting on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista. + +Caution: If you lower password security settings, people who can see the user’s screen might be able to see their passwords. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PasswordSecurity | +| Friendly Name | Turn off password security in Input Panel | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | PasswordSecurityState | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## Prediction_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/Prediction_2 +``` + + + +Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab when the feature is available for the current input area and input language. + +Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, Input Panel will not provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, Input Panel will provide text prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and Windows Vista. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnablePrediction | +| Friendly Name | Disable text prediction | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | DisablePrediction | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## RareChar_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/RareChar_2 +``` + + + +Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed text. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified), Chinese (Traditional), Japanese, and Korean. This setting appears in Input Panel Options (in Windows 7 and Windows Vista only) only when these input languages or keyboards are installed. + +Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, rarely used Chinese, Kanji, and Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will be able to configure this setting on the Ink to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RareChar | +| Friendly Name | Include rarely used Chinese, Kanji, or Hanja characters | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | IncludeRareChar | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## ScratchOut_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/ScratchOut_2 +``` + + + +Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. + +The tolerant gestures let users scratch out ink in Input Panel by using strikethrough and other scratch-out gesture shapes. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy and choose “All” from the drop-down menu, no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “Tolerant," users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “None,” users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the Gestures tab in Input Panel Options. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ScratchOut | +| Friendly Name | Turn off tolerant and Z-shaped scratch-out gestures | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | ScratchOutState | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## AutoComplete_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/AutoComplete_1 +``` + + + +Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, application auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this setting on the Text completion tab in Input Panel Options. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoComplete | +| Friendly Name | Turn off AutoComplete integration with Input Panel | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | DisableACIntegration | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## EdgeTarget_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/EdgeTarget_1 +``` + + + +Prevents Input Panel tab from appearing on the edge of the Tablet PC screen. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, Input Panel tab will not appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options. + +Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EdgeTarget | +| Friendly Name | Prevent Input Panel tab from appearing | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | DisableEdgeTarget | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## IPTIPTarget_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTarget_1 +``` + + + +Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when using a tablet pen as an input device. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, Input Panel will never appear next to text entry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, Input Panel will appear next to any text entry area in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options. + +Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IPTIPTarget | +| Friendly Name | For tablet pen input, don’t show the Input Panel icon | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | HideIPTIPTarget | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## IPTIPTouchTarget_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTouchTarget_1 +``` + + + +Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when a user is using touch input. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, Input Panel will never appear next to any text entry area when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IPTIPTouchTarget | +| Friendly Name | For touch input, don’t show the Input Panel icon | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | HideIPTIPTouchTarget | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## PasswordSecurity_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/PasswordSecurity_1 +``` + + + +Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista). These settings include using the on-screen keyboard by default, preventing users from switching to another Input Panel skin (the writing pad or character pad), and not showing what keys are tapped when entering a password. + +Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy and choose “Low” from the drop-down box, password security is set to “Low.” At this setting, all password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “Medium-Low” from the drop-down box, password security is set to “Medium-Low.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “Medium” from the drop-down box, password security is set to “Medium.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose to “Medium-High” from the drop-down box, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “High” from the drop-down box, password security is set to “High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, password security is set to “Medium-High” by default. At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will be able to configure this setting on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista. + +Caution: If you lower password security settings, people who can see the user’s screen might be able to see their passwords. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PasswordSecurity | +| Friendly Name | Turn off password security in Input Panel | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | PasswordSecurityState | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## Prediction_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/Prediction_1 +``` + + + +Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab when the feature is available for the current input area and input language. + +Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, Input Panel will not provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, Input Panel will provide text prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and Windows Vista. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnablePrediction | +| Friendly Name | Disable text prediction | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | DisablePrediction | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## RareChar_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/RareChar_1 +``` + + + +Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed text. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified), Chinese (Traditional), Japanese, and Korean. This setting appears in Input Panel Options (in Windows 7 and Windows Vista only) only when these input languages or keyboards are installed. + +Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, rarely used Chinese, Kanji, and Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will be able to configure this setting on the Ink to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RareChar | +| Friendly Name | Include rarely used Chinese, Kanji, or Hanja characters | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | IncludeRareChar | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## ScratchOut_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/ScratchOut_1 +``` + + + +Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. + +The tolerant gestures let users scratch out ink in Input Panel by using strikethrough and other scratch-out gesture shapes. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy and choose “All” from the drop-down menu, no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “Tolerant," users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “None,” users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the Gestures tab in Input Panel Options. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ScratchOut | +| Friendly Name | Turn off tolerant and Z-shaped scratch-out gestures | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | ScratchOutState | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-clouddesktop.md b/windows/client-management/mdm/policy-csp-clouddesktop.md new file mode 100644 index 0000000000..c0907eacb8 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-clouddesktop.md @@ -0,0 +1,80 @@ +--- +title: CloudDesktop Policy CSP +description: Learn more about the CloudDesktop Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 11/22/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - CloudDesktop + + + + + + +## BootToCloudMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/CloudDesktop/BootToCloudMode +``` + + + +This policy is used by IT admin to set the configuration mode of cloud PC. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | +| Dependency [OverrideShellProgramDependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/WindowsLogon/OverrideShellProgram`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
| + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not Configured | +| 1 | Enable Boot to Cloud Desktop | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-cloudpc.md b/windows/client-management/mdm/policy-csp-cloudpc.md new file mode 100644 index 0000000000..0c497a0c4e --- /dev/null +++ b/windows/client-management/mdm/policy-csp-cloudpc.md @@ -0,0 +1,79 @@ +--- +title: CloudPC Policy CSP +description: Learn more about the CloudPC Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 11/02/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - CloudPC + + + + + + +## CloudPCConfiguration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/CloudPC/CloudPCConfiguration +``` + + + +This policy is used by IT admin to set the configuration mode of cloud PC. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Fast Switching Configuration. | +| 1 | Boot to cloud PC Configuration. | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index c23b7be9a8..efc7a8a312 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -1,2439 +1,2794 @@ --- -title: Policy CSP - Defender -description: Learn how to use the Policy CSP - Defender setting so you can allow or disallow scanning of archives. +title: Defender Policy CSP +description: Learn more about the Defender Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 11/02/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 05/12/2022 -ms.reviewer: -manager: aaroncz -ms.collection: highpri +ms.topic: reference --- + + + # Policy CSP - Defender + + + + + +## AllowArchiveScanning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowArchiveScanning +``` + + + +This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. + +If you enable or do not configure this setting, archive files will be scanned. + +If you disable this setting, archive files will not be scanned. However, archives are always scanned during directed scans. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. Turns off scanning on archived files. | +| 1 (Default) | Allowed. Scans the archive files. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableArchiveScanning | +| Friendly Name | Scan archive files | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableArchiveScanning | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowBehaviorMonitoring + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - -
- - -## Defender policies - -
-
- Defender/AllowArchiveScanning -
-
- Defender/AllowBehaviorMonitoring -
-
- Defender/AllowCloudProtection -
-
- Defender/AllowEmailScanning -
-
- Defender/AllowFullScanOnMappedNetworkDrives -
-
- Defender/AllowFullScanRemovableDriveScanning -
-
- Defender/AllowIOAVProtection -
-
- Defender/AllowOnAccessProtection -
-
- Defender/AllowRealtimeMonitoring -
-
- Defender/AllowScanningNetworkFiles -
-
- Defender/AllowScriptScanning -
-
- Defender/AllowUserUIAccess -
-
- Defender/AttackSurfaceReductionOnlyExclusions -
-
- Defender/AttackSurfaceReductionRules -
-
- Defender/AvgCPULoadFactor -
-
- Defender/CheckForSignaturesBeforeRunningScan -
-
- Defender/CloudBlockLevel -
-
- Defender/CloudExtendedTimeout -
-
- Defender/ControlledFolderAccessAllowedApplications -
-
- Defender/ControlledFolderAccessProtectedFolders -
-
- Defender/DaysToRetainCleanedMalware -
-
- Defender/DisableCatchupFullScan -
-
- Defender/DisableCatchupQuickScan -
-
- Defender/EnableControlledFolderAccess -
-
- Defender/EnableLowCPUPriority -
-
- Defender/EnableNetworkProtection -
-
- Defender/ExcludedExtensions -
-
- Defender/ExcludedPaths -
-
- Defender/ExcludedProcesses -
-
- Defender/PUAProtection -
-
- Defender/RealTimeScanDirection -
-
- Defender/ScanParameter -
-
- Defender/ScheduleQuickScanTime -
-
- Defender/ScheduleScanDay -
-
- Defender/ScheduleScanTime -
-
- Defender/SecurityIntelligenceLocation -
-
- Defender/SignatureUpdateFallbackOrder -
-
- Defender/SignatureUpdateFileSharesSources -
-
- Defender/SignatureUpdateInterval -
-
- Defender/SubmitSamplesConsent -
-
- Defender/ThreatSeverityDefaultAction -
-
- - -
- - -**Defender/AllowArchiveScanning** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -Allows or disallows scanning of archives. - - - -ADMX Info: -- GP Friendly name: *Scan archive files* -- GP name: *Scan_DisableArchiveScanning* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. Turns off scanning on archived files. -- 1 (default) – Allowed. Scans the archive files. - - - - -
- - -**Defender/AllowBehaviorMonitoring** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -Allows or disallows Windows Defender Behavior Monitoring functionality. - - - -ADMX Info: -- GP Friendly name: *Turn on behavior monitoring* -- GP name: *RealtimeProtection_DisableBehaviorMonitoring* -- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. Turns off behavior monitoring. -- 1 (default) – Allowed. Turns on real-time behavior monitoring. - - - - -
- - -**Defender/AllowCloudProtection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. - - - -ADMX Info: -- GP Friendly name: *Join Microsoft MAPS* -- GP name: *SpynetReporting* -- GP element: *SpynetReporting* -- GP path: *Windows Components/Microsoft Defender Antivirus/MAPS* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. Turns off the Microsoft Active Protection Service. -- 1 (default) – Allowed. Turns on the Microsoft Active Protection Service. - - - - -
- - -**Defender/AllowEmailScanning** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows or disallows scanning of email. - - - -ADMX Info: -- GP Friendly name: *Turn on e-mail scanning* -- GP name: *Scan_DisableEmailScanning* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 (default) – Not allowed. Turns off email scanning. -- 1 – Allowed. Turns on email scanning. - - - - -
- - -**Defender/AllowFullScanOnMappedNetworkDrives** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows or disallows a full scan of mapped network drives. - - - -ADMX Info: -- GP Friendly name: *Run full scan on mapped network drives* -- GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 (default) – Not allowed. Disables scanning on mapped network drives. -- 1 – Allowed. Scans mapped network drives. - - - - -
- - -**Defender/AllowFullScanRemovableDriveScanning** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows or disallows a full scan of removable drives. During a quick scan, removable drives may still be scanned. - - - -ADMX Info: -- GP Friendly name: *Scan removable drives* -- GP name: *Scan_DisableRemovableDriveScanning* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. Turns off scanning on removable drives. -- 1 (default) – Allowed. Scans removable drives. - - - - -
- - -**Defender/AllowIOAVProtection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows or disallows Windows Defender IOAVP Protection functionality. - - - -ADMX Info: -- GP Friendly name: *Scan all downloaded files and attachments* -- GP name: *RealtimeProtection_DisableIOAVProtection* -- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
- - -**Defender/AllowOnAccessProtection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows or disallows Windows Defender On Access Protection functionality. - - - -ADMX Info: -- GP Friendly name: *Monitor file and program activity on your computer* -- GP name: *RealtimeProtection_DisableOnAccessProtection* -- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -> [!IMPORTANT] -> AllowOnAccessProtection is officially being deprecated. - -
- - -**Defender/AllowRealtimeMonitoring** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows or disallows Windows Defender real-time Monitoring functionality. - - - -ADMX Info: -- GP Friendly name: *Turn off real-time protection* -- GP name: *DisableRealtimeMonitoring* -- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. Turns off the real-time monitoring service. -- 1 (default) – Allowed. Turns on and runs the real-time monitoring service. - - - - -
- - -**Defender/AllowScanningNetworkFiles** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows or disallows a scanning of network files. - - - -ADMX Info: -- GP Friendly name: *Scan network files* -- GP name: *Scan_DisableScanningNetworkFiles* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. Turns off scanning of network files. -- 1 (default) – Allowed. Scans network files. - - - - -
- - -**Defender/AllowScriptScanning** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowBehaviorMonitoring +``` + + + +This policy setting allows you to configure behavior monitoring. + +If you enable or do not configure this setting, behavior monitoring will be enabled. + +If you disable this setting, behavior monitoring will be disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. Turns off behavior monitoring. | +| 1 (Default) | Allowed. Turns on real-time behavior monitoring. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_DisableBehaviorMonitoring | +| Friendly Name | Turn on behavior monitoring | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableBehaviorMonitoring | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowCloudProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowCloudProtection +``` + + + +This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. + +You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you. + +Possible options are: +(0x0) Disabled (default) +(0x1) Basic membership +(0x2) Advanced membership + +Basic membership will send basic information to Microsoft about software that has been detected, including where the software came from, the actions that you apply or that are applied automatically, and whether the actions were successful. + +Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer. + +If you enable this setting, you will join Microsoft MAPS with the membership specified. + +If you disable or do not configure this setting, you will not join Microsoft MAPS. + +In Windows 10, Basic membership is no longer available, so setting the value to 1 or 2 enrolls the device into Advanced membership. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. Turns off the Microsoft Active Protection Service. | +| 1 (Default) | Allowed. Turns on the Microsoft Active Protection Service. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SpynetReporting | +| Friendly Name | Join Microsoft MAPS | +| Element Name | Join Microsoft MAPS | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > MAPS | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet | +| Registry Value Name | SpynetReporting | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowEmailScanning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowEmailScanning +``` + + + +This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). Email scanning is not supported on modern email clients. + +If you enable this setting, e-mail scanning will be enabled. + +If you disable or do not configure this setting, e-mail scanning will be disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. Turns off email scanning. | +| 1 | Allowed. Turns on email scanning. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableEmailScanning | +| Friendly Name | Turn on e-mail scanning | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableEmailScanning | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowFullScanOnMappedNetworkDrives + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowFullScanOnMappedNetworkDrives +``` + + + +This policy setting allows you to configure scanning mapped network drives. + +If you enable this setting, mapped network drives will be scanned. + +If you disable or do not configure this setting, mapped network drives will not be scanned. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. Disables scanning on mapped network drives. | +| 1 | Allowed. Scans mapped network drives. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableScanningMappedNetworkDrivesForFullScan | +| Friendly Name | Run full scan on mapped network drives | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableScanningMappedNetworkDrivesForFullScan | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowFullScanRemovableDriveScanning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowFullScanRemovableDriveScanning +``` + + + +This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. + +If you enable this setting, removable drives will be scanned during any type of scan. + +If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. Turns off scanning on removable drives. | +| 1 (Default) | Allowed. Scans removable drives. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableRemovableDriveScanning | +| Friendly Name | Scan removable drives | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableRemovableDriveScanning | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowIntrusionPreventionSystem + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowIntrusionPreventionSystem +``` + + + +Allows or disallows Windows Defender Intrusion Prevention functionality. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowIOAVProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowIOAVProtection +``` + + + +This policy setting allows you to configure scanning for all downloaded files and attachments. + +If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. + +If you disable this setting, scanning for all downloaded files and attachments will be disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_DisableIOAVProtection | +| Friendly Name | Scan all downloaded files and attachments | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableIOAVProtection | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowOnAccessProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowOnAccessProtection +``` + + + +This policy setting allows you to configure monitoring for file and program activity. + +If you enable or do not configure this setting, monitoring for file and program activity will be enabled. + +If you disable this setting, monitoring for file and program activity will be disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_DisableOnAccessProtection | +| Friendly Name | Monitor file and program activity on your computer | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableOnAccessProtection | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowRealtimeMonitoring + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring +``` + + + +This policy turns off real-time protection in Microsoft Defender Antivirus. + +Real-time protection consists of always-on scanning with file and process behavior monitoring and heuristics. When real-time protection is on, Microsoft Defender Antivirus detects malware and potentially unwanted software that attempts to install itself or run on your device, and prompts you to take action on malware detections. + +If you enable this policy setting, real-time protection is turned off. + +If you either disable or do not configure this policy setting, real-time protection is turned on. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. Turns off the real-time monitoring service. | +| 1 (Default) | Allowed. Turns on and runs the real-time monitoring service. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableRealtimeMonitoring | +| Friendly Name | Turn off real-time protection | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableRealtimeMonitoring | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowScanningNetworkFiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowScanningNetworkFiles +``` + + + +This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. + +If you enable this setting, network files will be scanned. + +If you disable or do not configure this setting, network files will not be scanned. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. Turns off scanning of network files. | +| 1 | Allowed. Scans network files. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableScanningNetworkFiles | +| Friendly Name | Scan network files | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableScanningNetworkFiles | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowScriptScanning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowScriptScanning +``` + + + Allows or disallows Windows Defender Script Scanning functionality. - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
- - -**Defender/AllowUserUIAccess** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows or disallows user access to the Windows Defender UI. I disallowed, all Windows Defender notifications will also be suppressed. - - - -ADMX Info: -- GP Friendly name: *Enable headless UI mode* -- GP name: *UX_Configuration_UILockdown* -- GP path: *Windows Components/Microsoft Defender Antivirus/Client Interface* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. Prevents users from accessing UI. -- 1 (default) – Allowed. Lets users access UI. - - - - -
- - -**Defender/AttackSurfaceReductionOnlyExclusions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". - -Value type is string. - - - -ADMX Info: -- GP Friendly name: *Exclude files and paths from Attack Surface Reduction Rules* -- GP name: *ExploitGuard_ASR_ASROnlyExclusions* -- GP element: *ExploitGuard_ASR_ASROnlyExclusions* -- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction* -- GP ADMX file name: *WindowsDefender.admx* - - - - -
- - -**Defender/AttackSurfaceReductionRules** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -This policy setting enables setting the state (Block/Audit/Off) for each attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. - -For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction). - -Value type is string. - - - -ADMX Info: -- GP Friendly name: *Configure Attack Surface Reduction rules* -- GP name: *ExploitGuard_ASR_Rules* -- GP element: *ExploitGuard_ASR_Rules* -- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction* -- GP ADMX file name: *WindowsDefender.admx* - - - - -
- - -**Defender/AvgCPULoadFactor** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Represents the average CPU load factor for the Windows Defender scan (in percent). - -The default value is 50. - - - -ADMX Info: -- GP Friendly name: *Specify the maximum percentage of CPU utilization during a scan* -- GP name: *Scan_AvgCPULoadFactor* -- GP element: *Scan_AvgCPULoadFactor* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -Valid values: 0–100 - - - - -
- - -**Defender/CheckForSignaturesBeforeRunningScan** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. - -This setting applies to scheduled scans and the command line "mpcmdrun -SigUpdate", but it has no effect on scans initiated manually from the user interface. - -If you enable this setting, a check for new definitions will occur before running a scan. - -If you disable this setting or don't configure this setting, the scan will start using the existing definitions. - -Supported values: - -- 0 (default) - Disabled -- 1 - Enabled - -OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/CheckForSignaturesBeforeRunningScan - - - -ADMX Info: -- GP Friendly name: *Check for the latest virus and spyware definitions before running a scheduled scan* -- GP name: *CheckForSignaturesBeforeRunningScan* -- GP element: *CheckForSignaturesBeforeRunningScan* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - - - - - - - - - - - -
- - -**Defender/CloudBlockLevel** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. - -If this setting is on, Microsoft Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. - -For more information about specific values that are supported, see the Microsoft Defender Antivirus documentation site. - -> [!NOTE] -> This feature requires the "Join Microsoft MAPS" setting enabled in order to function. - - - -ADMX Info: -- GP Friendly name: *Select cloud protection level* -- GP name: *MpEngine_MpCloudBlockLevel* -- GP element: *MpCloudBlockLevel* -- GP path: *Windows Components/Microsoft Defender Antivirus/MpEngine* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0x0 - Default windows defender blocking level -- 0x2 - High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives)       -- 0x4 - High+ blocking level – aggressively block unknowns and apply more protection measures (may impact  client performance) -- 0x6 - Zero tolerance blocking level – block all unknown executables - - - - -
- - -**Defender/CloudExtendedTimeout** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. - -The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an extra 50 seconds. - -For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. - -> [!NOTE] -> This feature depends on three other MAPS settings the must all be enabled- "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required". - - - -ADMX Info: -- GP Friendly name: *Configure extended cloud check* -- GP name: *MpEngine_MpBafsExtendedTimeout* -- GP element: *MpBafsExtendedTimeout* -- GP path: *Windows Components/Microsoft Defender Antivirus/MpEngine* -- GP ADMX file name: *WindowsDefender.admx* - - - - -
- - -**Defender/ControlledFolderAccessAllowedApplications** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications. - -Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it won't be necessary to add entries. Microsoft Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator. - - - -ADMX Info: -- GP Friendly name: *Configure allowed applications* -- GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications* -- GP element: *ExploitGuard_ControlledFolderAccess_AllowedApplications* -- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* -- GP ADMX file name: *WindowsDefender.admx* - - - - -
- - -**Defender/ControlledFolderAccessProtectedFolders** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders. - -This policy setting allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can't be changed. Value type is string. Use the | as the substring separator. - - - -ADMX Info: -- GP Friendly name: *Configure protected folders* -- GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders* -- GP element: *ExploitGuard_ControlledFolderAccess_ProtectedFolders* -- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* -- GP ADMX file name: *WindowsDefender.admx* - - - - -
- - -**Defender/DaysToRetainCleanedMalware** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Time period (in days) that quarantine items will be stored on the system. - -The default value is 0, which keeps items in quarantine, and doesn't automatically remove them. - - - -ADMX Info: -- GP Friendly name: *Configure removal of items from Quarantine folder* -- GP name: *Quarantine_PurgeItemsAfterDelay* -- GP element: *Quarantine_PurgeItemsAfterDelay* -- GP path: *Windows Components/Microsoft Defender Antivirus/Quarantine* -- GP ADMX file name: *WindowsDefender.admx* - - - -Valid values: 0–90 - - - - -
- - -**Defender/DisableCatchupFullScan** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowUserUIAccess + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowUserUIAccess +``` + + + +This policy setting allows you to configure whether or not to display AM UI to the users. +If you enable this setting AM UI won't be available to users. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. Prevents users from accessing UI. | +| 1 (Default) | Allowed. Lets users access UI. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | UX_Configuration_UILockdown | +| Friendly Name | Enable headless UI mode | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Client Interface | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\UX Configuration | +| Registry Value Name | UILockdown | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AttackSurfaceReductionOnlyExclusions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions +``` + + + +Exclude files and paths from Attack Surface Reduction (ASR) rules. + +Enabled: +Specify the folders or files and resources that should be excluded from ASR rules in the Options section. +Enter each rule on a new line as a name-value pair: +- Name column: Enter a folder path or a fully qualified resource name. For example, ""C:\Windows"" will exclude all files in that directory. ""C:\Windows\App.exe"" will exclude only that specific file in that specific folder +- Value column: Enter ""0"" for each item + +Disabled: +No exclusions will be applied to the ASR rules. + +Not configured: +Same as Disabled. + +You can configure ASR rules in the Configure Attack Surface Reduction rules GP setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ExploitGuard_ASR_ASROnlyExclusions | +| Friendly Name | Exclude files and paths from Attack Surface Reduction Rules | +| Element Name | Exclusions from ASR rules | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR | +| Registry Value Name | ExploitGuard_ASR_ASROnlyExclusions | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AttackSurfaceReductionRules + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules +``` + + + +Set the state for each Attack Surface Reduction (ASR) rule. + +After enabling this setting, you can set each rule to the following in the Options section: +- Block: the rule will be applied +- Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied) +- Off: the rule will not be applied +- Not Configured: the rule is enabled with default values +- Warn: the rule will be applied and the end-user will have the option to bypass the block + +Unless the ASR rule is disabled, a subsample of audit events are collected for ASR rules will the value of not configured. + +Enabled: +Specify the state for each ASR rule under the Options section for this setting. +Enter each rule on a new line as a name-value pair: +- Name column: Enter a valid ASR rule ID +- Value column: Enter the status ID that relates to state you want to specify for the associated rule + +The following status IDs are permitted under the value column: +- 1 (Block) +- 0 (Off) +- 2 (Audit) +- 5 (Not Configured) +- 6 (Warn) + + +Example: +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2 + +Disabled: +No ASR rules will be configured. + +Not configured: +Same as Disabled. + +You can exclude folders or files in the ""Exclude files and paths from Attack Surface Reduction Rules"" GP setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ExploitGuard_ASR_Rules | +| Friendly Name | Configure Attack Surface Reduction rules | +| Element Name | Set the state for each ASR rule | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR | +| Registry Value Name | ExploitGuard_ASR_Rules | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AvgCPULoadFactor + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AvgCPULoadFactor +``` + + + +This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization. The default value is 50. + +If you enable this setting, CPU utilization will not exceed the percentage specified. + +If you disable or do not configure this setting, CPU utilization will not exceed the default value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-100]` | +| Default Value | 50 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_AvgCPULoadFactor | +| Friendly Name | Specify the maximum percentage of CPU utilization during a scan | +| Element Name | Specify the maximum percentage of CPU utilization during a scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | AvgCPULoadFactor | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## CheckForSignaturesBeforeRunningScan + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/CheckForSignaturesBeforeRunningScan +``` + + + +This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur before running a scan. + +This setting applies to scheduled scans, but it has no effect on scans initiated manually from the user interface or to the ones started from the command line using "mpcmdrun -Scan". + +If you enable this setting, a check for new security intelligence will occur before running a scan. + +If you disable this setting or do not configure this setting, the scan will start using the existing security intelligence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled | +| 1 | Enabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CheckForSignaturesBeforeRunningScan | +| Friendly Name | Check for the latest virus and spyware security intelligence before running a scheduled scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | CheckForSignaturesBeforeRunningScan | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## CloudBlockLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/CloudBlockLevel +``` + + + +This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see the Windows Defender Antivirus documentation site. NoteThis feature requires the Join Microsoft MAPS setting enabled in order to function. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | NotConfigured | +| 2 | High | +| 4 | HighPlus | +| 6 | ZeroTolerance | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | MpCloudBlockLevel | +| Friendly Name | Select cloud protection level | +| Element Name | Select cloud blocking level | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > MpEngine | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\MpEngine | +| Registry Value Name | MpCloudBlockLevel | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## CloudExtendedTimeout + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/CloudExtendedTimeout +``` + + + +This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. NoteThis feature depends on three other MAPS settings the must all be enabled- Configure the 'Block at First Sight' feature; Join Microsoft MAPS; Send file samples when further analysis is required. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-50]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | MpBafsExtendedTimeout | +| Friendly Name | Configure extended cloud check | +| Element Name | Specify the extended cloud check time in seconds | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > MpEngine | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\MpEngine | +| Registry Value Name | MpBafsExtendedTimeout | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ControlledFolderAccessAllowedApplications + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ControlledFolderAccessAllowedApplications +``` + + + +Add additional applications that should be considered "trusted" by controlled folder access. + +These applications are allowed to modify or delete files in controlled folder access folders. + +Microsoft Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add additional applications. + +Enabled: +Specify additional allowed applications in the Options section.. + +Disabled: +No additional applications will be added to the trusted list. + +Not configured: +Same as Disabled. + +You can enable controlled folder access in the Configure controlled folder access GP setting. + +Default system folders are automatically guarded, but you can add folders in the configure protected folders GP setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ExploitGuard_ControlledFolderAccess_AllowedApplications | +| Friendly Name | Configure allowed applications | +| Element Name | Enter the applications that should be trusted | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access | +| Registry Value Name | ExploitGuard_ControlledFolderAccess_AllowedApplications | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ControlledFolderAccessProtectedFolders + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ControlledFolderAccessProtectedFolders +``` + + + +Specify additional folders that should be guarded by the Controlled folder access feature. + +Files in these folders cannot be modified or deleted by untrusted applications. + +Default system folders are automatically protected. You can configure this setting to add additional folders. +The list of default system folders that are protected is shown in Windows Security. + +Enabled: +Specify additional folders that should be protected in the Options section. + +Disabled: +No additional folders will be protected. + +Not configured: +Same as Disabled. + +You can enable controlled folder access in the Configure controlled folder access GP setting. + +Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ExploitGuard_ControlledFolderAccess_ProtectedFolders | +| Friendly Name | Configure protected folders | +| Element Name | Enter the folders that should be guarded | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access | +| Registry Value Name | ExploitGuard_ControlledFolderAccess_ProtectedFolders | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## DaysToRetainCleanedMalware + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/DaysToRetainCleanedMalware +``` + + + +This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. + +If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. + +If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-90]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Quarantine_PurgeItemsAfterDelay | +| Friendly Name | Configure removal of items from Quarantine folder | +| Element Name | Configure removal of items from Quarantine folder | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Quarantine | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Quarantine | +| Registry Value Name | PurgeItemsAfterDelay | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## DisableCatchupFullScan + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/DisableCatchupFullScan +``` + + + This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. -If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone signs in to the computer. If there's no scheduled scan configured, there will be no catch-up scan run. +If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. -If you disable or don't configure this setting, catch-up scans for scheduled full scans will be turned off. +If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off. + -Supported values: + + + -- 1 - Disabled (default) -- 0 - Enabled + +**Description framework properties**: -OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/DisableCatchupFullScan +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - -ADMX Info: -- GP Friendly name: *Turn on catch-up full scan* -- GP name: *Scan_DisableCatchupFullScan* -- GP element: *Scan_DisableCatchupFullScan* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Enabled | +| 1 (Default) | Disabled | + - - + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | Scan_DisableCatchupFullScan | +| Friendly Name | Turn on catch-up full scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableCatchupFullScan | +| ADMX File Name | WindowsDefender.admx | + - - + + + -
+ - -**Defender/DisableCatchupQuickScan** + +## DisableCatchupQuickScan - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/DisableCatchupQuickScan +``` + + + +This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. + +If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. + +If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Enabled | +| 1 (Default) | Disabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableCatchupQuickScan | +| Friendly Name | Turn on catch-up quick scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableCatchupQuickScan | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## EnableControlledFolderAccess + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/EnableControlledFolderAccess +``` + + + +Enable or disable controlled folder access for untrusted applications. You can choose to block, audit, or allow attempts by untrusted apps to: +- Modify or delete files in protected folders, such as the Documents folder +- Write to disk sectors + +You can also choose to only block or audit writes to disk sectors while still allowing the modification or deletion of files in protected folders. + +Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting. +Default system folders are automatically protected, but you can add folders in the Configure protected folders GP setting. + +Block: +The following will be blocked: +- Attempts by untrusted apps to modify or delete files in protected folders +- Attempts by untrusted apps to write to disk sectors +The Windows event log will record these blocks under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123. - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. - -If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone signs in to the computer. If there's no scheduled scan configured, there will be no catch-up scan run. - -If you disable or don't configure this setting, catch-up scans for scheduled quick scans will be turned off. - -Supported values: - -- 1 - Disabled (default) -- 0 - Enabled - -OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/DisableCatchupQuickScan - - - -ADMX Info: -- GP Friendly name: *Turn on catch-up quick scan* -- GP name: *Scan_DisableCatchupQuickScan* -- GP element: *Scan_DisableCatchupQuickScan* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - - - - - - - - - - - -
- - -**Defender/EnableControlledFolderAccess** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Disabled: +The following will not be blocked and will be allowed to run: +- Attempts by untrusted apps to modify or delete files in protected folders +- Attempts by untrusted apps to write to disk sectors +These attempts will not be recorded in the Windows event log. - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess. - -This policy enables setting the state (On/Off/Audit) for the controlled folder access feature. The controlled folder access feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. - - - -ADMX Info: -- GP Friendly name: *Configure Controlled folder access* -- GP name: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess* -- GP element: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess* -- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 (default) - Disabled -- 1 - Enabled -- 2 - Audit Mode - - - - -
- - -**Defender/EnableLowCPUPriority** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Audit Mode: +The following will not be blocked and will be allowed to run: +- Attempts by untrusted apps to modify or delete files in protected folders +- Attempts by untrusted apps to write to disk sectors +The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124. - -
+Block disk modification only: +The following will be blocked: +- Attempts by untrusted apps to write to disk sectors +The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +The following will not be blocked and will be allowed to run: +- Attempts by untrusted apps to modify or delete files in protected folders +These attempts will not be recorded in the Windows event log. -> [!div class = "checklist"] -> * Device -
+Audit disk modification only: +The following will not be blocked and will be allowed to run: +- Attempts by untrusted apps to write to disk sectors +- Attempts by untrusted apps to modify or delete files in protected folders +Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124). +Attempts to modify or delete files in protected folders will not be recorded. - - +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled | +| 1 | Enabled | +| 2 | Audit Mode | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess | +| Friendly Name | Configure Controlled folder access | +| Element Name | Configure the guard my folders feature | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access | +| Registry Value Name | EnableControlledFolderAccess | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## EnableLowCPUPriority + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/EnableLowCPUPriority +``` + + + This policy setting allows you to enable or disable low CPU priority for scheduled scans. If you enable this setting, low CPU priority will be used during scheduled scans. -If you disable or don't configure this setting, no changes will be made to CPU priority for scheduled scans. - -Supported values: - -- 0 - Disabled (default) -- 1 - Enabled - - - -ADMX Info: -- GP Friendly name: *Configure low CPU priority for scheduled scans* -- GP name: *Scan_LowCpuPriority* -- GP element: *Scan_LowCpuPriority* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - - - - - - - - - - - -
- - -**Defender/EnableNetworkProtection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -This policy allows you to turn on network protection (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This protection includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. - -If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit. -If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You'll be able to see this activity in Windows Defender Security Center. -If you enable this policy with the ""Audit"" option, users/apps won't be blocked from connecting to dangerous domains. However, you'll still see this activity in Windows Defender Security Center. -If you disable this policy, users/apps won't be blocked from connecting to dangerous domains. You'll not see any network activity in Windows Defender Security Center. -If you don't configure this policy, network blocking will be disabled by default. - - - -ADMX Info: -- GP Friendly name: *Prevent users and apps from accessing dangerous websites* -- GP name: *ExploitGuard_EnableNetworkProtection* -- GP element: *ExploitGuard_EnableNetworkProtection* -- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Network Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 (default) - Disabled -- 1 - Enabled (block mode) -- 2 - Enabled (audit mode) - - - - -
- - -**Defender/ExcludedExtensions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj". - - - -ADMX Info: -- GP Friendly name: *Path Exclusions* -- GP name: *Exclusions_Paths* -- GP element: *Exclusions_PathsList* -- GP path: *Windows Components/Microsoft Defender Antivirus/Exclusions* -- GP ADMX file name: *WindowsDefender.admx* - - - - -
- - -**Defender/ExcludedPaths** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1". - - - -ADMX Info: -- GP Friendly name: *Extension Exclusions* -- GP name: *Exclusions_Extensions* -- GP element: *Exclusions_ExtensionsList* -- GP path: *Windows Components/Microsoft Defender Antivirus/Exclusions* -- GP ADMX file name: *WindowsDefender.admx* - - - - -
- - -**Defender/ExcludedProcesses** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows an administrator to specify a list of files opened by processes to ignore during a scan. - -> [!IMPORTANT] -> The process itself is not excluded from the scan, but can be by using the **Defender/ExcludedPaths** policy to exclude its path. - -Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe". - - - -ADMX Info: -- GP Friendly name: *Process Exclusions* -- GP name: *Exclusions_Processes* -- GP element: *Exclusions_ProcessesList* -- GP path: *Windows Components/Microsoft Defender Antivirus/Exclusions* -- GP ADMX file name: *WindowsDefender.admx* - - - - -
- - -**Defender/PUAProtection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. - -> [!NOTE] -> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. For more information about PUA, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). - - - -ADMX Info: -- GP Friendly name: *Configure detection for potentially unwanted applications* -- GP name: *Root_PUAProtection* -- GP element: *Root_PUAProtection* -- GP path: *Windows Components/Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 (default) – PUA Protection off. Windows Defender won't protect against potentially unwanted applications. -- 1 – PUA Protection on. Detected items are blocked. They'll show in history along with other threats. -- 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer. - - - - -
- - -**Defender/RealTimeScanDirection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Controls which sets of files should be monitored. - -> [!NOTE] -> If **AllowOnAccessProtection** is not allowed, then this configuration can be used to monitor specific files. - - - -ADMX Info: -- GP Friendly name: *Configure monitoring for incoming and outgoing file and program activity* -- GP name: *RealtimeProtection_RealtimeScanDirection* -- GP element: *RealtimeProtection_RealtimeScanDirection* -- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 (default) – Monitor all files (bi-directional). -- 1 – Monitor incoming files. -- 2 – Monitor outgoing files. - - - - -
- - -**Defender/ScanParameter** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Selects whether to perform a quick scan or full scan. - - - -ADMX Info: -- GP Friendly name: *Specify the scan type to use for a scheduled scan* -- GP name: *Scan_ScanParameters* -- GP element: *Scan_ScanParameters* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 1 (default) – Quick scan -- 2 – Full scan - - - - -
- - -**Defender/ScheduleQuickScanTime** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Selects the time of day that the Windows Defender quick scan should run. The Windows Defender quick scan runs daily if a time is specified. - - - -For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM. - -The default value is 120 - - - -ADMX Info: -- GP Friendly name: *Specify the time for a daily quick scan* -- GP name: *Scan_ScheduleQuickScantime* -- GP element: *Scan_ScheduleQuickScantime* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -Valid values: 0–1380 - - - - -
- - -**Defender/ScheduleScanDay** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Selects the day that the Windows Defender scan should run. - -> [!NOTE] -> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. - - - -ADMX Info: -- GP Friendly name: *Specify the day of the week to run a scheduled scan* -- GP name: *Scan_ScheduleDay* -- GP element: *Scan_ScheduleDay* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 (default) – Every day -- 1 – Sunday -- 2 – Monday -- 3 – Tuesday -- 4 – Wednesday -- 5 – Thursday -- 6 – Friday -- 7 – Saturday -- 8 – No scheduled scan - - - - -
- - -**Defender/ScheduleScanTime** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Selects the time of day that the Windows Defender scan should run. - -> [!NOTE] -> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. - -For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM. - -The default value is 120. - - - -ADMX Info: -- GP Friendly name: *Specify the time of day to run a scheduled scan* -- GP name: *Scan_ScheduleTime* -- GP element: *Scan_ScheduleTime* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -Valid values: 0–1380. - - - - -
- - -**Defender/SecurityIntelligenceLocation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - +If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled | +| 1 | Enabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_LowCpuPriority | +| Friendly Name | Configure low CPU priority for scheduled scans | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | LowCpuPriority | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## EnableNetworkProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection +``` + + + +Enable or disable Microsoft Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet. + +Enabled: +Specify the mode in the Options section: +-Block: Users and applications will not be able to access dangerous domains +-Audit Mode: Users and applications can connect to dangerous domains, however if this feature would have blocked access if it were set to Block, then a record of the event will be in the event logs. + +Disabled: +Users and applications will not be blocked from connecting to dangerous domains. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled | +| 1 | Enabled (block mode) | +| 2 | Enabled (audit mode) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ExploitGuard_EnableNetworkProtection | +| Friendly Name | Prevent users and apps from accessing dangerous websites | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Network Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection | +| Registry Value Name | EnableNetworkProtection | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ExcludedExtensions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedExtensions +``` + + + +Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a |. For example, lib|obj. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Exclusions_Extensions | +| Friendly Name | Extension Exclusions | +| Element Name | Extension Exclusions | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Exclusions | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | +| Registry Value Name | Exclusions_Extensions | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ExcludedPaths + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedPaths +``` + + + +Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a |. For example, C:\Example|C:\Example1. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Exclusions_Paths | +| Friendly Name | Path Exclusions | +| Element Name | Path Exclusions | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Exclusions | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | +| Registry Value Name | Exclusions_Paths | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ExcludedProcesses + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedProcesses +``` + + + +Allows an administrator to specify a list of files opened by processes to ignore during a scan. ImportantThe process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C:\Example. exe|C:\Example1.exe. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Exclusions_Processes | +| Friendly Name | Process Exclusions | +| Element Name | Process Exclusions | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Exclusions | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | +| Registry Value Name | Exclusions_Processes | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## PUAProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/PUAProtection +``` + + + +Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. + +Enabled: +Specify the mode in the Options section: +-Block: Potentially unwanted software will be blocked. +-Audit Mode: Potentially unwanted software will not be blocked, however if this feature would have blocked access if it were set to Block, then a record of the event will be in the event logs. + +Disabled: +Potentially unwanted software will not be blocked. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | PUA Protection off. Windows Defender will not protect against potentially unwanted applications. | +| 1 | PUA Protection on. Detected items are blocked. They will show in history along with other threats. | +| 2 | Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Root_PUAProtection | +| Friendly Name | Configure detection for potentially unwanted applications | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| Registry Value Name | PUAProtection | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## RealTimeScanDirection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/RealTimeScanDirection +``` + + + +This policy setting allows you to configure monitoring for incoming and outgoing files, without having to turn off monitoring entirely. It is recommended for use on servers where there is a lot of incoming and outgoing file activity but for performance reasons need to have scanning disabled for a particular scan direction. The appropriate configuration should be evaluated based on the server role. + +Note that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes. + +The options for this setting are mutually exclusive: +0 = Scan incoming and outgoing files (default) +1 = Scan incoming files only +2 = Scan outgoing files only + +Any other value, or if the value does not exist, resolves to the default (0). + +If you enable this setting, the specified type of monitoring will be enabled. + +If you disable or do not configure this setting, monitoring for incoming and outgoing files will be enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Monitor all files (bi-directional). | +| 1 | Monitor incoming files. | +| 2 | Monitor outgoing files. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_RealtimeScanDirection | +| Friendly Name | Configure monitoring for incoming and outgoing file and program activity | +| Element Name | Configure monitoring for incoming and outgoing file and program activity | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | RealtimeScanDirection | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ScanParameter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ScanParameter +``` + + + +This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are: +1 = Quick Scan (default) +2 = Full Scan + +If you enable this setting, the scan type will be set to the specified value. + +If you disable or do not configure this setting, the default scan type will used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Quick scan | +| 2 | Full scan | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_ScanParameters | +| Friendly Name | Specify the scan type to use for a scheduled scan | +| Element Name | Specify the scan type to use for a scheduled scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | ScanParameters | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ScheduleQuickScanTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ScheduleQuickScanTime +``` + + + +This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to disabled. The schedule is based on local time on the computer where the scan is executing. + +If you enable this setting, a daily quick scan will run at the time of day specified. + +If you disable or do not configure this setting, daily quick scan controlled by this config will not be run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1380]` | +| Default Value | 120 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_ScheduleQuickScantime | +| Friendly Name | Specify the time for a daily quick scan | +| Element Name | Specify the time for a daily quick scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | ScheduleQuickScanTime | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ScheduleScanDay + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ScheduleScanDay +``` + + + +This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. + +This setting can be configured with the following ordinal number values: +(0x0) Every Day +(0x1) Sunday +(0x2) Monday +(0x3) Tuesday +(0x4) Wednesday +(0x5) Thursday +(0x6) Friday +(0x7) Saturday +(0x8) Never (default) + +If you enable this setting, a scheduled scan will run at the frequency specified. + +If you disable or do not configure this setting, a scheduled scan will run at a default frequency. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Every day | +| 1 | Sunday | +| 2 | Monday | +| 3 | Tuesday | +| 4 | Wednesday | +| 5 | Thursday | +| 6 | Friday | +| 7 | Saturday | +| 8 | No scheduled scan | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_ScheduleDay | +| Friendly Name | Specify the day of the week to run a scheduled scan | +| Element Name | Specify the day of the week to run a scheduled scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | ScheduleDay | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ScheduleScanTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ScheduleScanTime +``` + + + +This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing. + +If you enable this setting, a scheduled scan will run at the time of day specified. + +If you disable or do not configure this setting, a scheduled scan will run at a default time. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1380]` | +| Default Value | 120 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_ScheduleTime | +| Friendly Name | Specify the time of day to run a scheduled scan | +| Element Name | Specify the time of day to run a scheduled scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | ScheduleTime | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SecurityIntelligenceLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/SecurityIntelligenceLocation +``` + + + This policy setting allows you to define the security intelligence location for VDI-configured computers. -If you disable or don't configure this setting, security intelligence will be referred from the default local source. - - - -ADMX Info: -- GP Friendly name: *Specify the signature (Security intelligence) delivery optimization for Defender in Virtual Environments* -- GP name: *SecurityIntelligenceLocation* -- GP element: *SecurityIntelligenceLocation* -- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender* -- GP ADMX file name: *WindowsDefender.admx* - - - - -- Empty string - no policy is set -- Non-empty string - the policy is set and security intelligence is gathered from the location. - - - - -
- - -**Defender/SignatureUpdateFallbackOrder** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order. - -Possible values are: - -- InternalDefinitionUpdateServer -- MicrosoftUpdateServer -- MMPC -- FileShares - -For example: InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC - -If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list won't be contacted. - -If you disable or don't configure this setting, definition update sources will be contacted in a default order. - -OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder - - - -ADMX Info: -- GP Friendly name: *Define the order of sources for downloading definition updates* -- GP name: *SignatureUpdate_FallbackOrder* -- GP element: *SignatureUpdate_FallbackOrder* -- GP path: *Windows Components/Microsoft Defender Antivirus/Signature Updates* -- GP ADMX file name: *WindowsDefender.admx* - - - - - - - - - - - - - -
- - -**Defender/SignatureUpdateFileSharesSources** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources. - -For example: \\unc1\Signatures | \\unc2\Signatures - -The list is empty by default. - -If you enable this setting, the specified sources will be contacted for definition updates. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list won't be contacted. - -If you disable or don't configure this setting, the list will remain empty by default and no sources will be contacted. - -OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFileSharesSources - - - -ADMX Info: -- GP Friendly name: *Define file shares for downloading definition updates* -- GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources* -- GP element: *SignatureUpdate_DefinitionUpdateFileSharesSources* -- GP path: *Windows Components/Microsoft Defender Antivirus/Signature Updates* -- GP ADMX file name: *WindowsDefender.admx* - - - - - - - - - - - - - -
- - -**Defender/SignatureUpdateInterval** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. - -A value of 0 means no check for new signatures, a value of 1 means to check every hour, a value of 2 means to check every two hours, and so on, up to a value of 24, which means to check every day. - -The default value is 8. - -OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateInterval - - - -ADMX Info: -- GP Friendly name: *Specify the interval to check for definition updates* -- GP name: *SignatureUpdate_SignatureUpdateInterval* -- GP element: *SignatureUpdate_SignatureUpdateInterval* -- GP path: *Windows Components/Microsoft Defender Antivirus/Signature Updates* -- GP ADMX file name: *WindowsDefender.admx* - - - -Valid values: 0–24. - - - - -
- - -**Defender/SubmitSamplesConsent** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not (and if the user has specified never to ask), the UI is launched to ask for user consent (when **Defender/AllowCloudProtection** is allowed) before sending data. - - - -ADMX Info: -- GP Friendly name: *Send file samples when further analysis is required* -- GP name: *SubmitSamplesConsent* -- GP element: *SubmitSamplesConsent* -- GP path: *Windows Components/Microsoft Defender Antivirus/MAPS* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Always prompt. -- 1 (default) – Send safe samples automatically. -- 2 – Never send. -- 3 – Send all samples automatically. - - - - -
- - -**Defender/ThreatSeverityDefaultAction** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. - -This value is a list of threat severity level IDs and corresponding actions, separated by a | using the format "*threat level*=*action*|*threat level*=*action*". For example, "1=6|2=2|4=10|5=3". - -The following list shows the supported values for threat severity levels: - -- 1 – Low severity threats -- 2 – Moderate severity threats -- 4 – High severity threats -- 5 – Severe threats - -The following list shows the supported values for possible actions: - -- 1 – Clean. Service tries to recover files and try to disinfect. -- 2 – Quarantine. Moves files to quarantine. -- 3 – Remove. Removes files from system. -- 6 – Allow. Allows file/does none of the above actions. -- 8 – User defined. Requires user to make a decision on which action to take. -- 10 – Block. Blocks file execution. - - - -ADMX Info: -- GP Friendly name: *Specify threat alert levels at which default action should not be taken when detected* -- GP name: *Threats_ThreatSeverityDefaultAction* -- GP element: *Threats_ThreatSeverityDefaultActionList* -- GP path: *Windows Components/Microsoft Defender Antivirus/Threats* -- GP ADMX file name: *WindowsDefender.admx* - - - -
- - - - - -## Related topics +If you disable or do not configure this setting, security intelligence will be referred from the default local source. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_SharedSignaturesLocation | +| Friendly Name | Define security intelligence location for VDI clients. | +| Element Name | Define file share for downloading security intelligence updates in virtual environments | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SignatureUpdateFallbackOrder + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder +``` + + + +This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares” + +For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } + +If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. + +If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_FallbackOrder | +| Friendly Name | Define the order of sources for downloading security intelligence updates | +| Element Name | Define the order of sources for downloading security intelligence updates | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SignatureUpdateFileSharesSources + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFileSharesSources +``` + + + +This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default. + +If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. + +If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_DefinitionUpdateFileSharesSources | +| Friendly Name | Define file shares for downloading security intelligence updates | +| Element Name | Define file shares for downloading security intelligence updates | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SignatureUpdateInterval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/SignatureUpdateInterval +``` + + + +This policy setting allows you to specify an interval at which to check for security intelligence updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day). + +If you enable this setting, checks for security intelligence updates will occur at the interval specified. + +If you disable or do not configure this setting, checks for security intelligence updates will occur at the default interval. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-24]` | +| Default Value | 8 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_SignatureUpdateInterval | +| Friendly Name | Specify the interval to check for security intelligence updates | +| Element Name | Specify the interval to check for security intelligence updates | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | SignatureUpdateInterval | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SubmitSamplesConsent + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/SubmitSamplesConsent +``` + + + +This policy setting configures behaviour of samples submission when opt-in for MAPS telemetry is set. + +Possible options are: +(0x0) Always prompt +(0x1) Send safe samples automatically +(0x2) Never send +(0x3) Send all samples automatically + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Always prompt. | +| 1 (Default) | Send safe samples automatically. | +| 2 | Never send. | +| 3 | Send all samples automatically. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SubmitSamplesConsent | +| Friendly Name | Send file samples when further analysis is required | +| Element Name | Send file samples when further analysis is required | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > MAPS | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet | +| Registry Value Name | SubmitSamplesConsent | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ThreatSeverityDefaultAction + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ThreatSeverityDefaultAction +``` + + + +Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. This value is a list of threat severity level IDs and corresponding actions, separated by a | using the format threat level=action|threat level=action. For example, 1=6|2=2|4=10|5=3. The following list shows the supported values for threat severity levels:1 – Low severity threats2 – Moderate severity threats4 – High severity threats5 – Severe threatsThe following list shows the supported values for possible actions:1 – Clean. Service tries to recover files and try to disinfect. 2 – Quarantine. Moves files to quarantine. 3 – Remove. Removes files from system. 6 – Allow. Allows file/does none of the above actions. 8 – User defined. Requires user to make a decision on which action to take. 10 – Block. Blocks file execution. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Threats_ThreatSeverityDefaultAction | +| Friendly Name | Specify threat alert levels at which default action should not be taken when detected | +| Element Name | Specify threat alert levels at which default action should not be taken when detected | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Threats | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Threats | +| Registry Value Name | Threats_ThreatSeverityDefaultAction | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 441350957a..828657eada 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -1457,9 +1457,11 @@ ADMX Info: Set this policy to restrict peer selection via selected option. -Options available are: 1=Subnet mask (more options will be added in a future release). +In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently, the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore it means that there is no peering between subnets. The default value in Windows 11 is set to "Local Peer Discovery". -Option 1 (Subnet mask) applies to both Download Mode LAN (1) and Group (2). +If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). + +The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. @@ -1474,7 +1476,9 @@ ADMX Info: The following list shows the supported values: -- 1 - Subnet mask. +- 0 - NAT +- 1 - Subnet mask +- 2 - Local Peer Discovery diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 8475dbc0d9..ee0b9dac66 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -4426,7 +4426,7 @@ The following list shows the supported values: ADMX Info: - GP Friendly name: *Enable extended hot keys in Internet Explorer mode* - GP name: *EnableExtendedIEModeHotkeys* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* +- GP path: *Windows Components/Internet Explorer/Main* - GP ADMX file name: *inetres.admx* diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index 13fe288906..693f130feb 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -113,7 +113,7 @@ List of exceptions to the blocked website URLs (with wildcard support). This pol -List of blocked website URLs (with wildcard support). This policy is used to configure blocked URLs kiosk browsers can't navigate to. +List of blocked website URLs (with wildcard support). This policy is used to configure blocked URLs kiosk browsers can't navigate to. The delimiter for the URLs is "\uF000" character. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -310,4 +310,4 @@ The value is an int 1-1440 that specifies the number of minutes the session is i ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 32217ff75b..10e2076e07 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -104,11 +104,11 @@ See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configura Example 1: Azure Active Directory focused. -The following example updates the built-in administrators group with Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine. +The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with an Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine. ```xml - + @@ -119,12 +119,12 @@ The following example updates the built-in administrators group with Azure AD ac Example 2: Replace / Restrict the built-in administrators group with an Azure AD user account. > [!NOTE] -> When using ‘R’ replace option to configure the built-in ‘Administrators’ group. It is required to always specify the administrator as a member + any other custom members. This is because the built-in administrator must always be a member of the administrators group. +> When using the ‘R’ replace option to configure the built-in Administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** you should always specify the administrator as a member plus any other custom members. This is necessary because the built-in administrator must always be a member of the administrators group. Example: ```xml - + @@ -134,11 +134,11 @@ Example: Example 3: Update action for adding and removing group members on a hybrid joined machine. -The following example shows how you can update a local group (**Administrators**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add a Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists. +The following example shows how you can update a local group (**Administrators** with the SID **S-1-5-21-2222222222-3333333333-4444444444-500**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add an Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists. ```xml - + diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md index 69fb84b6e9..c7e71ee0cf 100644 --- a/windows/client-management/mdm/policy-csp-msslegacy.md +++ b/windows/client-management/mdm/policy-csp-msslegacy.md @@ -1,211 +1,210 @@ --- -title: Policy CSP - MSSLegacy -description: Learn how Policy CSP - MSSLegacy, an ADMX-backed policy, requires a special SyncML format to enable or disable. +title: MSSLegacy Policy CSP +description: Learn more about the MSSLegacy Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 11/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - MSSLegacy -
- - -## MSSLegacy policies - -
-
- MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes -
-
- MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers -
-
- MSSLegacy/IPSourceRoutingProtectionLevel -
-
- MSSLegacy/IPv6SourceRoutingProtectionLevel -
-
- > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
+ + + - -**MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes** + +## AllowICMPRedirectsToOverrideOSPFGeneratedRoutes - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes +``` + - -
+ + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Allow ICMP redirects to override OSPF generated routes. + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + + + - + + + - -ADMX Info: -- GP name: *Pol_MSS_EnableICMPRedirect* -- GP ADMX file name: *mss-legacy.admx* + - - + +## AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers -
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -**MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers** + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers +``` + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +Allow the computer to ignore NetBIOS name release requests except from WINS servers. + - -
+ +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + + + -
+ + + - - + - + +## IPSourceRoutingProtectionLevel + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -ADMX Info: -- GP name: *Pol_MSS_NoNameReleaseOnDemand* -- GP ADMX file name: *mss-legacy.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSLegacy/IPSourceRoutingProtectionLevel +``` + - - + + + -
+ + +IP source routing protection level (protects against packet spoofing). + - -**MSSLegacy/IPSourceRoutingProtectionLevel** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## IPv6SourceRoutingProtectionLevel -
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSLegacy/IPv6SourceRoutingProtectionLevel +``` + - + + + - -ADMX Info: -- GP name: *Pol_MSS_DisableIPSourceRouting* -- GP ADMX file name: *mss-legacy.admx* + + +IPv6 source routing protection level (protects against packet spoofing). + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**MSSLegacy/IPv6SourceRoutingProtectionLevel** + + + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device +## Related articles -
- - - - - - - -ADMX Info: -- GP name: *Pol_MSS_DisableIPSourceRoutingIPv6* -- GP ADMX file name: *mss-legacy.admx* - - - -
- - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-settingssync.md b/windows/client-management/mdm/policy-csp-settingssync.md new file mode 100644 index 0000000000..3be0b76457 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-settingssync.md @@ -0,0 +1,96 @@ +--- +title: SettingsSync Policy CSP +description: Learn more about the SettingsSync Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 11/29/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - SettingsSync + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + + + +## DisableAccessibilitySettingSync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SettingsSync/DisableAccessibilitySettingSync +``` + + + +Prevent the "accessibility" group from syncing to and from this PC. This turns off and disables the "accessibility" group on the "Windows backup" settings page in PC settings. + +If you enable this policy setting, the "accessibility", group will not be synced. + +Use the option "Allow users to turn accessibility syncing on" so that syncing is turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "accessibility" group is on by default and configurable by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableAccessibilitySettingSync | +| Friendly Name | Do not sync accessibility settings | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableAccessibilitySettingSync | +| ADMX File Name | SettingSync.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-stickers.md b/windows/client-management/mdm/policy-csp-stickers.md new file mode 100644 index 0000000000..9b2eeee68c --- /dev/null +++ b/windows/client-management/mdm/policy-csp-stickers.md @@ -0,0 +1,79 @@ +--- +title: Stickers Policy CSP +description: Learn more about the Stickers Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 11/02/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - Stickers + + + + + + +## EnableStickers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Stickers/EnableStickers +``` + + + +This policy setting allows you to control whether you want to allow stickers to be edited and placed on Desktop + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md b/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md new file mode 100644 index 0000000000..0ab6c560aa --- /dev/null +++ b/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md @@ -0,0 +1,80 @@ +--- +title: TenantDefinedTelemetry Policy CSP +description: Learn more about the TenantDefinedTelemetry Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 11/02/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - TenantDefinedTelemetry + + + + + + +## CustomTelemetryId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TenantDefinedTelemetry/CustomTelemetryId +``` + + + +This policy is used to let mission control what type of Edition we are currently in. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Base | +| 1 | Education | +| 2 | Commercial | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-tenantrestrictions.md b/windows/client-management/mdm/policy-csp-tenantrestrictions.md new file mode 100644 index 0000000000..936808277a --- /dev/null +++ b/windows/client-management/mdm/policy-csp-tenantrestrictions.md @@ -0,0 +1,98 @@ +--- +title: TenantRestrictions Policy CSP +description: Learn more about the TenantRestrictions Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 11/29/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - TenantRestrictions + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + + + +## ConfigureTenantRestrictions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.320] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1320] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1320] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1320] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TenantRestrictions/ConfigureTenantRestrictions +``` + + + +This setting enables and configures the device-based tenant restrictions feature for Azure Active Directory. + +When you enable this setting, compliant applications will be prevented from accessing disallowed tenants, according to a policy set in your Azure AD tenant. + +Note: Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Azure AD Tenant Restrictions for more details. + +https://go.microsoft.com/fwlink/?linkid=2148762 + +Before enabling firewall protection, ensure that a Windows Defender Application Control (WDAC) policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding WDAC policy will prevent all applications from reaching Microsoft endpoints. This firewall setting is not supported on all versions of Windows - see the following link for more information. +For details about setting up WDAC with tenant restrictions, see https://go.microsoft.com/fwlink/?linkid=2155230 + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | trv2_payload | +| Friendly Name | Cloud Policy Details | +| Location | Computer Configuration | +| Path | Windows Components > Tenant Restrictions | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload | +| ADMX File Name | TenantRestrictions.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 7af2d1affc..33e709f97a 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -1,267 +1,264 @@ --- -title: Policy CSP - WindowsLogon -description: Use the Policy CSP - WindowsLogon setting to control whether a device automatically signs in and locks the last interactive user after the system restarts. +title: WindowsLogon Policy CSP +description: Learn more about the WindowsLogon Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 11/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - WindowsLogon -
- - -## WindowsLogon policies - -
-
- WindowsLogon/AllowAutomaticRestartSignOn -
-
- WindowsLogon/ConfigAutomaticRestartSignOn -
-
- WindowsLogon/DisableLockScreenAppNotifications -
-
- WindowsLogon/DontDisplayNetworkSelectionUI -
-
- WindowsLogon/EnableFirstLogonAnimation -
-
- WindowsLogon/EnableMPRNotifications -
-
- WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers -
-
- WindowsLogon/HideFastUserSwitching -
-
- > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
+ + + - -**WindowsLogon/AllowAutomaticRestartSignOn** + +## AllowAutomaticRestartSignOn - -The table below shows the applicability of Windows: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn +``` + - -
+ +This policy setting controls whether a device will automatically sign in and lock the last interactive user after the system restarts or after a shutdown and cold boot. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +This only occurs if the last interactive user didn’t sign out before the restart or shutdown.​ -> [!div class = "checklist"] -> * Device +If the device is joined to Active Directory or Azure Active Directory, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns.​ -
+If you don’t configure this policy setting, it is enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.​ - - -This policy setting controls whether a device automatically signs in and locks the last interactive user after the system restarts or after a shutdown and cold boot. +After enabling this policy, you can configure its settings through the ConfigAutomaticRestartSignOn policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot​. -This scenario occurs only if the last interactive user didn't sign out before the restart or shutdown.​ +If you disable this policy setting, the device does not configure automatic sign in. The user’s lock screen apps are not restarted after the system restarts. + -If the device is joined to Active Directory or Azure Active Directory, this policy applies only to Windows Update restarts. Otherwise, this policy applies to both Windows Update restarts and user-initiated restarts and shutdowns.​ + + + -If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.​ + +**Description framework properties**: -After enabling this policy, you can configure its settings through the [ConfigAutomaticRestartSignOn](#windowslogon-configautomaticrestartsignon) policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot​. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you disable this policy setting, the device doesn't configure automatic sign in. The user’s lock screen apps aren't restarted after the system restarts. + +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AutomaticRestartSignOnDescription | +| Friendly Name | Sign-in and lock last interactive user automatically after a restart | +| Location | Computer Configuration | +| Path | Windows Components > Windows Logon Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | DisableAutomaticRestartSignOn | +| ADMX File Name | WinLogon.admx | + - -ADMX Info: -- GP Friendly name: *Sign-in and lock last interactive user automatically after a restart* -- GP name: *AutomaticRestartSignOn* -- GP path: *Windows Components/Windows Logon Options* -- GP ADMX file name: *WinLogon.admx* + + + - - + - - + +## ConfigAutomaticRestartSignOn - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsLogon/ConfigAutomaticRestartSignOn +``` + -
- - -**WindowsLogon/ConfigAutomaticRestartSignOn** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting controls the configuration under which an automatic restart, sign in, and lock occurs after a restart or cold boot. If you chose “Disabled” in the [AllowAutomaticRestartSignOn](#windowslogon-allowautomaticrestartsignon) policy, then automatic sign in doesn't occur and this policy need not be configured. + +This policy setting controls the configuration under which an automatic restart and sign on and lock occurs after a restart or cold boot. If you chose “Disabled” in the “Sign-in and lock last interactive user automatically after a restart” policy, then automatic sign on will not occur and this policy does not need to be configured. If you enable this policy setting, you can choose one of the following two options: -- Enabled if BitLocker is on and not suspended: Specifies that automatic sign in and lock occurs only if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker isn't on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. +1. “Enabled if BitLocker is on and not suspended” specifies that automatic sign on and lock will only occur if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. BitLocker is suspended during updates if: - - The device doesn't have TPM 2.0 and PCR7 - - The device doesn't use a TPM-only protector -- Always Enabled: Specifies that automatic sign in happens even if BitLocker is off or suspended during reboot or shutdown. When BitLocker isn't enabled, personal data is accessible on the hard drive. Automatic restart and sign in should only be run under this condition if you're confident that the configured device is in a secure physical location. +- The device doesn’t have TPM 2.0 and PCR7, or +- The device doesn’t use a TPM-only protector +2. “Always Enabled” specifies that automatic sign on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. -If you disable or don't configure this setting, automatic sign in defaults to the “Enabled if BitLocker is on and not suspended” behavior. +If you disable or don’t configure this setting, automatic sign on will default to the “Enabled if BitLocker is on and not suspended” behavior. + - + + + - -ADMX Info: -- GP Friendly name: *Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot* -- GP name: *ConfigAutomaticRestartSignOn* -- GP path: *Windows Components/Windows Logon Options* -- GP ADMX file name: *WinLogon.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | ConfigAutomaticRestartSignOnDescription | +| Friendly Name | Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot | +| Location | Computer Configuration | +| Path | Windows Components > Windows Logon Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | WinLogon.admx | + - - + + + -
+ - -**WindowsLogon/DisableLockScreenAppNotifications** + +## DisableLockScreenAppNotifications - -The table below shows the applicability of Windows: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DisableLockScreenAppNotifications +``` + - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - + This policy setting allows you to prevent app notifications from appearing on the lock screen. If you enable this policy setting, no app notifications are displayed on the lock screen. -If you disable or don't configure this policy setting, users can choose which apps display notifications on the lock screen. +If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off app notifications on the lock screen* -- GP name: *DisableLockScreenAppNotifications* -- GP path: *System/Logon* -- GP ADMX file name: *logon.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
+ +**ADMX mapping**: - -**WindowsLogon/DontDisplayNetworkSelectionUI** +| Name | Value | +|:--|:--| +| Name | DisableLockScreenAppNotifications | +| Friendly Name | Turn off app notifications on the lock screen | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DisableLockScreenAppNotifications | +| ADMX File Name | Logon.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## DontDisplayNetworkSelectionUI - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUI +``` + -
+ +This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. - - -This policy setting allows you to control whether anyone can interact with available networks UI on the sign-in screen. - -If you enable this policy setting, the PC's network connectivity state can't be changed without signing into Windows. +If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DontDisplayNetworkSelectionUI | +| Friendly Name | Do not display network selection UI | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DontDisplayNetworkSelectionUI | +| ADMX File Name | Logon.admx | + + + + +**Example**: Here's an example to enable this policy: @@ -287,236 +284,314 @@ Here's an example to enable this policy: ``` + - + - -ADMX Info: -- GP Friendly name: *Do not display network selection UI* -- GP name: *DontDisplayNetworkSelectionUI* -- GP path: *System/Logon* -- GP ADMX file name: *logon.admx* + +## EnableFirstLogonAnimation - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation +``` + - -**WindowsLogon/EnableFirstLogonAnimation** + +This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for services during their first sign-in. - -The table below shows the applicability of Windows: +If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for services. - -
+If you do not configure this policy setting, the user who completes the initial Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer will not see the animation. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +Note: The first sign-in animation will not be shown on Server, so this policy will have no effect. + -> [!div class = "checklist"] -> * Device + + + -
+ +**Description framework properties**: - - -This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This view applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users are offered the opt-in prompt for services during their first sign-in. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -If you enable this policy setting, Microsoft account users see the opt-in prompt for services, and users with other accounts see the sign-in animation. + +**Allowed values**: -If you disable this policy setting, users don't see the animation and Microsoft account users don't see the opt-in prompt for services. +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + -If you don't configure this policy setting, the user who completes the initial Windows setup see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting isn't configured, users new to this computer don't see the animation. + +**Group policy mapping**: -> [!NOTE] -> The first sign-in animation isn't displayed on Server, so this policy has no effect. +| Name | Value | +|:--|:--| +| Name | EnableFirstLogonAnimation | +| Friendly Name | Show first sign-in animation | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | EnableFirstLogonAnimation | +| ADMX File Name | Logon.admx | + - - -ADMX Info: -- GP Friendly name: *Show first sign-in animation* -- GP name: *EnableFirstLogonAnimation* -- GP path: *System/Logon* -- GP ADMX file name: *Logon.admx* + + + - - -Supported values: -- 0 - disabled -- 1 - enabled - - + - - + +## EnableMPRNotifications - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableMPRNotifications +``` + - -**WindowsLogon/EnableMPRNotifications** + +This policy controls the configuration under which winlogon sends MPR notifications in the system. - -The table below shows the applicability of Windows: +If you enable this setting or do not configure it, winlogon sends MPR notifications if a credential manager is configured. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you disable this setting, winlogon does not send MPR notifications. + - -
+ + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
+ +**ADMX mapping**: - - -This policy allows winlogon to send MPR notifications in the system if a credential manager is configured. +| Name | Value | +|:--|:--| +| Name | EnableMPRNotifications | +| Friendly Name | Enable MPR notifications for the system | +| Location | Computer Configuration | +| Path | Windows Components > Windows Logon Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | EnableMPR | +| ADMX File Name | WinLogon.admx | + -If you disable (0), MPR notifications will not be sent by winlogon. + + + -If you enable (1) or do not configure this policy setting this policy, MPR notifications will be sent by winlogon. + - - -Supported values: + +## EnumerateLocalUsersOnDomainJoinedComputers -- 0 - disabled -- 1 (default)- enabled - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers +``` + -
- - -**WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - + This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. -If you disable or don't configure this policy setting, the Logon UI won't enumerate local users on domain-joined computers. +If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. + - + + + - -ADMX Info: -- GP Friendly name: *Enumerate local users on domain-joined computers* -- GP name: *EnumerateLocalUsers* -- GP path: *System/Logon* -- GP ADMX file name: *logon.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
+ +**ADMX mapping**: - -**WindowsLogon/HideFastUserSwitching** +| Name | Value | +|:--|:--| +| Name | EnumerateLocalUsers | +| Friendly Name | Enumerate local users on domain-joined computers | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnumerateLocalUsers | +| ADMX File Name | Logon.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## HideFastUserSwitching - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsLogon/HideFastUserSwitching +``` + -
+ +This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. - - -This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or don't configure this policy setting, the Switch account button is accessible to the user in the three locations. +If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. - - -ADMX Info: -- GP Friendly name: *Hide entry points for Fast User Switching* -- GP name: *HideFastUserSwitching* -- GP path: *System/Logon* -- GP ADMX file name: *Logon.admx* +The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. - - -The following list shows the supported values: +If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations. + -- 0 (default) - Disabled (visible). -- 1 - Enabled (hidden). + + + - - -To validate on Desktop, do the following steps: + +**Description framework properties**: -1. Enable policy. -2. Verify that the Switch account button in Start is hidden. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -
+ +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled (visible). | +| 1 | Enabled (hidden). | + -## Related topics + +**Group policy mapping**: -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | HideFastUserSwitching | +| Friendly Name | Hide entry points for Fast User Switching | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | HideFastUserSwitching | +| ADMX File Name | Logon.admx | + + + + + + + + + +## OverrideShellProgram + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsLogon/OverrideShellProgram +``` + + + +This policy is used by IT admin to override the registry based shell program. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not Configured | +| 1 | Apply Lightweight shell | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 888db084cb..d1d4e1f569 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -1,920 +1,940 @@ items: - - name: Configuration service provider reference - href: index.yml +- name: Configuration service provider reference + href: index.yml + expanded: true + items: + - name: Device description framework (DDF) files + href: configuration-service-provider-ddf.md + - name: Support scenarios + href: configuration-service-provider-support.md + - name: WMI Bridge provider + items: + - name: Using PowerShell scripting with the WMI Bridge Provider + href: ../using-powershell-scripting-with-the-wmi-bridge-provider.md + - name: WMI providers supported in Windows 10 + href: ../wmi-providers-supported-in-windows.md + - name: Understanding ADMX policies + href: ../understanding-admx-backed-policies.md + items: + - name: Enable ADMX policies in MDM + href: ../enable-admx-backed-policies-in-mdm.md + - name: Win32 and Desktop Bridge app policy configuration + href: ../win32-and-centennial-app-policy-configuration.md + - name: OMA DM protocol support + href: ../oma-dm-protocol-support.md + items: + - name: Structure of OMA DM provisioning files + href: ../structure-of-oma-dm-provisioning-files.md + - name: Server requirements for OMA DM + href: ../server-requirements-windows-mdm.md + - name: Configuration service providers (CSPs) expanded: true items: - - name: Device description framework (DDF) files - href: configuration-service-provider-ddf.md - - name: Support scenarios - href: configuration-service-provider-support.md - - name: WMI Bridge provider + - name: Policy + href: policy-configuration-service-provider.md items: - - name: Using PowerShell scripting with the WMI Bridge Provider - href: ../using-powershell-scripting-with-the-wmi-bridge-provider.md - - name: WMI providers supported in Windows 10 - href: ../wmi-providers-supported-in-windows.md - - name: Understanding ADMX policies - href: ../understanding-admx-backed-policies.md + - name: Policy CSP DDF file + href: policy-ddf-file.md + - name: Policy CSP support scenarios + items: + - name: ADMX policies in Policy CSP + href: policies-in-policy-csp-admx-backed.md + - name: Policies in Policy CSP supported by Group Policy + href: policies-in-policy-csp-supported-by-group-policy.md + - name: Policies in Policy CSP supported by HoloLens 2 + href: policies-in-policy-csp-supported-by-hololens2.md + - name: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite + href: policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md + - name: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition + href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md + - name: Policies in Policy CSP supported by Windows 10 IoT Core + href: policies-in-policy-csp-supported-by-iot-core.md + - name: Policies in Policy CSP supported by Microsoft Surface Hub + href: policies-in-policy-csp-supported-by-surface-hub.md + - name: Policy CSPs that can be set using Exchange Active Sync (EAS) + href: policies-in-policy-csp-that-can-be-set-using-eas.md + - name: Policy CSP areas + expanded: true + items: + - name: AboveLock + href: policy-csp-abovelock.md + - name: Accounts + href: policy-csp-accounts.md + - name: ActiveXControls + href: policy-csp-activexcontrols.md + - name: ADMX_ActiveXInstallService + href: policy-csp-admx-activexinstallservice.md + - name: ADMX_AddRemovePrograms + href: policy-csp-admx-addremoveprograms.md + - name: ADMX_AdmPwd + href: policy-csp-admx-admpwd.md + - name: ADMX_AppCompat + href: policy-csp-admx-appcompat.md + - name: ADMX_AppxPackageManager + href: policy-csp-admx-appxpackagemanager.md + - name: ADMX_AppXRuntime + href: policy-csp-admx-appxruntime.md + - name: ADMX_AttachmentManager + href: policy-csp-admx-attachmentmanager.md + - name: ADMX_AuditSettings + href: policy-csp-admx-auditsettings.md + - name: ADMX_Bits + href: policy-csp-admx-bits.md + - name: ADMX_CipherSuiteOrder + href: policy-csp-admx-ciphersuiteorder.md + - name: ADMX_COM + href: policy-csp-admx-com.md + - name: ADMX_ControlPanel + href: policy-csp-admx-controlpanel.md + - name: ADMX_ControlPanelDisplay + href: policy-csp-admx-controlpaneldisplay.md + - name: ADMX_Cpls + href: policy-csp-admx-cpls.md + - name: ADMX_CredentialProviders + href: policy-csp-admx-credentialproviders.md + - name: ADMX_CredSsp + href: policy-csp-admx-credssp.md + - name: ADMX_CredUI + href: policy-csp-admx-credui.md + - name: ADMX_CtrlAltDel + href: policy-csp-admx-ctrlaltdel.md + - name: ADMX_DataCollection + href: policy-csp-admx-datacollection.md + - name: ADMX_DCOM + href: policy-csp-admx-dcom.md + - name: ADMX_Desktop + href: policy-csp-admx-desktop.md + - name: ADMX_DeviceCompat + href: policy-csp-admx-devicecompat.md + - name: ADMX_DeviceGuard + href: policy-csp-admx-deviceguard.md + - name: ADMX_DeviceInstallation + href: policy-csp-admx-deviceinstallation.md + - name: ADMX_DeviceSetup + href: policy-csp-admx-devicesetup.md + - name: ADMX_DFS + href: policy-csp-admx-dfs.md + - name: ADMX_DigitalLocker + href: policy-csp-admx-digitallocker.md + - name: ADMX_DiskDiagnostic + href: policy-csp-admx-diskdiagnostic.md + - name: ADMX_DistributedLinkTracking + href: policy-csp-admx-distributedlinktracking.md + - name: ADMX_DnsClient + href: policy-csp-admx-dnsclient.md + - name: ADMX_DWM + href: policy-csp-admx-dwm.md + - name: ADMX_EAIME + href: policy-csp-admx-eaime.md + - name: ADMX_EncryptFilesonMove + href: policy-csp-admx-encryptfilesonmove.md + - name: ADMX_EnhancedStorage + href: policy-csp-admx-enhancedstorage.md + - name: ADMX_ErrorReporting + href: policy-csp-admx-errorreporting.md + - name: ADMX_EventForwarding + href: policy-csp-admx-eventforwarding.md + - name: ADMX_EventLog + href: policy-csp-admx-eventlog.md + - name: ADMX_EventLogging + href: policy-csp-admx-eventlogging.md + - name: ADMX_EventViewer + href: policy-csp-admx-eventviewer.md + - name: ADMX_Explorer + href: policy-csp-admx-explorer.md + - name: ADMX_ExternalBoot + href: policy-csp-admx-externalboot.md + - name: ADMX_FileRecovery + href: policy-csp-admx-filerecovery.md + - name: ADMX_FileRevocation + href: policy-csp-admx-filerevocation.md + - name: ADMX_FileServerVSSProvider + href: policy-csp-admx-fileservervssprovider.md + - name: ADMX_FileSys + href: policy-csp-admx-filesys.md + - name: ADMX_FolderRedirection + href: policy-csp-admx-folderredirection.md + - name: ADMX_FramePanes + href: policy-csp-admx-framepanes.md + - name: ADMX_FTHSVC + href: policy-csp-admx-fthsvc.md + - name: ADMX_Globalization + href: policy-csp-admx-globalization.md + - name: ADMX_GroupPolicy + href: policy-csp-admx-grouppolicy.md + - name: ADMX_Help + href: policy-csp-admx-help.md + - name: ADMX_HelpAndSupport + href: policy-csp-admx-helpandsupport.md + - name: ADMX_HotSpotAuth + href: policy-csp-admx-hotspotauth.md + - name: ADMX_ICM + href: policy-csp-admx-icm.md + - name: ADMX_IIS + href: policy-csp-admx-iis.md + - name: ADMX_iSCSI + href: policy-csp-admx-iscsi.md + - name: ADMX_kdc + href: policy-csp-admx-kdc.md + - name: ADMX_Kerberos + href: policy-csp-admx-kerberos.md + - name: ADMX_LanmanServer + href: policy-csp-admx-lanmanserver.md + - name: ADMX_LanmanWorkstation + href: policy-csp-admx-lanmanworkstation.md + - name: ADMX_LeakDiagnostic + href: policy-csp-admx-leakdiagnostic.md + - name: ADMX_LinkLayerTopologyDiscovery + href: policy-csp-admx-linklayertopologydiscovery.md + - name: ADMX_LocationProviderAdm + href: policy-csp-admx-locationprovideradm.md + - name: ADMX_Logon + href: policy-csp-admx-logon.md + - name: ADMX_MicrosoftDefenderAntivirus + href: policy-csp-admx-microsoftdefenderantivirus.md + - name: ADMX_MMC + href: policy-csp-admx-mmc.md + - name: ADMX_MMCSnapins + href: policy-csp-admx-mmcsnapins.md + - name: ADMX_MobilePCMobilityCenter + href: policy-csp-admx-mobilepcmobilitycenter.md + - name: ADMX_MobilePCPresentationSettings + href: policy-csp-admx-mobilepcpresentationsettings.md + - name: ADMX_MSAPolicy + href: policy-csp-admx-msapolicy.md + - name: ADMX_msched + href: policy-csp-admx-msched.md + - name: ADMX_MSDT + href: policy-csp-admx-msdt.md + - name: ADMX_MSI + href: policy-csp-admx-msi.md + - name: ADMX_MsiFileRecovery + href: policy-csp-admx-msifilerecovery.md + - name: ADMX_MSS-legacy + href: policy-csp-admx-mss-legacy.md + - name: ADMX_nca + href: policy-csp-admx-nca.md + - name: ADMX_NCSI + href: policy-csp-admx-ncsi.md + - name: ADMX_Netlogon + href: policy-csp-admx-netlogon.md + - name: ADMX_NetworkConnections + href: policy-csp-admx-networkconnections.md + - name: ADMX_OfflineFiles + href: policy-csp-admx-offlinefiles.md + - name: ADMX_pca + href: policy-csp-admx-pca.md + - name: ADMX_PeerToPeerCaching + href: policy-csp-admx-peertopeercaching.md + - name: ADMX_PenTraining + href: policy-csp-admx-pentraining.md + - name: ADMX_PerformanceDiagnostics + href: policy-csp-admx-performancediagnostics.md + - name: ADMX_Power + href: policy-csp-admx-power.md + - name: ADMX_PowerShellExecutionPolicy + href: policy-csp-admx-powershellexecutionpolicy.md + - name: ADMX_PreviousVersions + href: policy-csp-admx-previousversions.md + - name: ADMX_Printing + href: policy-csp-admx-printing.md + - name: ADMX_Printing2 + href: policy-csp-admx-printing2.md + - name: ADMX_Programs + href: policy-csp-admx-programs.md + - name: ADMX_QOS + href: policy-csp-admx-qos.md + - name: ADMX_Reliability + href: policy-csp-admx-reliability.md + - name: ADMX_RemoteAssistance + href: policy-csp-admx-remoteassistance.md + - name: ADMX_RemovableStorage + href: policy-csp-admx-removablestorage.md + - name: ADMX_RPC + href: policy-csp-admx-rpc.md + - name: ADMX_sam + href: policy-csp-admx-sam.md + - name: ADMX_Scripts + href: policy-csp-admx-scripts.md + - name: ADMX_sdiageng + href: policy-csp-admx-sdiageng.md + - name: ADMX_sdiagschd + href: policy-csp-admx-sdiagschd.md + - name: ADMX_Securitycenter + href: policy-csp-admx-securitycenter.md + - name: ADMX_Sensors + href: policy-csp-admx-sensors.md + - name: ADMX_ServerManager + href: policy-csp-admx-servermanager.md + - name: ADMX_Servicing + href: policy-csp-admx-servicing.md + - name: ADMX_SettingSync + href: policy-csp-admx-settingsync.md + - name: ADMX_SharedFolders + href: policy-csp-admx-sharedfolders.md + - name: ADMX_Sharing + href: policy-csp-admx-sharing.md + - name: ADMX_ShellCommandPromptRegEditTools + href: policy-csp-admx-shellcommandpromptregedittools.md + - name: ADMX_Smartcard + href: policy-csp-admx-smartcard.md + - name: ADMX_Snmp + href: policy-csp-admx-snmp.md + - name: ADMX_StartMenu + href: policy-csp-admx-startmenu.md + - name: ADMX_SystemRestore + href: policy-csp-admx-systemrestore.md + - name: ADMX_TabletPCInputPanel + href: policy-csp-admx-tabletpcinputpanel.md + - name: ADMX_TabletShell + href: policy-csp-admx-tabletshell.md + - name: ADMX_Taskbar + href: policy-csp-admx-taskbar.md + - name: ADMX_tcpip + href: policy-csp-admx-tcpip.md + - name: ADMX_TerminalServer + href: policy-csp-admx-terminalserver.md + - name: ADMX_Thumbnails + href: policy-csp-admx-thumbnails.md + - name: ADMX_TouchInput + href: policy-csp-admx-touchinput.md + - name: ADMX_TPM + href: policy-csp-admx-tpm.md + - name: ADMX_UserExperienceVirtualization + href: policy-csp-admx-userexperiencevirtualization.md + - name: ADMX_UserProfiles + href: policy-csp-admx-userprofiles.md + - name: ADMX_W32Time + href: policy-csp-admx-w32time.md + - name: ADMX_WCM + href: policy-csp-admx-wcm.md + - name: ADMX_WDI + href: policy-csp-admx-wdi.md + - name: ADMX_WinCal + href: policy-csp-admx-wincal.md + - name: ADMX_WindowsConnectNow + href: policy-csp-admx-windowsconnectnow.md + - name: ADMX_WindowsExplorer + href: policy-csp-admx-windowsexplorer.md + - name: ADMX_WindowsMediaDRM + href: policy-csp-admx-windowsmediadrm.md + - name: ADMX_WindowsMediaPlayer + href: policy-csp-admx-windowsmediaplayer.md + - name: ADMX_WindowsRemoteManagement + href: policy-csp-admx-windowsremotemanagement.md + - name: ADMX_WindowsStore + href: policy-csp-admx-windowsstore.md + - name: ADMX_WinInit + href: policy-csp-admx-wininit.md + - name: ADMX_WinLogon + href: policy-csp-admx-winlogon.md + - name: ADMX_wlansvc + href: policy-csp-admx-wlansvc.md + - name: ADMX_WordWheel + href: policy-csp-admx-wordwheel.md + - name: ADMX_WorkFoldersClient + href: policy-csp-admx-workfoldersclient.md + - name: ADMX_WPN + href: policy-csp-admx-wpn.md + - name: ADMX-Winsrv + href: policy-csp-admx-winsrv.md + - name: ApplicationDefaults + href: policy-csp-applicationdefaults.md + - name: ApplicationManagement + href: policy-csp-applicationmanagement.md + - name: AppRuntime + href: policy-csp-appruntime.md + - name: AppVirtualization + href: policy-csp-appvirtualization.md + - name: AttachmentManager + href: policy-csp-attachmentmanager.md + - name: Audit + href: policy-csp-audit.md + - name: Authentication + href: policy-csp-authentication.md + - name: Autoplay + href: policy-csp-autoplay.md + - name: BitLocker + href: policy-csp-bitlocker.md + - name: BITS + href: policy-csp-bits.md + - name: Bluetooth + href: policy-csp-bluetooth.md + - name: Browser + href: policy-csp-browser.md + - name: Camera + href: policy-csp-camera.md + - name: Cellular + href: policy-csp-cellular.md + - name: CloudDesktop + href: policy-csp-clouddesktop.md + - name: CloudPC + href: policy-csp-cloudpc.md + - name: Connectivity + href: policy-csp-connectivity.md + - name: ControlPolicyConflict + href: policy-csp-controlpolicyconflict.md + - name: CredentialProviders + href: policy-csp-credentialproviders.md + - name: CredentialsDelegation + href: policy-csp-credentialsdelegation.md + - name: CredentialsUI + href: policy-csp-credentialsui.md + - name: Cryptography + href: policy-csp-cryptography.md + - name: DataProtection + href: policy-csp-dataprotection.md + - name: DataUsage + href: policy-csp-datausage.md + - name: Defender + href: policy-csp-defender.md + - name: DeliveryOptimization + href: policy-csp-deliveryoptimization.md + - name: Desktop + href: policy-csp-desktop.md + - name: DesktopAppInstaller + href: policy-csp-desktopappinstaller.md + - name: DeviceGuard + href: policy-csp-deviceguard.md + - name: DeviceHealthMonitoring + href: policy-csp-devicehealthmonitoring.md + - name: DeviceInstallation + href: policy-csp-deviceinstallation.md + - name: DeviceLock + href: policy-csp-devicelock.md + - name: Display + href: policy-csp-display.md + - name: DmaGuard + href: policy-csp-dmaguard.md + - name: EAP + href: policy-csp-eap.md + - name: Education + href: policy-csp-education.md + - name: EnterpriseCloudPrint + href: policy-csp-enterprisecloudprint.md + - name: ErrorReporting + href: policy-csp-errorreporting.md + - name: EventLogService + href: policy-csp-eventlogservice.md + - name: Experience + href: policy-csp-experience.md + - name: ExploitGuard + href: policy-csp-exploitguard.md + - name: Federated Authentication + href: policy-csp-federatedauthentication.md + - name: Feeds + href: policy-csp-feeds.md + - name: FileExplorer + href: policy-csp-fileexplorer.md + - name: Games + href: policy-csp-games.md + - name: Handwriting + href: policy-csp-handwriting.md + - name: HumanPresence + href: policy-csp-humanpresence.md + - name: InternetExplorer + href: policy-csp-internetexplorer.md + - name: Kerberos + href: policy-csp-kerberos.md + - name: KioskBrowser + href: policy-csp-kioskbrowser.md + - name: LanmanWorkstation + href: policy-csp-lanmanworkstation.md + - name: Licensing + href: policy-csp-licensing.md + - name: LocalPoliciesSecurityOptions + href: policy-csp-localpoliciessecurityoptions.md + - name: LocalSecurityAuthority + href: policy-csp-lsa.md + - name: LocalUsersAndGroups + href: policy-csp-localusersandgroups.md + - name: LockDown + href: policy-csp-lockdown.md + - name: Maps + href: policy-csp-maps.md + - name: MemoryDump + href: policy-csp-memorydump.md + - name: Messaging + href: policy-csp-messaging.md + - name: MixedReality + href: policy-csp-mixedreality.md + - name: MSSecurityGuide + href: policy-csp-mssecurityguide.md + - name: MSSLegacy + href: policy-csp-msslegacy.md + - name: Multitasking + href: policy-csp-multitasking.md + - name: NetworkIsolation + href: policy-csp-networkisolation.md + - name: NetworkListManager + href: policy-csp-networklistmanager.md + - name: NewsAndInterests + href: policy-csp-newsandinterests.md + - name: Notifications + href: policy-csp-notifications.md + - name: Power + href: policy-csp-power.md + - name: Printers + href: policy-csp-printers.md + - name: Privacy + href: policy-csp-privacy.md + - name: RemoteAssistance + href: policy-csp-remoteassistance.md + - name: RemoteDesktop + href: policy-csp-remotedesktop.md + - name: RemoteDesktopServices + href: policy-csp-remotedesktopservices.md + - name: RemoteManagement + href: policy-csp-remotemanagement.md + - name: RemoteProcedureCall + href: policy-csp-remoteprocedurecall.md + - name: RemoteShell + href: policy-csp-remoteshell.md + - name: RestrictedGroups + href: policy-csp-restrictedgroups.md + - name: Search + href: policy-csp-search.md + - name: Security + href: policy-csp-security.md + - name: ServiceControlManager + href: policy-csp-servicecontrolmanager.md + - name: Settings + href: policy-csp-settings.md + - name: SettingsSync + href: policy-csp-settingssync.md + - name: Speech + href: policy-csp-speech.md + - name: Start + href: policy-csp-start.md + - name: Stickers + href: policy-csp-stickers.md + - name: Storage + href: policy-csp-storage.md + - name: System + href: policy-csp-system.md + - name: SystemServices + href: policy-csp-systemservices.md + - name: TaskManager + href: policy-csp-taskmanager.md + - name: TaskScheduler + href: policy-csp-taskscheduler.md + - name: TenantDefinedTelemetry + href: policy-csp-tenantdefinedtelemetry.md + - name: TenantRestrictions + href: policy-csp-tenantrestrictions.md + - name: TextInput + href: policy-csp-textinput.md + - name: TimeLanguageSettings + href: policy-csp-timelanguagesettings.md + - name: Troubleshooting + href: policy-csp-troubleshooting.md + - name: Update + href: policy-csp-update.md + - name: UserRights + href: policy-csp-userrights.md + - name: VirtualizationBasedTechnology + href: policy-csp-virtualizationbasedtechnology.md + - name: WebThreatDefense + href: policy-csp-webthreatdefense.md + - name: Wifi + href: policy-csp-wifi.md + - name: WindowsAutoPilot + href: policy-csp-windowsautopilot.md + - name: WindowsConnectionManager + href: policy-csp-windowsconnectionmanager.md + - name: WindowsDefenderSecurityCenter + href: policy-csp-windowsdefendersecuritycenter.md + - name: WindowsDefenderSmartScreen + href: policy-csp-smartscreen.md + - name: WindowsInkWorkspace + href: policy-csp-windowsinkworkspace.md + - name: WindowsLogon + href: policy-csp-windowslogon.md + - name: WindowsPowerShell + href: policy-csp-windowspowershell.md + - name: WindowsSandbox + href: policy-csp-windowssandbox.md + - name: WirelessDisplay + href: policy-csp-wirelessdisplay.md + - name: AccountManagement + href: accountmanagement-csp.md items: - - name: Enable ADMX policies in MDM - href: ../enable-admx-backed-policies-in-mdm.md - - name: Win32 and Desktop Bridge app policy configuration - href: ../win32-and-centennial-app-policy-configuration.md - - name: OMA DM protocol support - href: ../oma-dm-protocol-support.md + - name: AccountManagement DDF file + href: accountmanagement-ddf.md + - name: Accounts + href: accounts-csp.md items: - - name: Structure of OMA DM provisioning files - href: ../structure-of-oma-dm-provisioning-files.md - - name: Server requirements for OMA DM - href: ../server-requirements-windows-mdm.md - - name: Configuration service providers (CSPs) - expanded: true + - name: Accounts DDF file + href: accounts-ddf-file.md + - name: ActiveSync + href: activesync-csp.md items: - - name: Policy - href: policy-configuration-service-provider.md - items: - - name: Policy CSP DDF file - href: policy-ddf-file.md - - name: Policy CSP support scenarios - items: - - name: ADMX policies in Policy CSP - href: policies-in-policy-csp-admx-backed.md - - name: Policies in Policy CSP supported by Group Policy - href: policies-in-policy-csp-supported-by-group-policy.md - - name: Policies in Policy CSP supported by HoloLens 2 - href: policies-in-policy-csp-supported-by-hololens2.md - - name: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite - href: policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md - - name: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition - href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md - - name: Policies in Policy CSP supported by Windows 10 IoT Core - href: policies-in-policy-csp-supported-by-iot-core.md - - name: Policies in Policy CSP supported by Microsoft Surface Hub - href: policies-in-policy-csp-supported-by-surface-hub.md - - name: Policy CSPs that can be set using Exchange Active Sync (EAS) - href: policies-in-policy-csp-that-can-be-set-using-eas.md - - name: Policy CSP areas - expanded: true - items: - - name: AboveLock - href: policy-csp-abovelock.md - - name: Accounts - href: policy-csp-accounts.md - - name: ActiveXControls - href: policy-csp-activexcontrols.md - - name: ADMX_ActiveXInstallService - href: policy-csp-admx-activexinstallservice.md - - name: ADMX_AddRemovePrograms - href: policy-csp-admx-addremoveprograms.md - - name: ADMX_AdmPwd - href: policy-csp-admx-admpwd.md - - name: ADMX_AppCompat - href: policy-csp-admx-appcompat.md - - name: ADMX_AppxPackageManager - href: policy-csp-admx-appxpackagemanager.md - - name: ADMX_AppXRuntime - href: policy-csp-admx-appxruntime.md - - name: ADMX_AttachmentManager - href: policy-csp-admx-attachmentmanager.md - - name: ADMX_AuditSettings - href: policy-csp-admx-auditsettings.md - - name: ADMX_Bits - href: policy-csp-admx-bits.md - - name: ADMX_CipherSuiteOrder - href: policy-csp-admx-ciphersuiteorder.md - - name: ADMX_COM - href: policy-csp-admx-com.md - - name: ADMX_ControlPanel - href: policy-csp-admx-controlpanel.md - - name: ADMX_ControlPanelDisplay - href: policy-csp-admx-controlpaneldisplay.md - - name: ADMX_Cpls - href: policy-csp-admx-cpls.md - - name: ADMX_CredentialProviders - href: policy-csp-admx-credentialproviders.md - - name: ADMX_CredSsp - href: policy-csp-admx-credssp.md - - name: ADMX_CredUI - href: policy-csp-admx-credui.md - - name: ADMX_CtrlAltDel - href: policy-csp-admx-ctrlaltdel.md - - name: ADMX_DataCollection - href: policy-csp-admx-datacollection.md - - name: ADMX_DCOM - href: policy-csp-admx-dcom.md - - name: ADMX_Desktop - href: policy-csp-admx-desktop.md - - name: ADMX_DeviceCompat - href: policy-csp-admx-devicecompat.md - - name: ADMX_DeviceGuard - href: policy-csp-admx-deviceguard.md - - name: ADMX_DeviceInstallation - href: policy-csp-admx-deviceinstallation.md - - name: ADMX_DeviceSetup - href: policy-csp-admx-devicesetup.md - - name: ADMX_DFS - href: policy-csp-admx-dfs.md - - name: ADMX_DigitalLocker - href: policy-csp-admx-digitallocker.md - - name: ADMX_DiskDiagnostic - href: policy-csp-admx-diskdiagnostic.md - - name: ADMX_DistributedLinkTracking - href: policy-csp-admx-distributedlinktracking.md - - name: ADMX_DnsClient - href: policy-csp-admx-dnsclient.md - - name: ADMX_DWM - href: policy-csp-admx-dwm.md - - name: ADMX_EAIME - href: policy-csp-admx-eaime.md - - name: ADMX_EncryptFilesonMove - href: policy-csp-admx-encryptfilesonmove.md - - name: ADMX_EventLogging - href: policy-csp-admx-eventlogging.md - - name: ADMX_EnhancedStorage - href: policy-csp-admx-enhancedstorage.md - - name: ADMX_ErrorReporting - href: policy-csp-admx-errorreporting.md - - name: ADMX_EventForwarding - href: policy-csp-admx-eventforwarding.md - - name: ADMX_EventLog - href: policy-csp-admx-eventlog.md - - name: ADMX_EventViewer - href: policy-csp-admx-eventviewer.md - - name: ADMX_Explorer - href: policy-csp-admx-explorer.md - - name: ADMX_ExternalBoot - href: policy-csp-admx-externalboot.md - - name: ADMX_FileRecovery - href: policy-csp-admx-filerecovery.md - - name: ADMX_FileRevocation - href: policy-csp-admx-filerevocation.md - - name: ADMX_FileServerVSSProvider - href: policy-csp-admx-fileservervssprovider.md - - name: ADMX_FileSys - href: policy-csp-admx-filesys.md - - name: ADMX_FolderRedirection - href: policy-csp-admx-folderredirection.md - - name: ADMX_FramePanes - href: policy-csp-admx-framepanes.md - - name: ADMX_FTHSVC - href: policy-csp-admx-fthsvc.md - - name: ADMX_Globalization - href: policy-csp-admx-globalization.md - - name: ADMX_GroupPolicy - href: policy-csp-admx-grouppolicy.md - - name: ADMX_Help - href: policy-csp-admx-help.md - - name: ADMX_HelpAndSupport - href: policy-csp-admx-helpandsupport.md - - name: ADMX_HotSpotAuth - href: policy-csp-admx-hotspotauth.md - - name: ADMX_ICM - href: policy-csp-admx-icm.md - - name: ADMX_IIS - href: policy-csp-admx-iis.md - - name: ADMX_iSCSI - href: policy-csp-admx-iscsi.md - - name: ADMX_kdc - href: policy-csp-admx-kdc.md - - name: ADMX_Kerberos - href: policy-csp-admx-kerberos.md - - name: ADMX_LanmanServer - href: policy-csp-admx-lanmanserver.md - - name: ADMX_LanmanWorkstation - href: policy-csp-admx-lanmanworkstation.md - - name: ADMX_LeakDiagnostic - href: policy-csp-admx-leakdiagnostic.md - - name: ADMX_LinkLayerTopologyDiscovery - href: policy-csp-admx-linklayertopologydiscovery.md - - name: ADMX_LocationProviderAdm - href: policy-csp-admx-locationprovideradm.md - - name: ADMX_Logon - href: policy-csp-admx-logon.md - - name: ADMX_MicrosoftDefenderAntivirus - href: policy-csp-admx-microsoftdefenderantivirus.md - - name: ADMX_MMC - href: policy-csp-admx-mmc.md - - name: ADMX_MMCSnapins - href: policy-csp-admx-mmcsnapins.md - - name: ADMX_MobilePCMobilityCenter - href: policy-csp-admx-mobilepcmobilitycenter.md - - name: ADMX_MobilePCPresentationSettings - href: policy-csp-admx-mobilepcpresentationsettings.md - - name: ADMX_MSAPolicy - href: policy-csp-admx-msapolicy.md - - name: ADMX_msched - href: policy-csp-admx-msched.md - - name: ADMX_MSDT - href: policy-csp-admx-msdt.md - - name: ADMX_MSI - href: policy-csp-admx-msi.md - - name: ADMX_MsiFileRecovery - href: policy-csp-admx-msifilerecovery.md - - name: ADMX_nca - href: policy-csp-admx-nca.md - - name: ADMX_NCSI - href: policy-csp-admx-ncsi.md - - name: ADMX_Netlogon - href: policy-csp-admx-netlogon.md - - name: ADMX_NetworkConnections - href: policy-csp-admx-networkconnections.md - - name: ADMX_OfflineFiles - href: policy-csp-admx-offlinefiles.md - - name: ADMX_pca - href: policy-csp-admx-pca.md - - name: ADMX_PeerToPeerCaching - href: policy-csp-admx-peertopeercaching.md - - name: ADMX_PenTraining - href: policy-csp-admx-pentraining.md - - name: ADMX_PerformanceDiagnostics - href: policy-csp-admx-performancediagnostics.md - - name: ADMX_Power - href: policy-csp-admx-power.md - - name: ADMX_PowerShellExecutionPolicy - href: policy-csp-admx-powershellexecutionpolicy.md - - name: ADMX_PreviousVersions - href: policy-csp-admx-previousversions.md - - name: ADMX_Printing - href: policy-csp-admx-printing.md - - name: ADMX_Printing2 - href: policy-csp-admx-printing2.md - - name: ADMX_Programs - href: policy-csp-admx-programs.md - - name: ADMX_Reliability - href: policy-csp-admx-reliability.md - - name: ADMX_RemoteAssistance - href: policy-csp-admx-remoteassistance.md - - name: ADMX_RemovableStorage - href: policy-csp-admx-removablestorage.md - - name: ADMX_RPC - href: policy-csp-admx-rpc.md - - name: ADMX_Scripts - href: policy-csp-admx-scripts.md - - name: ADMX_sdiageng - href: policy-csp-admx-sdiageng.md - - name: ADMX_sdiagschd - href: policy-csp-admx-sdiagschd.md - - name: ADMX_Securitycenter - href: policy-csp-admx-securitycenter.md - - name: ADMX_Sensors - href: policy-csp-admx-sensors.md - - name: ADMX_ServerManager - href: policy-csp-admx-servermanager.md - - name: ADMX_Servicing - href: policy-csp-admx-servicing.md - - name: ADMX_SettingSync - href: policy-csp-admx-settingsync.md - - name: ADMX_SharedFolders - href: policy-csp-admx-sharedfolders.md - - name: ADMX_Sharing - href: policy-csp-admx-sharing.md - - name: ADMX_ShellCommandPromptRegEditTools - href: policy-csp-admx-shellcommandpromptregedittools.md - - name: ADMX_Smartcard - href: policy-csp-admx-smartcard.md - - name: ADMX_Snmp - href: policy-csp-admx-snmp.md - - name: ADMX_StartMenu - href: policy-csp-admx-startmenu.md - - name: ADMX_SystemRestore - href: policy-csp-admx-systemrestore.md - - name: ADMX_TabletShell - href: policy-csp-admx-tabletshell.md - - name: ADMX_Taskbar - href: policy-csp-admx-taskbar.md - - name: ADMX_tcpip - href: policy-csp-admx-tcpip.md - - name: ADMX_TerminalServer - href: policy-csp-admx-terminalserver.md - - name: ADMX_Thumbnails - href: policy-csp-admx-thumbnails.md - - name: ADMX_TouchInput - href: policy-csp-admx-touchinput.md - - name: ADMX_TPM - href: policy-csp-admx-tpm.md - - name: ADMX_UserExperienceVirtualization - href: policy-csp-admx-userexperiencevirtualization.md - - name: ADMX_UserProfiles - href: policy-csp-admx-userprofiles.md - - name: ADMX_W32Time - href: policy-csp-admx-w32time.md - - name: ADMX_WCM - href: policy-csp-admx-wcm.md - - name: ADMX_WDI - href: policy-csp-admx-wdi.md - - name: ADMX_WinCal - href: policy-csp-admx-wincal.md - - name: ADMX_WindowsConnectNow - href: policy-csp-admx-windowsconnectnow.md - - name: ADMX_WindowsExplorer - href: policy-csp-admx-windowsexplorer.md - - name: ADMX_WindowsMediaDRM - href: policy-csp-admx-windowsmediadrm.md - - name: ADMX_WindowsMediaPlayer - href: policy-csp-admx-windowsmediaplayer.md - - name: ADMX_WindowsRemoteManagement - href: policy-csp-admx-windowsremotemanagement.md - - name: ADMX_WindowsStore - href: policy-csp-admx-windowsstore.md - - name: ADMX_WinInit - href: policy-csp-admx-wininit.md - - name: ADMX_WinLogon - href: policy-csp-admx-winlogon.md - - name: ADMX-Winsrv - href: policy-csp-admx-winsrv.md - - name: ADMX_wlansvc - href: policy-csp-admx-wlansvc.md - - name: ADMX_WordWheel - href: policy-csp-admx-wordwheel.md - - name: ADMX_WorkFoldersClient - href: policy-csp-admx-workfoldersclient.md - - name: ADMX_WPN - href: policy-csp-admx-wpn.md - - name: ApplicationDefaults - href: policy-csp-applicationdefaults.md - - name: ApplicationManagement - href: policy-csp-applicationmanagement.md - - name: AppRuntime - href: policy-csp-appruntime.md - - name: AppVirtualization - href: policy-csp-appvirtualization.md - - name: AttachmentManager - href: policy-csp-attachmentmanager.md - - name: Audit - href: policy-csp-audit.md - - name: Authentication - href: policy-csp-authentication.md - - name: Autoplay - href: policy-csp-autoplay.md - - name: BitLocker - href: policy-csp-bitlocker.md - - name: BITS - href: policy-csp-bits.md - - name: Bluetooth - href: policy-csp-bluetooth.md - - name: Browser - href: policy-csp-browser.md - - name: Camera - href: policy-csp-camera.md - - name: Cellular - href: policy-csp-cellular.md - - name: Connectivity - href: policy-csp-connectivity.md - - name: ControlPolicyConflict - href: policy-csp-controlpolicyconflict.md - - name: CredentialsDelegation - href: policy-csp-credentialsdelegation.md - - name: CredentialProviders - href: policy-csp-credentialproviders.md - - name: CredentialsUI - href: policy-csp-credentialsui.md - - name: Cryptography - href: policy-csp-cryptography.md - - name: DataProtection - href: policy-csp-dataprotection.md - - name: DataUsage - href: policy-csp-datausage.md - - name: Defender - href: policy-csp-defender.md - - name: DeliveryOptimization - href: policy-csp-deliveryoptimization.md - - name: Desktop - href: policy-csp-desktop.md - - name: DesktopAppInstaller - href: policy-csp-desktopappinstaller.md - - name: DeviceGuard - href: policy-csp-deviceguard.md - - name: DeviceHealthMonitoring - href: policy-csp-devicehealthmonitoring.md - - name: DeviceInstallation - href: policy-csp-deviceinstallation.md - - name: DeviceLock - href: policy-csp-devicelock.md - - name: Display - href: policy-csp-display.md - - name: DmaGuard - href: policy-csp-dmaguard.md - - name: EAP - href: policy-csp-eap.md - - name: Education - href: policy-csp-education.md - - name: EnterpriseCloudPrint - href: policy-csp-enterprisecloudprint.md - - name: ErrorReporting - href: policy-csp-errorreporting.md - - name: EventLogService - href: policy-csp-eventlogservice.md - - name: Experience - href: policy-csp-experience.md - - name: ExploitGuard - href: policy-csp-exploitguard.md - - name: Federated Authentication - href: policy-csp-federatedauthentication.md - - name: Feeds - href: policy-csp-feeds.md - - name: FileExplorer - href: policy-csp-fileexplorer.md - - name: Games - href: policy-csp-games.md - - name: Handwriting - href: policy-csp-handwriting.md - - name: HumanPresence - href: policy-csp-humanpresence.md - - name: InternetExplorer - href: policy-csp-internetexplorer.md - - name: Kerberos - href: policy-csp-kerberos.md - - name: KioskBrowser - href: policy-csp-kioskbrowser.md - - name: LanmanWorkstation - href: policy-csp-lanmanworkstation.md - - name: Licensing - href: policy-csp-licensing.md - - name: LocalPoliciesSecurityOptions - href: policy-csp-localpoliciessecurityoptions.md - - name: LocalSecurityAuthority - href: policy-csp-lsa.md - - name: LocalUsersAndGroups - href: policy-csp-localusersandgroups.md - - name: LockDown - href: policy-csp-lockdown.md - - name: Maps - href: policy-csp-maps.md - - name: MemoryDump - href: policy-csp-memorydump.md - - name: Messaging - href: policy-csp-messaging.md - - name: MixedReality - href: policy-csp-mixedreality.md - - name: MSSecurityGuide - href: policy-csp-mssecurityguide.md - - name: MSSLegacy - href: policy-csp-msslegacy.md - - name: Multitasking - href: policy-csp-multitasking.md - - name: NetworkIsolation - href: policy-csp-networkisolation.md - - name: NetworkListManager - href: policy-csp-networklistmanager.md - - name: NewsAndInterests - href: policy-csp-newsandinterests.md - - name: Notifications - href: policy-csp-notifications.md - - name: Power - href: policy-csp-power.md - - name: Printers - href: policy-csp-printers.md - - name: Privacy - href: policy-csp-privacy.md - - name: RemoteAssistance - href: policy-csp-remoteassistance.md - - name: RemoteDesktop - href: policy-csp-remotedesktop.md - - name: RemoteDesktopServices - href: policy-csp-remotedesktopservices.md - - name: RemoteManagement - href: policy-csp-remotemanagement.md - - name: RemoteProcedureCall - href: policy-csp-remoteprocedurecall.md - - name: RemoteShell - href: policy-csp-remoteshell.md - - name: RestrictedGroups - href: policy-csp-restrictedgroups.md - - name: Search - href: policy-csp-search.md - - name: Security - href: policy-csp-security.md - - name: ServiceControlManager - href: policy-csp-servicecontrolmanager.md - - name: Settings - href: policy-csp-settings.md - - name: Speech - href: policy-csp-speech.md - - name: Start - href: policy-csp-start.md - - name: Storage - href: policy-csp-storage.md - - name: System - href: policy-csp-system.md - - name: SystemServices - href: policy-csp-systemservices.md - - name: TaskManager - href: policy-csp-taskmanager.md - - name: TaskScheduler - href: policy-csp-taskscheduler.md - - name: TextInput - href: policy-csp-textinput.md - - name: TimeLanguageSettings - href: policy-csp-timelanguagesettings.md - - name: Troubleshooting - href: policy-csp-troubleshooting.md - - name: Update - href: policy-csp-update.md - - name: UserRights - href: policy-csp-userrights.md - - name: VirtualizationBasedTechnology - href: policy-csp-virtualizationbasedtechnology.md - - name: WebThreatDefense - href: policy-csp-webthreatdefense.md - - name: Wifi - href: policy-csp-wifi.md - - name: WindowsAutoPilot - href: policy-csp-windowsautopilot.md - - name: WindowsConnectionManager - href: policy-csp-windowsconnectionmanager.md - - name: WindowsDefenderSecurityCenter - href: policy-csp-windowsdefendersecuritycenter.md - - name: WindowsDefenderSmartScreen - href: policy-csp-smartscreen.md - - name: WindowsInkWorkspace - href: policy-csp-windowsinkworkspace.md - - name: WindowsLogon - href: policy-csp-windowslogon.md - - name: WindowsPowerShell - href: policy-csp-windowspowershell.md - - name: WindowsSandbox - href: policy-csp-windowssandbox.md - - name: WirelessDisplay - href: policy-csp-wirelessdisplay.md - - name: AccountManagement - href: accountmanagement-csp.md - items: - - name: AccountManagement DDF file - href: accountmanagement-ddf.md - - name: Accounts - href: accounts-csp.md - items: - - name: Accounts DDF file - href: accounts-ddf-file.md - - name: ActiveSync - href: activesync-csp.md - items: - - name: ActiveSync DDF file - href: activesync-ddf-file.md - - name: AllJoynManagement - href: alljoynmanagement-csp.md - items: - - name: AllJoynManagement DDF - href: alljoynmanagement-ddf.md - - name: APPLICATION - href: application-csp.md - - name: ApplicationControl - href: applicationcontrol-csp.md - items: - - name: ApplicationControl DDF file - href: applicationcontrol-csp-ddf.md - - name: AppLocker - href: applocker-csp.md - items: - - name: AppLocker DDF file - href: applocker-ddf-file.md - - name: AppLocker XSD - href: applocker-xsd.md - - name: AssignedAccess - href: assignedaccess-csp.md - items: - - name: AssignedAccess DDF file - href: assignedaccess-ddf.md - - name: BitLocker - href: bitlocker-csp.md - items: - - name: BitLocker DDF file - href: bitlocker-ddf-file.md - - name: CellularSettings - href: cellularsettings-csp.md - - name: CertificateStore - href: certificatestore-csp.md - items: - - name: CertificateStore DDF file - href: certificatestore-ddf-file.md - - name: CleanPC - href: cleanpc-csp.md - items: - - name: CleanPC DDF - href: cleanpc-ddf.md - - name: ClientCertificateInstall - href: clientcertificateinstall-csp.md - items: - - name: ClientCertificateInstall DDF file - href: clientcertificateinstall-ddf-file.md - - name: CM_CellularEntries - href: cm-cellularentries-csp.md - - name: CMPolicy - href: cmpolicy-csp.md - - name: CMPolicyEnterprise - href: cmpolicyenterprise-csp.md - items: - - name: CMPolicyEnterprise DDF file - href: cmpolicyenterprise-ddf-file.md - - name: CustomDeviceUI - href: customdeviceui-csp.md - items: - - name: CustomDeviceUI DDF file - href: customdeviceui-ddf.md - - name: Defender - href: defender-csp.md - items: - - name: Defender DDF file - href: defender-ddf.md - - name: DevDetail - href: devdetail-csp.md - items: - - name: DevDetail DDF file - href: devdetail-ddf-file.md - - name: DeveloperSetup - href: developersetup-csp.md - items: - - name: DeveloperSetup DDF - href: developersetup-ddf.md - - name: DeviceLock - href: devicelock-csp.md - items: - - name: DeviceLock DDF file - href: devicelock-ddf-file.md - - name: DeviceManageability - href: devicemanageability-csp.md - items: - - name: DeviceManageability DDF - href: devicemanageability-ddf.md - - name: DeviceStatus - href: devicestatus-csp.md - items: - - name: DeviceStatus DDF - href: devicestatus-ddf.md - - name: DevInfo - href: devinfo-csp.md - items: - - name: DevInfo DDF file - href: devinfo-ddf-file.md - - name: DiagnosticLog - href: diagnosticlog-csp.md - items: - - name: DiagnosticLog DDF file - href: diagnosticlog-ddf.md - - name: DMAcc - href: dmacc-csp.md - items: - - name: DMAcc DDF file - href: dmacc-ddf-file.md - - name: DMClient - href: dmclient-csp.md - items: - - name: DMClient DDF file - href: dmclient-ddf-file.md - - name: DMSessionActions - href: dmsessionactions-csp.md - items: - - name: DMSessionActions DDF file - href: dmsessionactions-ddf.md - - name: DynamicManagement - href: dynamicmanagement-csp.md - items: - - name: DynamicManagement DDF file - href: dynamicmanagement-ddf.md - - name: EMAIL2 - href: email2-csp.md - items: - - name: EMAIL2 DDF file - href: email2-ddf-file.md - - name: EnrollmentStatusTracking - href: enrollmentstatustracking-csp.md - items: - - name: EnrollmentStatusTracking DDF file - href: enrollmentstatustracking-csp-ddf.md - - name: EnterpriseAPN - href: enterpriseapn-csp.md - items: - - name: EnterpriseAPN DDF - href: enterpriseapn-ddf.md - - name: EnterpriseAppVManagement - href: enterpriseappvmanagement-csp.md - items: - - name: EnterpriseAppVManagement DDF file - href: enterpriseappvmanagement-ddf.md - - name: EnterpriseDataProtection - href: enterprisedataprotection-csp.md - items: - - name: EnterpriseDataProtection DDF file - href: enterprisedataprotection-ddf-file.md - - name: EnterpriseDesktopAppManagement - href: enterprisedesktopappmanagement-csp.md - items: - - name: EnterpriseDesktopAppManagement DDF - href: enterprisedesktopappmanagement-ddf-file.md - - name: EnterpriseDesktopAppManagement XSD - href: enterprisedesktopappmanagement2-xsd.md - - name: EnterpriseModernAppManagement - href: enterprisemodernappmanagement-csp.md - items: - - name: EnterpriseModernAppManagement DDF - href: enterprisemodernappmanagement-ddf.md - - name: EnterpriseModernAppManagement XSD - href: enterprisemodernappmanagement-xsd.md - - name: eUICCs - href: euiccs-csp.md - items: - - name: eUICCs DDF file - href: euiccs-ddf-file.md - - name: Firewall - href: firewall-csp.md - items: - - name: Firewall DDF file - href: firewall-ddf-file.md - - name: HealthAttestation - href: healthattestation-csp.md - items: - - name: HealthAttestation DDF - href: healthattestation-ddf.md - - name: Local Administrator Password Solution - href: laps-csp.md - items: - - name: Local Administrator Password Solution DDF - href: laps-ddf-file.md - - name: MultiSIM - href: multisim-csp.md - items: - - name: MultiSIM DDF file - href: multisim-ddf.md - - name: NAP - href: nap-csp.md - - name: NAPDEF - href: napdef-csp.md - - name: NetworkProxy - href: networkproxy-csp.md - items: - - name: NetworkProxy DDF file - href: networkproxy-ddf.md - - name: NetworkQoSPolicy - href: networkqospolicy-csp.md - items: - - name: NetworkQoSPolicy DDF file - href: networkqospolicy-ddf.md - - name: NodeCache - href: nodecache-csp.md - items: - - name: NodeCache DDF file - href: nodecache-ddf-file.md - - name: Office - href: office-csp.md - items: - - name: Office DDF - href: office-ddf.md - - name: PassportForWork - href: passportforwork-csp.md - items: - - name: PassportForWork DDF file - href: passportforwork-ddf.md - - name: PersonalDataEncryption - href: personaldataencryption-csp.md - items: - - name: PersonalDataEncryption DDF file - href: personaldataencryption-ddf-file.md - - name: Personalization - href: personalization-csp.md - items: - - name: Personalization DDF file - href: personalization-ddf.md - - name: Provisioning - href: provisioning-csp.md - - name: PXLOGICAL - href: pxlogical-csp.md - - name: Reboot - href: reboot-csp.md - items: - - name: Reboot DDF file - href: reboot-ddf-file.md - - name: RemoteFind - href: remotefind-csp.md - items: - - name: RemoteFind DDF file - href: remotefind-ddf-file.md - - name: RemoteWipe - href: remotewipe-csp.md - items: - - name: RemoteWipe DDF file - href: remotewipe-ddf-file.md - - name: Reporting - href: reporting-csp.md - items: - - name: Reporting DDF file - href: reporting-ddf-file.md - - name: RootCATrustedCertificates - href: rootcacertificates-csp.md - items: - - name: RootCATrustedCertificates DDF file - href: rootcacertificates-ddf-file.md - - name: SecureAssessment - href: secureassessment-csp.md - items: - - name: SecureAssessment DDF file - href: secureassessment-ddf-file.md - - name: SecurityPolicy - href: securitypolicy-csp.md - - name: SharedPC - href: sharedpc-csp.md - items: - - name: SharedPC DDF file - href: sharedpc-ddf-file.md - - name: Storage - href: storage-csp.md - items: - - name: Storage DDF file - href: storage-ddf-file.md - - name: SUPL - href: supl-csp.md - items: - - name: SUPL DDF file - href: supl-ddf-file.md - - name: SurfaceHub - href: surfacehub-csp.md - items: - - name: SurfaceHub DDF file - href: surfacehub-ddf-file.md - - name: TenantLockdown - href: tenantlockdown-csp.md - items: - - name: TenantLockdown DDF file - href: tenantlockdown-ddf.md - - name: TPMPolicy - href: tpmpolicy-csp.md - items: - - name: TPMPolicy DDF file - href: tpmpolicy-ddf-file.md - - name: UEFI - href: uefi-csp.md - items: - - name: UEFI DDF file - href: uefi-ddf.md - - name: UnifiedWriteFilter - href: unifiedwritefilter-csp.md - items: - - name: UnifiedWriteFilter DDF file - href: unifiedwritefilter-ddf.md - - name: UniversalPrint - href: universalprint-csp.md - items: - - name: UniversalPrint DDF file - href: universalprint-ddf-file.md - - name: Update - href: update-csp.md - items: - - name: Update DDF file - href: update-ddf-file.md - - name: VPN - href: vpn-csp.md - items: - - name: VPN DDF file - href: vpn-ddf-file.md - - name: VPNv2 - href: vpnv2-csp.md - items: - - name: VPNv2 DDF file - href: vpnv2-ddf-file.md - - name: ProfileXML XSD - href: vpnv2-profile-xsd.md - - name: EAP configuration - href: eap-configuration.md - - name: w4 APPLICATION - href: w4-application-csp.md - - name: w7 APPLICATION - href: w7-application-csp.md - - name: WiFi - href: wifi-csp.md - items: - - name: WiFi DDF file - href: wifi-ddf-file.md - - name: Win32AppInventory - href: win32appinventory-csp.md - items: - - name: Win32AppInventory DDF file - href: win32appinventory-ddf-file.md - - name: Win32CompatibilityAppraiser - href: win32compatibilityappraiser-csp.md - items: - - name: Win32CompatibilityAppraiser DDF file - href: win32compatibilityappraiser-ddf.md - - name: WindowsAdvancedThreatProtection - href: windowsadvancedthreatprotection-csp.md - items: - - name: WindowsAdvancedThreatProtection DDF file - href: windowsadvancedthreatprotection-ddf.md - - name: WindowsAutopilot - href: windowsautopilot-csp.md - items: - - name: WindowsAutopilot DDF file - href: windowsautopilot-ddf-file.md - - name: WindowsDefenderApplicationGuard - href: windowsdefenderapplicationguard-csp.md - items: - - name: WindowsDefenderApplicationGuard DDF file - href: windowsdefenderapplicationguard-ddf-file.md - - name: WindowsLicensing - href: windowslicensing-csp.md - items: - - name: WindowsLicensing DDF file - href: windowslicensing-ddf-file.md - - name: WiredNetwork - href: wirednetwork-csp.md - items: - - name: WiredNetwork DDF file - href: wirednetwork-ddf-file.md + - name: ActiveSync DDF file + href: activesync-ddf-file.md + - name: AllJoynManagement + href: alljoynmanagement-csp.md + items: + - name: AllJoynManagement DDF + href: alljoynmanagement-ddf.md + - name: APPLICATION + href: application-csp.md + - name: ApplicationControl + href: applicationcontrol-csp.md + items: + - name: ApplicationControl DDF file + href: applicationcontrol-csp-ddf.md + - name: AppLocker + href: applocker-csp.md + items: + - name: AppLocker DDF file + href: applocker-ddf-file.md + - name: AppLocker XSD + href: applocker-xsd.md + - name: AssignedAccess + href: assignedaccess-csp.md + items: + - name: AssignedAccess DDF file + href: assignedaccess-ddf.md + - name: BitLocker + href: bitlocker-csp.md + items: + - name: BitLocker DDF file + href: bitlocker-ddf-file.md + - name: CellularSettings + href: cellularsettings-csp.md + - name: CertificateStore + href: certificatestore-csp.md + items: + - name: CertificateStore DDF file + href: certificatestore-ddf-file.md + - name: CleanPC + href: cleanpc-csp.md + items: + - name: CleanPC DDF + href: cleanpc-ddf.md + - name: ClientCertificateInstall + href: clientcertificateinstall-csp.md + items: + - name: ClientCertificateInstall DDF file + href: clientcertificateinstall-ddf-file.md + - name: CM_CellularEntries + href: cm-cellularentries-csp.md + - name: CMPolicy + href: cmpolicy-csp.md + - name: CMPolicyEnterprise + href: cmpolicyenterprise-csp.md + items: + - name: CMPolicyEnterprise DDF file + href: cmpolicyenterprise-ddf-file.md + - name: CustomDeviceUI + href: customdeviceui-csp.md + items: + - name: CustomDeviceUI DDF file + href: customdeviceui-ddf.md + - name: Defender + href: defender-csp.md + items: + - name: Defender DDF file + href: defender-ddf.md + - name: DevDetail + href: devdetail-csp.md + items: + - name: DevDetail DDF file + href: devdetail-ddf-file.md + - name: DeveloperSetup + href: developersetup-csp.md + items: + - name: DeveloperSetup DDF + href: developersetup-ddf.md + - name: DeviceLock + href: devicelock-csp.md + items: + - name: DeviceLock DDF file + href: devicelock-ddf-file.md + - name: DeviceManageability + href: devicemanageability-csp.md + items: + - name: DeviceManageability DDF + href: devicemanageability-ddf.md + - name: DeviceStatus + href: devicestatus-csp.md + items: + - name: DeviceStatus DDF + href: devicestatus-ddf.md + - name: DevInfo + href: devinfo-csp.md + items: + - name: DevInfo DDF file + href: devinfo-ddf-file.md + - name: DiagnosticLog + href: diagnosticlog-csp.md + items: + - name: DiagnosticLog DDF file + href: diagnosticlog-ddf.md + - name: DMAcc + href: dmacc-csp.md + items: + - name: DMAcc DDF file + href: dmacc-ddf-file.md + - name: DMClient + href: dmclient-csp.md + items: + - name: DMClient DDF file + href: dmclient-ddf-file.md + - name: DMSessionActions + href: dmsessionactions-csp.md + items: + - name: DMSessionActions DDF file + href: dmsessionactions-ddf.md + - name: DynamicManagement + href: dynamicmanagement-csp.md + items: + - name: DynamicManagement DDF file + href: dynamicmanagement-ddf.md + - name: EMAIL2 + href: email2-csp.md + items: + - name: EMAIL2 DDF file + href: email2-ddf-file.md + - name: EnrollmentStatusTracking + href: enrollmentstatustracking-csp.md + items: + - name: EnrollmentStatusTracking DDF file + href: enrollmentstatustracking-csp-ddf.md + - name: EnterpriseAPN + href: enterpriseapn-csp.md + items: + - name: EnterpriseAPN DDF + href: enterpriseapn-ddf.md + - name: EnterpriseAppVManagement + href: enterpriseappvmanagement-csp.md + items: + - name: EnterpriseAppVManagement DDF file + href: enterpriseappvmanagement-ddf.md + - name: EnterpriseDataProtection + href: enterprisedataprotection-csp.md + items: + - name: EnterpriseDataProtection DDF file + href: enterprisedataprotection-ddf-file.md + - name: EnterpriseDesktopAppManagement + href: enterprisedesktopappmanagement-csp.md + items: + - name: EnterpriseDesktopAppManagement DDF + href: enterprisedesktopappmanagement-ddf-file.md + - name: EnterpriseDesktopAppManagement XSD + href: enterprisedesktopappmanagement2-xsd.md + - name: EnterpriseModernAppManagement + href: enterprisemodernappmanagement-csp.md + items: + - name: EnterpriseModernAppManagement DDF + href: enterprisemodernappmanagement-ddf.md + - name: EnterpriseModernAppManagement XSD + href: enterprisemodernappmanagement-xsd.md + - name: eUICCs + href: euiccs-csp.md + items: + - name: eUICCs DDF file + href: euiccs-ddf-file.md + - name: Firewall + href: firewall-csp.md + items: + - name: Firewall DDF file + href: firewall-ddf-file.md + - name: HealthAttestation + href: healthattestation-csp.md + items: + - name: HealthAttestation DDF + href: healthattestation-ddf.md + - name: Local Administrator Password Solution + href: laps-csp.md + items: + - name: Local Administrator Password Solution DDF + href: laps-ddf-file.md + - name: MultiSIM + href: multisim-csp.md + items: + - name: MultiSIM DDF file + href: multisim-ddf.md + - name: NAP + href: nap-csp.md + - name: NAPDEF + href: napdef-csp.md + - name: NetworkProxy + href: networkproxy-csp.md + items: + - name: NetworkProxy DDF file + href: networkproxy-ddf.md + - name: NetworkQoSPolicy + href: networkqospolicy-csp.md + items: + - name: NetworkQoSPolicy DDF file + href: networkqospolicy-ddf.md + - name: NodeCache + href: nodecache-csp.md + items: + - name: NodeCache DDF file + href: nodecache-ddf-file.md + - name: Office + href: office-csp.md + items: + - name: Office DDF + href: office-ddf.md + - name: PassportForWork + href: passportforwork-csp.md + items: + - name: PassportForWork DDF file + href: passportforwork-ddf.md + - name: PersonalDataEncryption + href: personaldataencryption-csp.md + items: + - name: PersonalDataEncryption DDF file + href: personaldataencryption-ddf-file.md + - name: Personalization + href: personalization-csp.md + items: + - name: Personalization DDF file + href: personalization-ddf.md + - name: Provisioning + href: provisioning-csp.md + - name: PXLOGICAL + href: pxlogical-csp.md + - name: Reboot + href: reboot-csp.md + items: + - name: Reboot DDF file + href: reboot-ddf-file.md + - name: RemoteFind + href: remotefind-csp.md + items: + - name: RemoteFind DDF file + href: remotefind-ddf-file.md + - name: RemoteWipe + href: remotewipe-csp.md + items: + - name: RemoteWipe DDF file + href: remotewipe-ddf-file.md + - name: Reporting + href: reporting-csp.md + items: + - name: Reporting DDF file + href: reporting-ddf-file.md + - name: RootCATrustedCertificates + href: rootcacertificates-csp.md + items: + - name: RootCATrustedCertificates DDF file + href: rootcacertificates-ddf-file.md + - name: SecureAssessment + href: secureassessment-csp.md + items: + - name: SecureAssessment DDF file + href: secureassessment-ddf-file.md + - name: SecurityPolicy + href: securitypolicy-csp.md + - name: SharedPC + href: sharedpc-csp.md + items: + - name: SharedPC DDF file + href: sharedpc-ddf-file.md + - name: Storage + href: storage-csp.md + items: + - name: Storage DDF file + href: storage-ddf-file.md + - name: SUPL + href: supl-csp.md + items: + - name: SUPL DDF file + href: supl-ddf-file.md + - name: SurfaceHub + href: surfacehub-csp.md + items: + - name: SurfaceHub DDF file + href: surfacehub-ddf-file.md + - name: TenantLockdown + href: tenantlockdown-csp.md + items: + - name: TenantLockdown DDF file + href: tenantlockdown-ddf.md + - name: TPMPolicy + href: tpmpolicy-csp.md + items: + - name: TPMPolicy DDF file + href: tpmpolicy-ddf-file.md + - name: UEFI + href: uefi-csp.md + items: + - name: UEFI DDF file + href: uefi-ddf.md + - name: UnifiedWriteFilter + href: unifiedwritefilter-csp.md + items: + - name: UnifiedWriteFilter DDF file + href: unifiedwritefilter-ddf.md + - name: UniversalPrint + href: universalprint-csp.md + items: + - name: UniversalPrint DDF file + href: universalprint-ddf-file.md + - name: Update + href: update-csp.md + items: + - name: Update DDF file + href: update-ddf-file.md + - name: VPN + href: vpn-csp.md + items: + - name: VPN DDF file + href: vpn-ddf-file.md + - name: VPNv2 + href: vpnv2-csp.md + items: + - name: VPNv2 DDF file + href: vpnv2-ddf-file.md + - name: ProfileXML XSD + href: vpnv2-profile-xsd.md + - name: EAP configuration + href: eap-configuration.md + - name: w4 APPLICATION + href: w4-application-csp.md + - name: w7 APPLICATION + href: w7-application-csp.md + - name: WiFi + href: wifi-csp.md + items: + - name: WiFi DDF file + href: wifi-ddf-file.md + - name: Win32AppInventory + href: win32appinventory-csp.md + items: + - name: Win32AppInventory DDF file + href: win32appinventory-ddf-file.md + - name: Win32CompatibilityAppraiser + href: win32compatibilityappraiser-csp.md + items: + - name: Win32CompatibilityAppraiser DDF file + href: win32compatibilityappraiser-ddf.md + - name: WindowsAdvancedThreatProtection + href: windowsadvancedthreatprotection-csp.md + items: + - name: WindowsAdvancedThreatProtection DDF file + href: windowsadvancedthreatprotection-ddf.md + - name: WindowsAutopilot + href: windowsautopilot-csp.md + items: + - name: WindowsAutopilot DDF file + href: windowsautopilot-ddf-file.md + - name: WindowsDefenderApplicationGuard + href: windowsdefenderapplicationguard-csp.md + items: + - name: WindowsDefenderApplicationGuard DDF file + href: windowsdefenderapplicationguard-ddf-file.md + - name: WindowsLicensing + href: windowslicensing-csp.md + items: + - name: WindowsLicensing DDF file + href: windowslicensing-ddf-file.md + - name: WiredNetwork + href: wirednetwork-csp.md + items: + - name: WiredNetwork DDF file + href: wirednetwork-ddf-file.md diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml index be1a9d7a92..fe0ebfbafc 100644 --- a/windows/configuration/index.yml +++ b/windows/configuration/index.yml @@ -6,12 +6,9 @@ summary: Find out how to apply custom configurations to Windows 10 and Windows 1 metadata: title: Configure Windows client # Required; page title displayed in search results. Include the brand. < 60 chars. description: Find out how to apply custom configurations to Windows client devices. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice ms.topic: landing-page # Required + ms.prod: windows-client ms.collection: - - windows-10 - highpri author: aczechowski ms.author: aaroncz diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index a732f8301a..85b109b135 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -221,7 +221,11 @@ - name: UCClientUpdateStatus href: update/wufb-reports-schema-ucclientupdatestatus.md - name: UCDeviceAlert - href: update/wufb-reports-schema-ucdevicealert.md + href: update/wufb-reports-schema-ucdevicealert.md + - name: UCDOAggregatedStatus + href: update/wufb-reports-schema-ucdoaggregatedstatus.md + - name: UCDOStatus + href: update/wufb-reports-schema-ucdostatus.md - name: UCServiceUpdateStatus href: update/wufb-reports-schema-ucserviceupdatestatus.md - name: UCUpdateAlert diff --git a/windows/deployment/Windows-AutoPilot-EULA-note.md b/windows/deployment/Windows-AutoPilot-EULA-note.md index bdcc134152..674bd00551 100644 --- a/windows/deployment/Windows-AutoPilot-EULA-note.md +++ b/windows/deployment/Windows-AutoPilot-EULA-note.md @@ -3,7 +3,7 @@ title: Windows Autopilot EULA dismissal – important information description: A notice about EULA dismissal through Windows Autopilot ms.prod: windows-client ms.localizationpriority: medium -ms.date: 10/31/2022 +ms.date: 11/23/2022 author: frankroj ms.author: frankroj manager: aaroncz @@ -13,8 +13,8 @@ ms.technology: itpro-deploy --- # Windows Autopilot EULA dismissal – important information ->[!IMPORTANT] ->The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience). +> [!IMPORTANT] +> The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience). Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen. diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md index ac883e80a0..1d67fee4df 100644 --- a/windows/deployment/add-store-apps-to-image.md +++ b/windows/deployment/add-store-apps-to-image.md @@ -9,72 +9,83 @@ ms.reviewer: manager: aaroncz ms.topic: article ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # Add Microsoft Store for Business applications to a Windows 10 image -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 This article describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. Adding Microsoft Store for Business applications to a Windows 10 image will enable you to deploy Windows 10 with pre-installed Microsoft Store for Business apps. ->[!IMPORTANT] ->In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment. +> [!IMPORTANT] +> In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment. ## Prerequisites -* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images. +- [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images. -* Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app). -* A Windows Image. For instructions on image creation, see [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md). +- Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app). +- A Windows Image. For instructions on image creation, see [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md). ->[!NOTE] +> [!NOTE] > If you'd like to add an internal LOB Microsoft Store application, please follow the instructions on **[Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10)**. ## Adding a Store application to your image On a machine where your image file is accessible: + 1. Open Windows PowerShell with administrator privileges. -2. Mount the image. At the Windows PowerShell prompt, type: + +2. Mount the image. At the Windows PowerShell prompt, enter: `Mount-WindowsImage -ImagePath c:\images\myimage.wim -Index 1 -Path C:\test` -3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, type: + +3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, enter: `Add-AppxProvisionedPackage -Path C:\test -PackagePath C:\downloads\appxpackage -LicensePath C:\downloads\appxpackage\license.xml` ->[!NOTE] ->Paths and file names are examples. Use your paths and file names where appropriate. +> [!NOTE] +> Paths and file names are examples. Use your paths and file names where appropriate. > ->Do not dismount the image, as you will return to it later. +> Do not dismount the image, as you will return to it later. ## Editing the Start Layout In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment. On a test machine: + 1. **Install the Microsoft Store for Business application you previously added** to your image. + 2. **Pin these apps to the Start screen**, by typing the name of the app, right-clicking and selecting **Pin to Start**. + 3. Open Windows PowerShell with administrator privileges. + 4. Use `Export-StartLayout -path .xml` where *\\* is the path and name of the xml file your will later import into your Windows Image. + 5. Copy the XML file you created to a location accessible by the machine you previously used to add Store applications to your image. Now, on the machine where your image file is accessible: -1. Import the Start layout. At the Windows PowerShell prompt, type: + +1. Import the Start layout. At the Windows PowerShell prompt, enter: `Import-StartLayout -LayoutPath ".xml" -MountPath "C:\test\"` -2. Save changes and dismount the image. At the Windows PowerShell prompt, type: + +2. Save changes and dismount the image. At the Windows PowerShell prompt, enter: `Dismount-WindowsImage -Path c:\test -Save` ->[!NOTE] ->Paths and file names are examples. Use your paths and file names where appropriate. +> [!NOTE] +> Paths and file names are examples. Use your paths and file names where appropriate. > ->For more information on Start customization, see [Windows 10 Start Layout Customization](/archive/blogs/deploymentguys/windows-10-start-layout-customization) +> For more information on Start customization, see [Windows 10 Start Layout Customization](/archive/blogs/deploymentguys/windows-10-start-layout-customization) ## Related articles -* [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) -* [Export-StartLayout](/powershell/module/startlayout/export-startlayout) -* [Import-StartLayout](/powershell/module/startlayout/import-startlayout) -* [Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10) -* [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) -* [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) -* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) + +- [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) +- [Export-StartLayout](/powershell/module/startlayout/export-startlayout) +- [Import-StartLayout](/powershell/module/startlayout/import-startlayout) +- [Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10) +- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) +- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) +- [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md index 0ee1248e7e..3dbdf7eef2 100644 --- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md @@ -8,15 +8,15 @@ manager: aaroncz ms.author: frankroj ms.topic: article ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # Configure a PXE server to load Windows PE -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 This walkthrough describes how to configure a PXE server to load Windows PE by booting a client computer from the network. Using the Windows PE tools and a Windows 10 image file, you can install Windows 10 from the network. @@ -37,107 +37,122 @@ All four of the roles specified above can be hosted on the same computer or each 3. Run the following command to copy the base Windows PE files into a new folder. The script requires two arguments: hardware architecture and destination location. The value of **<architecture>** can be **x86**, **amd64**, or **arm** and **<destination>** is a path to a local directory. If the directory doesn't already exist, it will be created. - ``` + ```cmd copype.cmd ``` For example, the following command copies **amd64** architecture files to the **C:\winpe_amd64** directory: - ``` + ```cmd copype.cmd amd64 C:\winpe_amd64 ``` The script creates the destination directory structure and copies all the necessary files for that architecture. In the previous example, the following directories are created: - - ``` + + ```cmd C:\winpe_amd64 C:\winpe_amd64\fwfiles C:\winpe_amd64\media C:\winpe_amd64\mount ``` + 4. Mount the base Windows PE image (winpe.wim) to the \mount directory using the DISM tool. Mounting an image file unpacks the file contents into a folder so that you can make changes directly or by using tools such as DISM. See the following example. + ```cmd + dism.exe /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount ``` - Dism /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount - ``` - Verify that "The operation completed successfully" is displayed. Note: To view currently mounted images, type **dism /get-MountedWiminfo**. + + Verify that the message **The operation completed successfully** is displayed. + + > [!NOTE] + > To view currently mounted images, enter **`dism.exe /get-MountedWiminfo`**. 5. Map a network share to the root TFTP directory on the PXE/TFTP server and create a \Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, then enable sharing for this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of **\\\PXE-1\TFTPRoot**: - ``` - net use y: \\PXE-1\TFTPRoot + ```cmd + net.exe use y: \\PXE-1\TFTPRoot y: md Boot ``` + 6. Copy the PXE boot files from the mounted directory to the \boot folder. For example: - ``` + ```cmd copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\Boot ``` -7. Copy the boot.sdi file to the PXE/TFTP server. - ``` +7. Copy the boot.sdi file to the PXE/TFTP server. + + ```cmd copy C:\winpe_amd64\media\boot\boot.sdi y:\Boot ``` -8. Copy the bootable Windows PE image (boot.wim) to the \boot folder. - ``` +8. Copy the bootable Windows PE image (boot.wim) to the \boot folder. + + ```cmd copy C:\winpe_amd64\media\sources\boot.wim y:\Boot ``` -9. (Optional) Copy true type fonts to the \boot folder - ``` +9. (Optional) Copy TrueType fonts to the \boot folder + + ```cmd copy C:\winpe_amd64\media\Boot\Fonts y:\Boot\Fonts ``` ## Step 2: Configure boot settings and copy the BCD file -1. Create a BCD store using bcdedit.exe: +1. Create a BCD store using bcdedit.exe: + ```cmd + bcdedit.exe /createstore c:\BCD ``` - bcdedit /createstore c:\BCD - ``` -2. Configure RAMDISK settings: +2. Configure RAMDISK settings: + + ```cmd + bcdedit.exe /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options" + bcdedit.exe /store c:\BCD /set {ramdiskoptions} ramdisksdidevice boot + bcdedit.exe /store c:\BCD /set {ramdiskoptions} ramdisksdipath \Boot\boot.sdi + bcdedit.exe /store c:\BCD /create /d "winpe boot image" /application osloader ``` - bcdedit /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options" - bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice boot - bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \Boot\boot.sdi - bcdedit /store c:\BCD /create /d "winpe boot image" /application osloader - ``` + The last command will return a GUID, for example: - ``` + + ```console The entry {a4f89c62-2142-11e6-80b6-00155da04110} was successfully created. ``` + Copy this GUID for use in the next set of commands. In each command shown, replace "GUID1" with your GUID. -3. Create a new boot application entry for the Windows PE image: +3. Create a new boot application entry for the Windows PE image: + ```cmd + bcdedit.exe /store c:\BCD /set {GUID1} device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} + bcdedit.exe /store c:\BCD /set {GUID1} path \windows\system32\winload.exe + bcdedit.exe /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} + bcdedit.exe /store c:\BCD /set {GUID1} systemroot \windows + bcdedit.exe /store c:\BCD /set {GUID1} detecthal Yes + bcdedit.exe /store c:\BCD /set {GUID1} winpe Yes ``` - bcdedit /store c:\BCD /set {GUID1} device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} - bcdedit /store c:\BCD /set {GUID1} path \windows\system32\winload.exe - bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} - bcdedit /store c:\BCD /set {GUID1} systemroot \windows - bcdedit /store c:\BCD /set {GUID1} detecthal Yes - bcdedit /store c:\BCD /set {GUID1} winpe Yes - ``` -4. Configure BOOTMGR settings (remember to replace GUID1 in the third command with your GUID): - ``` - bcdedit /store c:\BCD /create {bootmgr} /d "boot manager" - bcdedit /store c:\BCD /set {bootmgr} timeout 30 - bcdedit /store c:\BCD -displayorder {GUID1} -addlast - ``` -5. Copy the BCD file to your TFTP server: +4. Configure BOOTMGR settings (remember to replace GUID1 in the third command with your GUID): + ```cmd + bcdedit.exe /store c:\BCD /create {bootmgr} /d "boot manager" + bcdedit.exe /store c:\BCD /set {bootmgr} timeout 30 + bcdedit.exe /store c:\BCD -displayorder {GUID1} -addlast ``` + +5. Copy the BCD file to your TFTP server: + + ```cmd copy c:\BCD \\PXE-1\TFTPRoot\Boot\BCD ``` -Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit /store <BCD file location> /enum all. See the following example. Note: Your GUID will be different than the one shown below. +Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit.exe /store <BCD file location> /enum all. See the following example. Note: Your GUID will be different than the one shown below. -``` -C:\>bcdedit /store C:\BCD /enum all +```cmd +C:\>bcdedit.exe /store C:\BCD /enum all Windows Boot Manager -------------------- identifier {bootmgr} @@ -163,25 +178,46 @@ ramdisksdidevice boot ramdisksdipath \Boot\boot.sdi ``` ->[!TIP] ->If you start the PXE boot process, but receive the error that "The boot configuration data for your PC is missing or contains errors" then verify that \\boot directory is installed under the correct TFTP server root directory. In the example used here the name of this directory is TFTPRoot, but your TFTP server might be different. +> [!TIP] +> If you start the PXE boot process, but receive the error **The boot configuration data for your PC is missing or contains error**, then verify that `\boot` directory is installed under the correct TFTP server root directory. In the example used here the name of this directory is TFTPRoot, but your TFTP server might be different. ## PXE boot process summary The following process summarizes the PXE client boot. ->The following assumes that you have configured DHCP option 67 (Bootfile Name) to "boot\PXEboot.n12" which enables direct boot to PXE with no user interaction. For more information about DHCP options for network boot, see [Managing Network Boot Programs](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732351(v=ws.10)). + + +> [!NOTE] +> The following assumes that the client and PXE server are on the same network/subnet/vlan or that PXE requests have been appropriately forwarded from the client to the PXE server using IP helpers configured in the router or switch. For more information about IP helpers, see [Configuring Your Router to Forward Broadcasts](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732351(v=ws.10)#configuring-your-router-to-forward-broadcasts-recommended). + +1. A client contacts the PXE server. When the client is on a different network/subnet/vlan as the PXE server, the client is routed to the PXE server using the IP helpers. + +2. The PXE server sends DHCP options 060 (client identifier **PXEClient**), 066 (boot server host name) and 067 (boot file name) to the client. + +3. The client downloads `boot\PXEboot.n12` from the TFTP server based on DHCP option 067 boot file name value received from the PXE server. + +4. `PXEboot.n12` immediately begins a network boot. + +5. The client downloads `boot\bootmgr.exe` and the `boot\BCD` file from the TFTP server. + + > [!NOTE] + > The BCD store must reside in the `\boot` directory on the TFTP server and must be named BCD. + +6. `Bootmgr.exe` reads the BCD operating system entries and downloads `boot\boot.sdi` and the Windows PE image (`boot\boot.wim`). Optional files that can also be downloaded include TrueType fonts (`boot\Fonts\wgl4_boot.ttf`) and the hibernation state file (`\hiberfil.sys`) if these files are present. + +7. `Bootmgr.exe` starts Windows PE by calling `winload.exe` within the Windows PE image. + +8. Windows PE loads, a command prompt opens and `wpeinit.exe` is run to initialize Windows PE. + +9. The Windows PE client provides access to tools like `imagex.exe`, `diskpart.exe`, and `bcdboot.exe` using the Windows PE command prompt. With the help of these tools accompanied by a Windows 10 image file, the destination computer can be formatted properly to load a full Windows 10 operating system. + +### Related articles [Windows PE Walkthroughs](/previous-versions/windows/it-pro/windows-vista/cc748899(v=ws.10)) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index b3dd2899ed..f19a79ea47 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -12,7 +12,7 @@ ms.collection: highpri appliesto: - ✅ Windows 10 - ✅ Windows 11 -ms.date: 10/31/2022 +ms.date: 11/23/2022 --- # Deploy Windows Enterprise licenses @@ -252,7 +252,7 @@ Use the following procedures to review whether a particular device meets these r To determine if the computer has a firmware-embedded activation key, enter the following command at an elevated Windows PowerShell prompt: -```PowerShell +```powershell (Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey ``` diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index f7574e0d11..ace17b1b9f 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -10,15 +10,15 @@ author: frankroj ms.topic: article ms.collection: M365-modern-desktop ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # Deploy Windows 10 with Microsoft 365 -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 This article provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365. @@ -34,38 +34,40 @@ For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor ## Free trial account -**If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center** +### If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services. In the Enterprise Suites section of the service offerings, you'll find Microsoft 365 E3 and Microsoft 365 E5 tiles. There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles. -**If you do not already have a Microsoft services subscription** +### If you do not already have a Microsoft services subscription -You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below. +You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below. ->[!NOTE] ->If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected. +> [!NOTE] +> If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected. 1. [Obtain a free Microsoft 365 trial](/microsoft-365/commerce/try-or-buy-microsoft-365). 2. Check out the [Microsoft 365 deployment advisor](https://aka.ms/microsoft365setupguide). -3. Also check out the [Windows Analytics deployment advisor](/mem/configmgr/desktop-analytics/overview). This advisor will walk you through deploying [Desktop Analytics](/mem/configmgr/desktop-analytics/overview). +3. Also check out the [Windows Analytics deployment advisor](/mem/configmgr/desktop-analytics/overview). This advisor will walk you through deploying [Desktop Analytics](/mem/configmgr/desktop-analytics/overview). Examples of these two deployment advisors are shown below. - [Deploy Windows 10 with Microsoft 365](#deploy-windows-10-with-microsoft-365) - [Free trial account](#free-trial-account) + - [If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center](#if-you-already-have-a-microsoft-services-subscription-account-and-access-to-the-microsoft-365-admin-center) + - [If you do not already have a Microsoft services subscription](#if-you-do-not-already-have-a-microsoft-services-subscription) - [Microsoft 365 deployment advisor example](#microsoft-365-deployment-advisor-example) - [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example) - [Microsoft 365 Enterprise poster](#microsoft-365-enterprise-poster) - [Related articles](#related-articles) ## Microsoft 365 deployment advisor example + ![Microsoft 365 deployment advisor.](images/m365da.png) ## Windows Analytics deployment advisor example - ## Microsoft 365 Enterprise poster [![Microsoft 365 Enterprise poster.](images/m365e.png)](https://aka.ms/m365eposter) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 170984a53f..309fe14ba0 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -9,13 +9,14 @@ author: frankroj ms.topic: article ms.custom: seo-marvel-apr2020 ms.collection: highpri -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # What's new in Windows client deployment -**Applies to:** +*Applies to:* + - Windows 10 - Windows 11 @@ -30,13 +31,14 @@ When you deploy Windows 11 with Autopilot, you can enable users to view addition ## Windows 11 Check out the following new articles about Windows 11: + - [Overview of Windows 11](/windows/whats-new/windows-11) - [Plan for Windows 11](/windows/whats-new/windows-11-plan) - [Prepare for Windows 11](/windows/whats-new/windows-11-prepare) The [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is available.
-## Deployment tools +## Deployment tools [SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later, and Windows 11.
New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
@@ -51,6 +53,7 @@ The [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deploym ## Microsoft 365 Microsoft 365 is a new offering from Microsoft that combines + - Windows 10 - Office 365 - Enterprise Mobility and Security (EMS). @@ -68,6 +71,7 @@ Windows PowerShell cmdlets for Delivery Optimization have been improved: - **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting. Other improvements in [Delivery Optimization](./do/waas-delivery-optimization.md) include: + - Enterprise network [throttling is enhanced](/windows-insider/archive/new-for-business#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. - Automatic cloud-based congestion detection is available for PCs with cloud service support. - Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These policies now support Microsoft 365 Apps for enterprise updates and Intune content. @@ -84,6 +88,7 @@ The following Delivery Optimization policies are removed in the Windows 10, vers ### Windows Update for Business [Windows Update for Business](./update/waas-manage-updates-wufb.md) enhancements in this release include: + - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we've created a new policy that enables admins to opt devices out of the built-in safeguard holds. diff --git a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md index c267cbdf68..80c99d9d57 100644 --- a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md +++ b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md @@ -9,43 +9,49 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Assign applications using roles in MDT This article will show you how to add applications to a role in the MDT database and then assign that role to a computer. For the purposes of this article, the application we're adding is Adobe Reader XI. In addition to using computer-specific entries in the database, you can use roles in MDT to group settings together. -## Create and assign a role entry in the database +## Create and assign a role entry in the database -1. On MDT01, using Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration** and then expand **Database**. -2. In the **Database** node, right-click **Role**, select **New**, and create a role entry with the following settings: - 1. Role name: Standard PC - 2. Applications / Lite Touch Applications: - 3. Install - Adobe Reader XI - x86 +1. On MDT01, using Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration** and then expand **Database**. + +2. In the **Database** node, right-click **Role**, select **New**, and create a role entry with the following settings: + + 1. Role name: Standard PC + 2. Applications / Lite Touch Applications: + 3. Install - Adobe Reader XI - x86 ![figure 12.](../images/mdt-09-fig12.png) Figure 12. The Standard PC role with the application added -## Associate the role with a computer in the database +## Associate the role with a computer in the database After creating the role, you can associate it with one or more computer entries. -1. Using Deployment Workbench, expand **MDT Production**, expand **Advanced Configuration**, expand **Database**, and select **Computers**. -2. In the **Computers** node, double-click the **PC00075** entry, and add the following setting: - - Roles: Standard PC + +1. Using Deployment Workbench, expand **MDT Production**, expand **Advanced Configuration**, expand **Database**, and select **Computers**. + +2. In the **Computers** node, double-click the **PC00075** entry, and add the following setting: + - Roles: Standard PC ![figure 13.](../images/mdt-09-fig13.png) Figure 13. The Standard PC role added to PC00075 (having ID 1 in the database). -## Verify database access in the MDT simulation environment +## Verify database access in the MDT simulation environment When the database is populated, you can use the MDT simulation environment to simulate a deployment. The applications aren't installed, but you can see which applications would be installed if you did a full deployment of the computer. -1. On PC0001, log on as **CONTOSO\\MDT\_BA**. -2. Modify the C:\\MDT\\CustomSettings.ini file to look like below: - ``` +1. On PC0001, log on as **CONTOSO\\MDT\_BA**. + +2. Modify the C:\\MDT\\CustomSettings.ini file to look like below: + + ```ini [Settings] Priority=CSettings, CRoles, RApplications, Default [Default] @@ -108,9 +114,9 @@ When the database is populated, you can use the MDT simulation environment to si Order=Sequence ``` -3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command: +3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command: - ``` powershell + ```powershell Set-Location C:\MDT .\Gather.ps1 @@ -122,10 +128,10 @@ Figure 14. ZTIGather.log displaying the application GUID belonging to the Adobe ## Related articles -[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) -
[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -
[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) -
[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) -
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -
[Use web services in MDT](use-web-services-in-mdt.md) -
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) \ No newline at end of file +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Use web services in MDT](use-web-services-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index 1e3e971ecc..043e8f7ab8 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -10,17 +10,18 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Build a distributed environment for Windows 10 deployment -**Applies to** -- Windows 10 +**Applies to:** + +- Windows 10 Perform the steps in this article to build a distributed environment for Windows 10 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments. -Four computers are used in this article: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we'll deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation. +Four computers are used in this article: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we'll deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation. For the purposes of this article, we assume that MDT02 is prepared with the same network and storage capabilities that were specified for MDT01, except that MDT02 is located on a different subnet than MDT01. For more information on the infrastructure setup for this article, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). @@ -28,7 +29,8 @@ For the purposes of this article, we assume that MDT02 is prepared with the same Computers used in this article. ->HV01 is also used in this topic to host the PC0006 virtual machine. +> [!NOTE] +> HV01 is also used in this topic to host the PC0006 virtual machine. ## Replicate deployment shares @@ -36,7 +38,7 @@ Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be do > [!NOTE] > Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target. - + ### Linked deployment shares in MDT LDS is a built-in feature in MDT for replicating content. However, LDS works best with strong connections such as LAN connections with low latency. For most WAN links, DFS-R is the better option. @@ -55,9 +57,9 @@ On **MDT01**: 1. Install the DFS Replication role on MDT01 by entering the following at an elevated Windows PowerShell prompt: -```powershell -Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools -``` + ```powershell + Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools + ``` 2. Wait for installation to complete, and then verify that the installation was successful. See the following output: @@ -75,9 +77,9 @@ On **MDT02**: 1. Perform the same procedure on MDT02 by entering the following at an elevated Windows PowerShell prompt: -```powershell -Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools -``` + ```powershell + Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools + ``` 2. Wait for installation to complete, and then verify that the installation was successful. See the following output: @@ -95,10 +97,10 @@ On **MDT02**: 1. Create and share the **D:\\MDTProduction** folder using default permissions by entering the following at an elevated command prompt: - ```powershell - mkdir d:\MDTProduction - New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction" - ``` + ```powershell + mkdir d:\MDTProduction + New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction" + ``` 2. You should see the following output: @@ -112,11 +114,11 @@ On **MDT02**: ### Configure the deployment share -When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT that can be done by using the DefaultGateway property. +When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT that can be done by using the **DefaultGateway** property. On **MDT01**: -1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (that is, server) to use. +1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the `Boostrap.ini` file as follows. Under `[DefaultGateway]` enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (that is, server) to use. ```ini [Settings] @@ -138,130 +140,167 @@ On **MDT01**: UserPassword=pass@word1 SkipBDDWelcome=YES ``` - >[!NOTE] - >The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). - -2. Save the Bootstrap.ini file. + + > [!NOTE] + > The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). + +2. Save the `Bootstrap.ini` file. + 3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. Use the default settings for the Update Deployment Share Wizard. This process will take a few minutes. + 4. After the update is complete, use the Windows Deployment Services console on MDT01. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**. + 5. Browse and select the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings. ![figure 5.](../images/mdt-10-fig05.png) Replacing the updated boot image in WDS. - >[!TIP] - >If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console. + > [!TIP] + > If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console. - ## Replicate the content +## Replicate the content - Once the MDT01 and MDT02 servers are prepared, you're ready to configure the actual replication. +Once the MDT01 and MDT02 servers are prepared, you're ready to configure the actual replication. - ### Create the replication group +### Create the replication group -6. On MDT01, using DFS Management (dfsmgmt.msc), right-click **Replication**, and select **New Replication Group**. -7. On the **Replication Group Type** page, select **Multipurpose replication group**, and select **Next**. -8. On the **Name and Domain** page, assign the **MDTProduction** name, and select **Next**. -9. On the **Replication Group Members** page, select **Add**, add **MDT01** and **MDT02**, and then select **Next**. +1. On MDT01, using DFS Management (dfsmgmt.msc), right-click **Replication**, and select **New Replication Group**. + +2. On the **Replication Group Type** page, select **Multipurpose replication group**, and select **Next**. + +3. On the **Name and Domain** page, assign the **MDTProduction** name, and select **Next**. + +4. On the **Replication Group Members** page, select **Add**, add **MDT01** and **MDT02**, and then select **Next**. ![figure 6.](../images/mdt-10-fig06.png) Adding the Replication Group Members. -10. On the **Topology Selection** page, select the **Full mesh** option and select **Next**. -11. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and select **Next**. -12. On the **Primary Member** page, select **MDT01** and select **Next**. -13. On the **Folders to Replicate** page, select **Add**, enter **D:\\MDTProduction** as the folder to replicate, select **OK**, and then select **Next**. -14. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and select **Edit**. -15. On the **Edit** page, select the **Enabled** option, type in **D:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, select **OK**, and then select **Next**. -16. On the **Review Settings and Create Replication Group** page, select **Create**. -17. On the **Confirmation** page, select **Close**. +5. On the **Topology Selection** page, select the **Full mesh** option and select **Next**. - ### Configure replicated folders +6. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and select **Next**. + +7. On the **Primary Member** page, select **MDT01** and select **Next**. + +8. On the **Folders to Replicate** page, select **Add**, enter **D:\\MDTProduction** as the folder to replicate, select **OK**, and then select **Next**. + +9. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and select **Edit**. + +10. On the **Edit** page, select the **Enabled** option, type in **D:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, select **OK**, and then select **Next**. + +11. On the **Review Settings and Create Replication Group** page, select **Create**. + +12. On the **Confirmation** page, select **Close**. + +### Configure replicated folders + +1. On **MDT01**, using DFS Management, expand **Replication** and then select **MDTProduction**. + +2. In the middle pane, right-click the **MDT01** member and select **Properties**. + +3. On the **MDT01 (MDTProduction) Properties** page, configure the following and then select **OK**: + + 1. In the **Staging** tab, set the quota to **20480 MB**. + + 2. In the **Advanced** tab, set the quota to **8192 MB**. -18. On **MDT01**, using DFS Management, expand **Replication** and then select **MDTProduction**. -19. In the middle pane, right-click the **MDT01** member and select **Properties**. -20. On the **MDT01 (MDTProduction) Properties** page, configure the following and then select **OK**: - 1. In the **Staging** tab, set the quota to **20480 MB**. - 2. In the **Advanced** tab, set the quota to **8192 MB**. In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Below is a Windows PowerShell example that calculates the size of the 16 largest files in the D:\\MDTProduction deployment share: - - ``` powershell + + ```powershell (Get-ChildItem D:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB ``` -21. In the middle pane, right-click the **MDT02** member and select **Properties**. -22. On the **MDT02 (MDTProduction) Properties** page, configure the following and then select **OK**: - 1. In the **Staging** tab, set the quota to **20480 MB**. - 2. In the **Advanced** tab, set the quota to **8192 MB**. +4. In the middle pane, right-click the **MDT02** member and select **Properties**. + +5. On the **MDT02 (MDTProduction) Properties** page, configure the following and then select **OK**: + 1. In the **Staging** tab, set the quota to **20480 MB**. + + 2. In the **Advanced** tab, set the quota to **8192 MB**. > [!NOTE] > It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly. -23. Verify that MDT01 and MDT02 are members of the MDTProduction replication group, with MDT01 being primary as follows using an elevated command prompt: +6. Verify that MDT01 and MDT02 are members of the MDTProduction replication group, with MDT01 being primary as follows using an elevated command prompt: -```cmd -C:\> dfsradmin membership list /rgname:MDTProduction /attr:MemName,IsPrimary -MemName IsPrimary -MDT01 Yes -MDT02 No -``` + ```cmd + C:\> dfsradmin membership list /rgname:MDTProduction /attr:MemName,IsPrimary + MemName IsPrimary + MDT01 Yes + MDT02 No + ``` ### Verify replication On **MDT02**: 1. Wait until you start to see content appear in the **D:\\MDTProduction** folder. + 2. Using DFS Management, expand **Replication**, right-click **MDTProduction**, and select **Create Diagnostics Report**. + 3. In the Diagnostics Report Wizard, on the **Type of Diagnostics Report or Test** page, choose **Health report** and select **Next**. + 4. On the **Path and Name** page, accept the default settings and select **Next**. + 5. On the **Members to Include** page, accept the default settings and select **Next**. + 6. On the **Options** page, accept the default settings and select **Next**. + 7. On the **Review Settings and Create Report** page, select **Create**. + 8. Open the report in Internet Explorer, and if necessary, select the **Allow blocked content** option. -![figure 9.](../images/mdt-10-fig09.png) + ![figure 9.](../images/mdt-10-fig09.png) + The DFS Replication Health Report. -The DFS Replication Health Report. - ->If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**. + > [!NOTE] + > If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**. ## Configure Windows Deployment Services (WDS) in a remote site Like you did in the previous article for MDT01, you need to add the MDT Production Lite Touch x64 Boot image to Windows Deployment Services on MDT02. For the following steps, we assume that WDS has already been installed on MDT02. + 1. On MDT02, using the WDS console, right-click **Boot Images** and select **Add Boot Image**. + 2. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings. ## Deploy a Windows 10 client to the remote site -Now you should have a solution ready for deploying the Windows 10 client to the remote site: Stockholm, using the MDTProduction deployment share replica on MDT02. You can test this deployment with the following optional procedure. +Now you should have a solution ready for deploying the Windows 10 client to the remote site: Stockholm, using the MDTProduction deployment share replica on MDT02. You can test this deployment with the following optional procedure. ->For demonstration purposes, the following procedure uses a virtual machine (PC0006) hosted by the Hyper-V server HV01. To use the remote site server (MDT02) the VM must be assigned a default gateway that matches the one you entered in the Boostrap.ini file. +> [!NOTE] +> For demonstration purposes, the following procedure uses a virtual machine (PC0006) hosted by the Hyper-V server HV01. To use the remote site server (MDT02) the VM must be assigned a default gateway that matches the one you entered in the `Boostrap.ini` file. -1. Create a virtual machine with the following settings: - 1. Name: PC0006 - 2. Location: C:\\VMs - 3. Generation: 2 - 4. Memory: 2048 MB - 5. Hard disk: 60 GB (dynamic disk) +1. Create a virtual machine with the following settings: + + 1. **Name**: PC0006 + 2. **Location**: C:\\VMs + 3. **Generation**: 2 + 4. **Memory**: 2048 MB + 5. **Hard disk**: 60 GB (dynamic disk) 6. Install an operating system from a network-based installation server -2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from the WDS server. -3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings: - 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image - 2. Computer Name: PC0006 - 3. Applications: Select the Install - Adobe Reader -4. Setup will now start and perform the following steps: - 1. Install the Windows 10 Enterprise operating system. - 2. Install applications. - 3. Update the operating system using your local Windows Server Update Services (WSUS) server. + +2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from the WDS server. + +3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings: + + 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image + 2. Computer Name: PC0006 + 3. Applications: Select the Install - Adobe Reader + +4. Setup will now start and perform the following steps: + + 1. Install the Windows 10 Enterprise operating system. + 2. Install applications. + 3. Update the operating system using your local Windows Server Update Services (WSUS) server. ![pc0001.](../images/pc0006.png) ## Related articles -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-settings.md) \ No newline at end of file +- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) +- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) +[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) +- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) +- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) +- [Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md index 6c254caad5..eb84fdcd77 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md @@ -9,23 +9,24 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Configure MDT deployment share rules In this article, you'll learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file. -## Assign settings +## Assign settings When using MDT, you can assign setting in three distinct ways: -- You can pre-stage the information before deployment. -- You can prompt the user or technician for information. -- You can have MDT generate the settings automatically. + +- You can pre-stage the information before deployment. +- You can prompt the user or technician for information. +- You can have MDT generate the settings automatically. In order to illustrate these three options, let's look at some sample configurations. -## Sample configurations +## Sample configurations Before adding the more advanced components like scripts, databases, and web services, consider the commonly used configurations below; they demonstrate the power of the rules engine. @@ -33,7 +34,7 @@ Before adding the more advanced components like scripts, databases, and web serv If you have a small test environment, or simply want to assign settings to a limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. When you have many machines, it makes sense to use the database instead. -``` +```ini [Settings] Priority=MacAddress, Default [Default] @@ -48,7 +49,7 @@ In the preceding sample, you set the PC00075 computer name for a machine with a Another way to assign a computer name is to identify the machine via its serial number. -``` +```ini [Settings] Priority=SerialNumber, Default [Default] @@ -63,7 +64,7 @@ In this sample, you set the PC00075 computer name for a machine with a serial nu You also can configure the rules engine to use a known property, like a serial number, to generate a computer name on the fly. -``` +```ini [Settings] Priority=Default [Default] @@ -72,15 +73,15 @@ OSDComputerName=PC-%SerialNumber% ``` In this sample, you configure the rules to set the computer name to a prefix (PC-) and then the serial number. If the serial number of the machine is CND0370RJ7, the preceding configuration sets the computer name to PC-CND0370RJ7. -**Note** -Be careful when using the serial number to assign computer names. A serial number can contain more than 15 characters, but the Windows setup limits a computer name to 15 characters. - +> [!NOTE] +> Be careful when using the serial number to assign computer names. A serial number can contain more than 15 characters, but the Windows setup limits a computer name to 15 characters. + ### Generate a limited computer name based on a serial number To avoid assigning a computer name longer than 15 characters, you can configure the rules in more detail by adding VBScript functions, as follows: -``` +```ini [Settings] Priority=Default [Default] @@ -94,7 +95,7 @@ In the preceding sample, you still configure the rules to set the computer name In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you're deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType isn't a reserved word; rather, it's the name of the section to read. -``` +```ini [Settings] Priority=ByLaptopType, Default [Default] @@ -107,16 +108,10 @@ MachineObjectOU=OU=Laptops,OU=Contoso,DC=contoso,DC=com ## Related articles -[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) - -[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) - -[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) - -[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) - -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) - -[Use web services in MDT](use-web-services-in-mdt.md) - -[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use web services in MDT](use-web-services-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md index 0ef50cfcd2..19adc65b02 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Configure MDT for UserExit scripts @@ -20,7 +20,7 @@ In this article, you'll learn how to configure the MDT rules engine to use a Use You can call a UserExit by referencing the script in your rules. Then you can configure a property to be set to the result of a function of the VBScript. In this example, we have a VBScript named Setname.vbs (provided in the book sample files, in the UserExit folder). -``` +```ini [Settings] Priority=Default [Default] @@ -35,7 +35,7 @@ The UserExit=Setname.vbs calls the script and then assigns the computer name to The Setname.vbs script takes the MAC Address passed from the rules. The script then does some string manipulation to add a prefix (PC) and remove the semicolons from the MAC Address. -``` +```vb Function UserExit(sType, sWhen, sDetail, bSkip) UserExit = Success End Function @@ -48,23 +48,18 @@ Function SetName(sMac) SetName = "PC" & re.Replace(sMac, "") End Function ``` + The first three lines of the script make up a header that all UserExit scripts have. The interesting part is the lines between Function and End Function. Those lines add a prefix (PC), remove the colons from the MAC Address, and return the value to the rules by setting the SetName value. ->[!NOTE] ->The purpose of this sample isn't to recommend that you use the MAC Address as a base for computer naming, but to show you how to take a variable from MDT, pass it to an external script, make some changes to it, and then return the new value to the deployment process. - +> [!NOTE] +> The purpose of this sample isn't to recommend that you use the MAC Address as a base for computer naming, but to show you how to take a variable from MDT, pass it to an external script, make some changes to it, and then return the new value to the deployment process. + ## Related articles -[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) - -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) - -[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) - -[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) - -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) - -[Use web services in MDT](use-web-services-in-mdt.md) - -[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use web services in MDT](use-web-services-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md index 6270caa911..cfb17a3eee 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md @@ -10,7 +10,7 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Configure MDT settings @@ -24,20 +24,20 @@ The computers used in this article. ## In this section -- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) -- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) -- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) -- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) -- [Use web services in MDT](use-web-services-in-mdt.md) -- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use web services in MDT](use-web-services-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) ## Related articles -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) +- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) +- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) +- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) +- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) +- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) +- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index 864d74b4d8..b26c222f91 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -9,31 +9,33 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Create a Windows 10 reference image -**Applies to** +**Applies to:** + - Windows 10 Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this article, you 'll learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You 'll create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this article, you 'll have a Windows 10 reference image that can be used in your deployment solution. ->[!NOTE] ->For more information about the server, client, and network infrastructure used in this guide, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). +> [!NOTE] +> For more information about the server, client, and network infrastructure used in this guide, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). For the purposes of this article, we'll use three computers: DC01, MDT01, and HV01. - - DC01 is a domain controller for the contoso.com domain. - - MDT01 is a contoso.com domain member server. - - HV01 is a Hyper-V server that will be used to build the reference image. - - ![devices.](../images/mdt-08-fig01.png) +- DC01 is a domain controller for the contoso.com domain. +- MDT01 is a contoso.com domain member server. +- HV01 is a Hyper-V server that will be used to build the reference image. + + ![devices.](../images/mdt-08-fig01.png) Computers used in this article. ## The reference image The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are: + - To reduce development time and can use snapshots to test different configurations quickly. - To rule out hardware issues. You get the best possible image, and if you've a problem, it's not likely to be hardware related. - To ensure that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process. @@ -47,24 +49,30 @@ With Windows 10, there's no hard requirement to create reference images. However On **MDT01**: -- Sign in as contoso\\administrator using a password of pass@word1 (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) article). -- Start the MDT deployment workbench, and pin this workbench to the taskbar for easy access. -- Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. -- Use the following settings for the New Deployment Share Wizard: - - Deployment share path: **D:\\MDTBuildLab** - - Share name: **MDTBuildLab$** - - Deployment share description: **MDT Build Lab** -- Accept the default selections on the Options page and select **Next**. -- Review the Summary page, select **Next**, wait for the deployment share to be created, then select **Finish**. -- Verify that you can access the \\\\MDT01\\MDTBuildLab$ share. +1. Sign in as **contoso\\administrator** using a password of **pass@word1** (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) article). + +2. Start the MDT deployment workbench, and pin this workbench to the taskbar for easy access. + +3. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. + +4. Use the following settings for the New Deployment Share Wizard: + + - Deployment share path: **D:\\MDTBuildLab** + - Share name: **MDTBuildLab$** + - Deployment share description: **MDT Build Lab** + +5. Accept the default selections on the Options page and select **Next**. + +6. Review the Summary page, select **Next**, wait for the deployment share to be created, then select **Finish**. + +7. Verify that you can access the **\\\\MDT01\\MDTBuildLab$** share. ![figure 2.](../images/mdt-08-fig02.png) - The Deployment Workbench with the MDT Build Lab deployment share. ### Enable monitoring -To monitor the task sequence as it happens, right-click the **MDT Build Lab** deployment share, select **Properties**, select the **Monitoring** tab, and select **Enable monitoring for this deployment share**. This step is optional. +To monitor the task sequence as it happens, right-click the **MDT Build Lab** deployment share, select **Properties**, select the **Monitoring** tab, and select **Enable monitoring for this deployment share**. This step is optional. ### Configure permissions for the deployment share @@ -72,10 +80,11 @@ In order to read files in the deployment share and write the reference image bac On **MDT01**: -1. Ensure you're signed in as **contoso\\administrator**. -2. Modify the NTFS permissions for the **D:\\MDTBuildLab** folder by running the following command in an elevated Windows PowerShell prompt: +1. Ensure you're signed in as **contoso\\administrator**. - ``` powershell +2. Modify the NTFS permissions for the **D:\\MDTBuildLab** folder by running the following command in an elevated Windows PowerShell prompt: + + ```powershell icacls "D:\MDTBuildLab" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)' grant-smbshareaccess -Name MDTBuildLab$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force ``` @@ -88,9 +97,9 @@ This section will show you how to populate the MDT deployment share with the Win MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you've created. In this case, you create a reference image, so you add the full source setup files from Microsoft. ->[!NOTE] ->Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM. - +> [!NOTE] +> Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM. + ### Add Windows 10 Enterprise x64 (full source) On **MDT01**: @@ -100,16 +109,21 @@ On **MDT01**: ![ISO.](../images/iso-data.png) 2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**. + 3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. + 4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: + - Full set of source files - Source directory: (location of your source files) - - Destination directory name: W10EX64RTM -5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example. + - Destination directory name: **W10EX64RTM** + +5. After adding the operating system, in the **Operating Systems** > **Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example. ![Default image.](../images/deployment-workbench01.png) ->Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work. +> [!NOTE] +> Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work. ## Add applications @@ -120,18 +134,22 @@ On **MDT01**: First, create an MDT folder to store the Microsoft applications that will be installed: 1. In the MDT Deployment Workbench, expand **Deployment Shares \\ MDT Build Lab \\ Applications** + 2. Right-click **Applications** and then select **New Folder**. + 3. Under **Folder name**, type **Microsoft**. + 4. Select **Next** twice, and then select **Finish**. -The steps in this section use a strict naming standard for your MDT applications. -- Use the "Install - " prefix for typical application installations that run a setup installer of some kind, -- Use the "Configure - " prefix when an application configures a setting in the operating system. -- You also add an " - x86", " - x64", or "- x86-x64" suffix to indicate the application's architecture (some applications have installers for both architectures). - -Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency. +The steps in this section use a strict naming standard for your MDT applications. -By storing configuration items as MDT applications, it's easy to move these objects between various solutions, or between test and production environments. +- Use the **Install -** prefix for typical application installations that run a setup installer of some kind. +- Use the **Configure -** prefix when an application configures a setting in the operating system. +- You also add an **- x86**, **- x64**, or **- x86-x64** suffix to indicate the application's architecture (some applications have installers for both architectures). + +Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency. + +By storing configuration items as MDT applications, it's easy to move these objects between various solutions, or between test and production environments. In example sections, you 'll add the following applications: @@ -142,28 +160,30 @@ In example sections, you 'll add the following applications: >The 64-bit version of Microsoft Office 365 Pro Plus is recommended unless you need legacy app support. For more information, see [Choose between the 64-bit or 32-bit version of Office](https://support.office.com/article/choose-between-the-64-bit-or-32-bit-version-of-office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261) Download links: + - [Office Deployment Tool](https://www.microsoft.com/download/details.aspx?id=49117) - [Microsoft Visual C++ Redistributable 2019 - x86](https://aka.ms/vs/16/release/VC_redist.x86.exe) - [Microsoft Visual C++ Redistributable 2019 - x64](https://aka.ms/vs/16/release/VC_redist.x64.exe) -Download all three items in this list to the D:\\Downloads folder on MDT01. +Download all three items in this list to the D:\\Downloads folder on MDT01. ->[!NOTE] ->For the purposes of this lab, we'll leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder, and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads). +> [!NOTE] +> For the purposes of this lab, we'll leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder, and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads). + +> [!NOTE] +> All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files. ->[!NOTE] ->All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files. - ### Create configuration file: Microsoft Office 365 Professional Plus x64 -1. After downloading the most current version of the Office Deployment tool from the Microsoft Download Center using the link provided above, run the self-extracting executable file and extract the files to **D:\\Downloads\\Office365**. The Office Deployment Tool (setup.exe) and several sample configuration.xml files will be extracted. +1. After downloading the most current version of the Office Deployment tool from the Microsoft Download Center using the link provided above, run the self-extracting executable file and extract the files to **D:\\Downloads\\Office365**. The Office Deployment Tool (setup.exe) and several sample configuration.xml files will be extracted. + 2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Microsoft 365 Apps for enterprise that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename. For example, you can use the following configuration.xml file, which provides these configuration settings: - - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. + - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. > [!NOTE] - > 64-bit is now the default and recommended edition. - - Use the General Availability Channel and get updates directly from the Office CDN on the internet. + > 64-bit is now the default and recommended edition. + - Use the General Availability Channel and get updates directly from the Office CDN on the internet. - Perform a silent installation. You won't see anything that shows the progress of the installation and you won't see any error messages. ```xml @@ -180,25 +200,28 @@ Download all three items in this list to the D:\\Downloads folder on MDT01. When you use these settings, anytime you build the reference image you'll be installing the most up-to-date General Availability Channel version of Microsoft 365 Apps for enterprise. - >[!TIP] - >You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file. - - For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool). + > [!TIP] + > You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file. + + For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool). 3. Ensure the configuration.xml file is in the D:\\Downloads\\Office365 folder. See the following example of the extracted files plus the configuration.xml file in the Downloads\\Office365 folder: ![folder.](../images/office-folder.png) - Assuming you've named the file "configuration.xml" as shown above, we'll use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This command execution will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Don't perform this step yet. +Assuming you've named the file `configuration.xml` as shown above, we'll use the command **`setup.exe /configure configuration.xml`** when we create the application in MDT. This command execution will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Don't perform this step yet. - >[!IMPORTANT] - >After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you're prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image. +> [!IMPORTANT] +> After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you're prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image. Additional information + - Microsoft 365 Apps for enterprise is updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you're using). That means that once you've deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image. -- **Note**: With the installing Office Deployment Tool being used as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user's device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won't have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.) - - When you're creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that process, you'll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this step, the next time you create a new reference image, you'll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise. + > [!NOTE] + > With the installing Office Deployment Tool being used as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user's device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won't have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.) + +- When you're creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that process, you'll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this step, the next time you create a new reference image, you'll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise. ### Connect to the deployment share using Windows PowerShell @@ -206,15 +229,16 @@ If you need to add many applications, you can take advantage of the PowerShell s On **MDT01**: -1. Ensure you're signed in as **contoso\\Administrator**. -2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt: +1. Ensure you're signed in as **contoso\\Administrator**. +2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt: - ``` powershell + ```powershell Import-Module "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1" New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "D:\MDTBuildLab" ``` ->[!TIP] ->Use "Get-Command -module MicrosoftDeploymentToolkit" to see a list of available cmdlets + +> [!TIP] +> Use `Get-Command -module MicrosoftDeploymentToolkit` to see a list of available cmdlets ### Create the install: Microsoft Office 365 Pro Plus - x64 @@ -222,10 +246,11 @@ In these steps, we assume that you've downloaded the Office Deployment Tool. You On **MDT01**: -1. Ensure you're signed on as **contoso\\Administrator**. -2. Create the application by running the following commands in an elevated PowerShell prompt: +1. Ensure you're signed on as **contoso\\Administrator**. - ``` powershell +2. Create the application by running the following commands in an elevated PowerShell prompt: + + ```powershell $ApplicationName = "Install - Office365 ProPlus - x64" $CommandLine = "setup.exe /configure configuration.xml" $ApplicationSourcePath = "D:\Downloads\Office365" @@ -233,7 +258,8 @@ On **MDT01**: ``` Upon successful installation, the following text is displayed: - ``` + + ```output VERBOSE: Performing the operation "import" on target "Application". VERBOSE: Beginning application import VERBOSE: Copying application source files from D:\Downloads\Office365 to D:\MDTBuildLab\Applications\Install - @@ -248,17 +274,18 @@ On **MDT01**: ### Create the install: Microsoft Visual C++ Redistributable 2019 - x86 ->[!NOTE] ->We have abbreviated "Microsoft Visual C++ Redistributable" in the $ApplicationName below as "MSVC" to avoid the path name exceeding the maxiumum allowed length of 248 characters. +> [!NOTE] +> We have abbreviated "Microsoft Visual C++ Redistributable" in the $ApplicationName below as "MSVC" to avoid the path name exceeding the maxiumum allowed length of 248 characters. In these steps, we assume that you've downloaded Microsoft Visual C++ Redistributable 2019 - x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. On **MDT01**: -1. Ensure you're signed on as **contoso\\Administrator**. -2. Create the application by running the following commands in an elevated PowerShell prompt: +1. Ensure you're signed on as **contoso\\Administrator**. - ``` powershell +2. Create the application by running the following commands in an elevated PowerShell prompt: + + ```powershell $ApplicationName = "Install - MSVC 2019 - x86" $CommandLine = "vc_redist.x86.exe /Q" $ApplicationSourcePath = "D:\Downloads" @@ -266,7 +293,8 @@ On **MDT01**: ``` Upon successful installation, the following text is displayed: - ``` + + ```output VERBOSE: Performing the operation "import" on target "Application". VERBOSE: Beginning application import VERBOSE: Copying application source files from D:\Downloads to D:\MDTBuildLab\Applications\Install - MSVC 2019 - x86 @@ -284,10 +312,11 @@ In these steps, we assume that you've downloaded Microsoft Visual C++ Redistribu On **MDT01**: -1. Ensure you're signed on as **contoso\\Administrator**. -2. Create the application by running the following commands in an elevated PowerShell prompt: +1. Ensure you're signed on as **contoso\\Administrator**. - ``` powershell +2. Create the application by running the following commands in an elevated PowerShell prompt: + + ```powershell $ApplicationName = "Install - MSVC 2019 - x64" $CommandLine = "vc_redist.x64.exe /Q" $ApplicationSourcePath = "D:\Downloads" @@ -310,17 +339,19 @@ To create a Windows 10 reference image task sequence, the process is as follows: On **MDT01**: 1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**. + 2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - 1. Task sequence ID: REFW10X64-001 - 2. Task sequence name: Windows 10 Enterprise x64 RTM Default Image - 3. Task sequence comments: Reference Build - 4. Template: Standard Client Task Sequence - 5. Select OS: Windows 10 Enterprise x64 RTM Default Image - 6. Specify Product Key: Don't specify a product key at this time - 7. Full Name: Contoso - 8. Organization: Contoso - 9. Internet Explorer home page: http://www.contoso.com - 10. Admin Password: Don't specify an Administrator Password at this time + + 1. **Task sequence ID**: REFW10X64-001 + 2. **Task sequence name**: Windows 10 Enterprise x64 RTM Default Image + 3. **Task sequence comments**: Reference Build + 4. **Template**: Standard Client Task Sequence + 5. **Select OS**: Windows 10 Enterprise x64 RTM Default Image + 6. **Specify Product Key**: Don't specify a product key at this time + 7. **Full Name**: Contoso + 8. **Organization**: Contoso + 9. **Internet Explorer home page**: `http://www.contoso.com` + 10. **Admin Password**: Don't specify an Administrator Password at this time ### Edit the Windows 10 task sequence @@ -329,81 +360,99 @@ The steps below walk you through the process of editing the Windows 10 reference On **MDT01**: 1. In the **Task Sequences / Windows 10** folder, right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence, and select **Properties**. + 2. On the **Task Sequence** tab, configure the Windows 10 Enterprise x64 RTM Default Image task sequence with the following settings: - 1. **State Restore > Windows Update (Pre-Application Installation)** action: Enable this action by clicking the **Options** tab and clearing the **Disable this step** check box. - - 2. **State Restore > Windows Update (Post-Application Installation)** action: Also enable this action. - 3. **State Restore**: After the **Tattoo** action, add a new **Group** action (select **Add** then select **New Group**) with the following setting: - - Name: **Custom Tasks (Pre-Windows Update)** - 4. **State Restore**: After **Windows Update (Post-Application Installation)** action, rename **Custom Tasks** to **Custom Tasks (Post-Windows Update)**. - - **Note**: The reason for adding the applications after the Tattoo action but before running Windows Update is simply to save time during the deployment. This way we can add all applications that will upgrade some of the built-in components and avoid unnecessary updating. - 5. **State Restore > Custom Tasks (Pre-Windows Update)**: Add a new **Install Roles and Features** action with the following settings: - 1. Name: Install - Microsoft NET Framework 3.5.1 - 2. Select the operating system for which roles are to be installed: Windows 10 - 3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0) - - >[!IMPORTANT] - >This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It's installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed. - + - **State Restore > Windows Update (Pre-Application Installation)** action: Enable this action by clicking the **Options** tab and clearing the **Disable this step** check box. + + - **State Restore > Windows Update (Post-Application Installation)** action: Also enable this action. + + - **State Restore**: After the **Tattoo** action, add a new **Group** action (select **Add** then select **New Group**) with the following setting: + - Name: **Custom Tasks (Pre-Windows Update)** + + - **State Restore**: After **Windows Update (Post-Application Installation)** action, rename **Custom Tasks** to **Custom Tasks (Post-Windows Update)**. + > [!NOTE] + > The reason for adding the applications after the Tattoo action but before running Windows Update is simply to save time during the deployment. This way we can add all applications that will upgrade some of the built-in components and avoid unnecessary updating. + + - **State Restore > Custom Tasks (Pre-Windows Update)**: Add a new **Install Roles and Features** action with the following settings: + + - **Name**: Install - Microsoft NET Framework 3.5.1 + + - **Select the operating system for which roles are to be installed**: Windows 10 + + - **Select the roles and features that should be installed**: .NET Framework 3.5 (includes .NET 2.0 and 3.0) + + > [!IMPORTANT] + > This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It's installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed. + ![task sequence.](../images/fig8-cust-tasks.png) The task sequence after creating the Custom Tasks (Pre-Windows Update) group and adding the Install - Microsoft NET Framework 3.5.1 action. - 6. **State Restore > Custom Tasks (Pre-Windows Update)**: After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action (selected from the **General** group) with the following settings: - 1. Name: Microsoft Visual C++ Redistributable 2019 - x86 - 2. Install a Single Application: browse to **Install - MSVC 2019 - x86** - 7. Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Microsoft 365 Apps for enterprise as well. + - **State Restore > Custom Tasks (Pre-Windows Update)**: After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action (selected from the **General** group) with the following settings: + + - **Name**: Microsoft Visual C++ Redistributable 2019 - x86 + + - **Install a Single Application**: browse to **Install - MSVC 2019 - x86** + + - Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Microsoft 365 Apps for enterprise as well. + 3. Select **OK**. - ![apps.](../images/mdt-apps.png) - + ![apps.](../images/mdt-apps.png) ### Optional configuration: Add a suspend action The goal when creating a reference image is to automate everything. But sometimes you've a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you select the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine. ![figure 8.](../images/fig8-suspend.png) - A task sequence with optional Suspend action (LTISuspend.wsf) added. ![figure 9.](../images/fig9-resumetaskseq.png) - The Windows 10 desktop with the Resume Task Sequence shortcut. ### Edit the Unattend.xml file for Windows 10 Enterprise When using MDT, you don't need to edit the Unattend.xml file often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer behavior, then you can edit the Unattend.xml. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you 'll want to use the Internet Explorer Administration Kit (IEAK). ->[!WARNING] ->Don't use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used. +> [!WARNING] +> Don't use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used. + +> [!NOTE] +> You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you're adding packages via Unattend.xml, it's version specific, so Unattend.xml must match the exact version of the operating system you're servicing. ->[!NOTE] ->You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you're adding packages via Unattend.xml, it's version specific, so Unattend.xml must match the exact version of the operating system you're servicing. - Follow these steps to configure Internet Explorer settings in Unattend.xml for the Windows 10 Enterprise x64 RTM Default Image task sequence: On **MDT01**: 1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**. + 2. In the **OS Info** tab, select **Edit Unattend.xml**. MDT now generates a catalog file. This file generation process will take a few minutes, and then Windows System Image Manager (Windows SIM) will start. - > [!IMPORTANT] - > The ADK version 1903 has a [known issue](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903: - > - Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144. - > - Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe). - > - Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim). - > - After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml. + > [!IMPORTANT] + > The ADK version 1903 has a [known issue](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error **Could not load file or assembly** in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903: + > + > - Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144. + > + > - Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe). + > + > - Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim). + > + > - After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml. 3. In Windows SIM, expand the **4 specialize** node in the **Answer File** pane and select the amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral entry. + 4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values: - - DisableDevTools: true + + - **DisableDevTools**: true + 5. Save the Unattend.xml file, and close Windows SIM. + > [!NOTE] > If errors are reported that certain display values are incorrect, you can ignore this message or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1. + 6. On the Windows 10 Enterprise x64 RTM Default Image Properties, select **OK**. ![figure 10.](../images/fig10-unattend.png) - Windows System Image Manager with the Windows 10 Unattend.xml. ## Configure the MDT deployment share rules @@ -412,16 +461,17 @@ Understanding rules is critical to successfully using MDT. Rules are configured ### MDT deployment share rules overview -In MDT, there are always two rule files: the **CustomSettings.ini** file and the **Bootstrap.ini** file. You can add almost any rule to either. However, the Bootstrap.ini file is copied from the Control folder to the boot image, so the boot image needs to be updated every time you change that file. For this reason, add only a minimal set of rules to Bootstrap.ini, such as which deployment server and share to connect to - the DEPLOYROOT value. Put the other rules in CustomSettings.ini because that file is updated immediately when you select OK. +In MDT, there are always two rule files: the **CustomSettings.ini** file and the **Bootstrap.ini** file. You can add almost any rule to either. However, the Bootstrap.ini file is copied from the Control folder to the boot image, so the boot image needs to be updated every time you change that file. For this reason, add only a minimal set of rules to Bootstrap.ini, such as which deployment server and share to connect to - the DEPLOYROOT value. Put the other rules in CustomSettings.ini because that file is updated immediately when you select OK. To configure the rules for the MDT Build Lab deployment share: On **MDT01**: -1. Using the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Properties**. -2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you don't have a WSUS server in your environment, delete the **WSUSServer** line from the configuration: +1. Using the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Properties**. - ``` +2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you don't have a WSUS server in your environment, delete the **WSUSServer** line from the configuration: + + ```ini [Settings] Priority=Default @@ -456,12 +506,11 @@ On **MDT01**: ``` ![figure 11.](../images/mdt-rules.png) - The server-side rules for the MDT Build Lab deployment share. - -3. Select **Edit Bootstrap.ini** and modify using the following information: - ``` +3. Select **Edit Bootstrap.ini** and modify using the following information: + + ```ini [Settings] Priority=Default @@ -474,32 +523,38 @@ On **MDT01**: SkipBDDWelcome=YES ``` - >[!NOTE] - >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it's acceptable to do so in this situation. Obviously if you're not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini. - + > [!NOTE] + > For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it's acceptable to do so in this situation. Obviously if you're not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini. + 4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x86**. + 5. In the **Lite Touch Boot Image Settings** area, configure the following settings: - 1. Image description: MDT Build Lab x86 - 2. ISO file name: MDT Build Lab x86.iso + + - **Image description**: MDT Build Lab x86 + - **ISO file name**: MDT Build Lab x86.iso + 6. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. + 7. In the **Lite Touch Boot Image Settings** area, configure the following settings: - 1. Image description: MDT Build Lab x64 - 2. ISO file name: MDT Build Lab x64.iso + + - **Image description**: MDT Build Lab x64 + - **ISO file name**: MDT Build Lab x64.iso + 8. Select **OK**. ->[!NOTE] ->In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface). - +> [!NOTE] +> In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface). + ### Update the deployment share After the deployment share has been configured, it needs to be updated. This update-process is the one when the Windows PE boot images are created. -1. In the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Update Deployment Share**. -2. Use the default options for the Update Deployment Share Wizard. +1. In the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Update Deployment Share**. +2. Use the default options for the Update Deployment Share Wizard. + +> [!NOTE] +> The update process will take 5 to 10 minutes. ->[!NOTE] ->The update process will take 5 to 10 minutes. - ### The rules explained Now that the MDT Build Lab deployment share (the share used to create the reference images) has been configured, it's time to explain the various settings used in the Bootstrap.ini and CustomSettings.ini files. @@ -508,14 +563,14 @@ The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini The CustomSettings.ini file is normally stored on the server, in the Deployment share\\Control folder, but also can be stored on the media (when using offline media). ->[!NOTE] ->The settings, or properties, that are used in the rules (CustomSettings.ini and Bootstrap.ini) are listed in the MDT documentation, in the Microsoft Deployment Toolkit Reference / Properties / Property Definition section. - +> [!NOTE] +> The settings, or properties, that are used in the rules (CustomSettings.ini and Bootstrap.ini) are listed in the MDT documentation, in the Microsoft Deployment Toolkit Reference / Properties / Property Definition section. + ### The Bootstrap.ini file The Bootstrap.ini file is available via the deployment share's Properties dialog box, or via the D:\\MDTBuildLab\\Control folder on MDT01. -``` +```ini [Settings] Priority=Default [Default] @@ -527,23 +582,26 @@ SkipBDDWelcome=YES ``` So, what are these settings? -- **Priority.** This setting determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\]. -- **DeployRoot.** This location is of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location. -- **UserDomain, UserID, and UserPassword.** These values are used for automatic sign in to the deployment share. Again, if they aren't specified, the wizard prompts you. - >[!WARNING] - >Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic. - -- **SkipBDDWelcome.** Even if it's nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard. +- **Priority**: This setting determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\]. + +- **DeployRoot**: This location is of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location. + +- **UserDomain, UserID, and UserPassword**: These values are used for automatic sign in to the deployment share. Again, if they aren't specified, the wizard prompts you. + + > [!WARNING] + > Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic. + +- **SkipBDDWelcome**: Even if it's nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard. + +> [!NOTE] +> All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values. ->[!NOTE] ->All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values. - ### The CustomSettings.ini file The CustomSettings.ini file, whose content you see on the Rules tab of the deployment share Properties dialog box, contains most of the properties used in the configuration. -``` +```ini [Settings] Priority=Default [Default] @@ -575,82 +633,114 @@ SkipRoles=YES SkipCapture=NO SkipFinalSummary=YES ``` -- **Priority.** Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you've multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file. -- **\_SMSTSORGNAME.** The organization name displayed in the task sequence progress bar window during deployment. -- **UserDataLocation.** Controls the settings for user state backup. You don't need to use when building and capturing a reference image. -- **DoCapture.** Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed. -- **OSInstall.** Must be set to Y or YES (the code just looks for the Y character) for the setup to proceed. -- **AdminPassword.** Sets the local Administrator account password. -- **TimeZoneName.** Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003). - >[!NOTE] - >The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names. - -- **JoinWorkgroup.** Configures Windows to join a workgroup. -- **HideShell.** Hides the Windows Shell during deployment. This hide-operation is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles. -- **FinishAction.** Instructs MDT what to do when the task sequence is complete. -- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There's no need to do this configuration for your reference image. -- **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied. -- **SLSHARE.** Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed. -- **ApplyGPOPack.** Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM). -- **SkipAdminPassword.** Skips the pane that asks for the Administrator password. -- **SkipProductKey.** Skips the pane that asks for the product key. -- **SkipComputerName.** Skips the Computer Name pane. -- **SkipDomainMemberShip.** Skips the Domain Membership pane. If set to Yes, you need to configure either the JoinWorkgroup value or the JoinDomain, DomainAdmin, DomainAdminDomain, and DomainAdminPassword properties. -- **SkipUserData.** Skips the pane for user state migration. -- **SkipLocaleSelection.** Skips the pane for selecting language and keyboard settings. -- **SkipTimeZone.** Skips the pane for setting the time zone. -- **SkipApplications.** Skips the Applications pane. -- **SkipBitLocker.** Skips the BitLocker pane. -- **SkipSummary.** Skips the initial Windows Deployment Wizard summary pane. -- **SkipRoles.** Skips the Install Roles and Features pane. -- **SkipCapture.** Skips the Capture pane. -- **SkipFinalSummary.** Skips the final Windows Deployment Wizard summary. Because you use FinishAction=Shutdown, you don't want the wizard to stop in the end so that you need to select OK before the machine shuts down. +- **Priority**: Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you've multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file. + +- **\_SMSTSORGNAME**: The organization name displayed in the task sequence progress bar window during deployment. + +- **UserDataLocation**: Controls the settings for user state backup. You don't need to use when building and capturing a reference image. + +- **DoCapture**: Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed. + +- **OSInstall**: Must be set to Y or YES (the code just looks for the Y character) for the setup to proceed. + +- **AdminPassword**: Sets the local Administrator account password. + +- **TimeZoneName**: Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003). + + > [!NOTE] + > The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names. + +- **JoinWorkgroup**: Configures Windows to join a workgroup. + +- **HideShell**: Hides the Windows Shell during deployment. This hide-operation is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles. + +- **FinishAction**: Instructs MDT what to do when the task sequence is complete. + +- **DoNotCreateExtraPartition**: Configures the task sequence not to create the extra partition for BitLocker. There's no need to do this configuration for your reference image. + +- **WSUSServer**: Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied. + +- **SLSHARE**: Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed. + +- **ApplyGPOPack**: Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM). + +- **SkipAdminPassword**: Skips the pane that asks for the Administrator password. + +- **SkipProductKey**: Skips the pane that asks for the product key. + +- **SkipComputerName**: Skips the Computer Name pane. + +- **SkipDomainMemberShip**: Skips the Domain Membership pane. If set to Yes, you need to configure either the JoinWorkgroup value or the JoinDomain, DomainAdmin, DomainAdminDomain, and DomainAdminPassword properties. + +- **SkipUserData**: Skips the pane for user state migration. + +- **SkipLocaleSelection**: Skips the pane for selecting language and keyboard settings. + +- **SkipTimeZone**: Skips the pane for setting the time zone. + +- **SkipApplications**: Skips the Applications pane. + +- **SkipBitLocker**: Skips the BitLocker pane. + +- **SkipSummary**: Skips the initial Windows Deployment Wizard summary pane. + +- **SkipRoles**: Skips the Install Roles and Features pane. + +- **SkipCapture**: Skips the Capture pane. + +- **SkipFinalSummary**: Skips the final Windows Deployment Wizard summary. Because you use FinishAction=Shutdown, you don't want the wizard to stop in the end so that you need to select OK before the machine shuts down. ## Build the Windows 10 reference image As previously described, this section requires a Hyper-V host. For more information, see [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements). -Once you've created your task sequence, you're ready to create the Windows 10 reference image. This image creation will be performed by launching the task sequence from a virtual machine that will then automatically perform the reference image creation and capture process. +Once you've created your task sequence, you're ready to create the Windows 10 reference image. This image creation will be performed by launching the task sequence from a virtual machine that will then automatically perform the reference image creation and capture process. The steps below outline the process used to boot a virtual machine using an ISO boot image created by MDT, and then run the reference image task sequence image to create and capture the Windows 10 reference image. 1. Copy D:\\MDTBuildLab\\Boot\\MDT Build Lab x86.iso on MDT01 to C:\\ISO on your Hyper-V host (HV01). - >[!NOTE] - >Remember, in MDT you can use the x86 boot image to deploy both x86 and x64 operating system images. That's why you can use the x86 boot image instead of the x64 boot image. + > [!NOTE] + > Remember, in MDT you can use the x86 boot image to deploy both x86 and x64 operating system images. That's why you can use the x86 boot image instead of the x64 boot image. On **HV01**: - -2. Create a new virtual machine with the following settings: + +1. Create a new virtual machine with the following settings: + 1. Name: REFW10X64-001 2. Store the virtual machine in a different location: C:\VM 3. Generation 1 4. Memory: 1024 MB 5. Network: Must be able to connect to \\MDT01\MDTBuildLab$ - 7. Hard disk: 60 GB (dynamic disk) - 8. Install OS with image file: C:\\ISO\\MDT Build Lab x86.iso -1. Before you start the VM, add a checkpoint for REFW10X64-001, and name it **Clean with MDT Build Lab x86 ISO**. + 6. Hard disk: 60 GB (dynamic disk) + 7. Install OS with image file: C:\\ISO\\MDT Build Lab x86.iso - >[!NOTE] - >Checkpoints are useful if you need to restart the process and want to make sure you can start clean. - -4. Start the REFW10X64-001 virtual machine and connect to it. +2. Before you start the VM, add a checkpoint for REFW10X64-001, and name it **Clean with MDT Build Lab x86 ISO**. - >[!NOTE] - >Up to this point we haven't discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario, this connectivity is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11. + > [!NOTE] + > Checkpoints are useful if you need to restart the process and want to make sure you can start clean. + +3. Start the REFW10X64-001 virtual machine and connect to it. + + > [!NOTE] + > Up to this point we haven't discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario, this connectivity is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11. After booting into Windows PE, complete the Windows Deployment Wizard with the following settings: - 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Default Image - 2. Specify whether to capture an image: Capture an image of this reference computer - - Location: \\\\MDT01\\MDTBuildLab$\\Captures - 3. File name: REFW10X64-001.wim + + - **Select a task sequence to execute on this computer**: Windows 10 Enterprise x64 RTM Default Image + + - **Specify whether to capture an image**: Capture an image of this reference computer + + - Location: \\\\MDT01\\MDTBuildLab$\\Captures + + - **File name**: REFW10X64-001.wim ![capture image.](../images/captureimage.png) - The Windows Deployment Wizard for the Windows 10 reference image. -5. The setup now starts and does the following steps: +4. The setup now starts and does the following steps: + 1. Installs the Windows 10 Enterprise operating system. 2. Installs the added applications, roles, and features. 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. @@ -666,21 +756,21 @@ After some time, you 'll have a Windows 10 Enterprise x64 image that is fully pa ## Troubleshooting > [!IMPORTANT] -> If you encounter errors applying the image when using a BIOS firmware type, see [Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7). This +> If you encounter errors applying the image when using a BIOS firmware type, see [Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7). If you [enabled monitoring](#enable-monitoring), you can check the progress of the task sequence. ![monitoring.](../images/mdt-monitoring.png) -If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE, you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$. +If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE, you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$. After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. ## Related articles -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-settings.md) +- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) +- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) +- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) +- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) +- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) +- [Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index a4990f1916..f92a6f30dc 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -11,31 +11,32 @@ ms.topic: article ms.technology: itpro-deploy ms.collection: - highpri -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Deploy a Windows 10 image using MDT -**Applies to** -- Windows 10 +**Applies to:** -This article will show you how to take your reference image for Windows 10 (that was [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). +- Windows 10 + +This article will show you how to take your reference image for Windows 10 (that was [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). We'll prepare for this deployment by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We'll configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules. -For the purposes of this article, we'll use four computers: DC01, MDT01, HV01 and PC0005. +For the purposes of this article, we'll use four computers: DC01, MDT01, HV01 and PC0005. -- DC01 is a domain controller -- MDT01 is a domain member server -- HV01 is a Hyper-V server +- DC01 is a domain controller +- MDT01 is a domain member server +- HV01 is a Hyper-V server - PC0005 is a blank device to which we'll deploy Windows 10 -MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment. +MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment. ![devices.](../images/mdt-07-fig01.png) ->[!NOTE] ->For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). +> [!NOTE] +> For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). ## Step 1: Configure Active Directory permissions @@ -43,7 +44,7 @@ These steps will show you how to configure an Active Directory account with the On **DC01**: -1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on **DC01**. This script configures permissions to allow the **MDT_JD** account to manage computer accounts in the contoso > Computers organizational unit. +1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on **DC01**. This script configures permissions to allow the **MDT_JD** account to manage computer accounts in the contoso > Computers organizational unit. 2. Create the **MDT_JD** service account by running the following command from an elevated **Windows PowerShell prompt**: @@ -85,7 +86,9 @@ On **MDT01**: The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image: 1. Ensure you're signed on as: contoso\administrator. + 2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. + 3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and select **Next**. 4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and select **Next**. @@ -93,6 +96,7 @@ The steps for creating the deployment share for production are the same as when 5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and select **Next**. 6. On the **Options** page, accept the default settings and select **Next** twice, and then select **Finish**. + 7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. ### Configure permissions for the production deployment share @@ -101,11 +105,12 @@ To read files in the deployment share, you need to assign NTFS and SMB permissio On **MDT01**: -1. Ensure you're signed in as **contoso\\administrator**. -2. Modify the NTFS permissions for the **D:\\MDTProduction** folder by running the following command in an elevated Windows PowerShell prompt: +1. Ensure you're signed in as **contoso\\administrator**. - ``` powershell - icacls "D:\MDTProduction" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)' +2. Modify the NTFS permissions for the **D:\\MDTProduction** folder by running the following command in an elevated Windows PowerShell prompt: + + ```powershell + icacls.exe "D:\MDTProduction" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)' grant-smbshareaccess -Name MDTProduction$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force ``` @@ -117,21 +122,22 @@ The next step is to add a reference image into the deployment share with the set In these steps, we assume that you've completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) article, so you've a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01. -1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**. -2. Right-click the **Windows 10** folder and select **Import Operating System**. +1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**. -3. On the **OS Type** page, select **Custom image file** and select **Next**. +2. Right-click the **Windows 10** folder and select **Import Operating System**. -4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and select **Next**. +3. On the **OS Type** page, select **Custom image file** and select **Next**. -5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and select **Next**. +4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and select **Next**. -6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, select **Next** twice, and then select **Finish**. -7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**. +5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and select **Next**. ->[!NOTE] ->The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image. - +6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, select **Next** twice, and then select **Finish**. + +7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**. + +> [!NOTE] +> The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image. ![imported OS.](../images/fig2-importedos.png) @@ -144,8 +150,11 @@ When you configure your MDT Build Lab deployment share, you can also add applica On **MDT01**: 1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200320282_en_US.exe) to **D:\\setup\\adobe** on MDT01. + 2. Extract the .exe file that you downloaded to a .msi (ex: .\AcroRdrDC2200320282_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). + 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. + 4. Right-click the **Applications** node, and create a new folder named **Adobe**. 5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**. @@ -161,22 +170,22 @@ On **MDT01**: 10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, select **Next** twice, and then select **Finish**. ![acroread image.](../images/acroread.png) - The Adobe Reader application added to the Deployment Workbench. ## Step 5: Prepare the drivers repository In order to deploy Windows 10 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples: -- Lenovo ThinkPad T420 -- Dell Latitude 7390 -- HP EliteBook 8560w -- Microsoft Surface Pro + +- Lenovo ThinkPad T420 +- Dell Latitude 7390 +- HP EliteBook 8560w +- Microsoft Surface Pro For boot images, you need to have storage and network drivers; for the operating system, you need to have the full suite of drivers. ->[!NOTE] ->You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time. - +> [!NOTE] +> You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time. + ### Create the driver source structure in the file system The key to successful management of drivers for MDT, and for any other deployment solution, is to have a good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. @@ -186,41 +195,50 @@ On **MDT01**: > [!IMPORTANT] > In the steps below, it's critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system. -1. Using File Explorer, create the **D:\\drivers** folder. -2. In the **D:\\drivers** folder, create the following folder structure: - 1. WinPE x86 - 2. WinPE x64 - 3. Windows 10 x64 -3. In the new Windows 10 x64 folder, create the following folder structure: - - Dell Inc. - - Latitude E7450 - - Hewlett-Packard - - HP EliteBook 8560w - - Lenovo - - ThinkStation P500 (30A6003TUS) - - Microsoft Corporation - - Surface Laptop +1. Using File Explorer, create the **D:\\drivers** folder. + +2. In the **D:\\drivers** folder, create the following folder structure: + + 1. WinPE x86 + 2. WinPE x64 + 3. Windows 10 x64 + +3. In the new Windows 10 x64 folder, create the following folder structure: + + - Dell Inc. + - Latitude E7450 + - Hewlett-Packard + - HP EliteBook 8560w + - Lenovo + - ThinkStation P500 (30A6003TUS) + - Microsoft Corporation + - Surface Laptop > [!NOTE] > Even if you're not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use. - + ### Create the logical driver structure in MDT When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This mimic is done by creating logical folders in the Deployment Workbench. -1. On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node. -2. In the **Out-Of-Box Drivers** node, create the following folder structure: - 1. WinPE x86 - 2. WinPE x64 - 3. Windows 10 x64 -3. In the **Windows 10 x64** folder, create the following folder structure: - - Dell Inc. - - Latitude E7450 - - Hewlett-Packard - - HP EliteBook 8560w - - Lenovo - - 30A6003TUS - - Microsoft Corporation - - Surface Laptop + +1. On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node. + +2. In the **Out-Of-Box Drivers** node, create the following folder structure: + + 1. WinPE x86 + 2. WinPE x64 + 3. Windows 10 x64 + +3. In the **Windows 10 x64** folder, create the following folder structure: + + - Dell Inc. + - Latitude E7450 + - Hewlett-Packard + - HP EliteBook 8560w + - Lenovo + - 30A6003TUS + - Microsoft Corporation + - Surface Laptop The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in Windows PowerShell: @@ -230,36 +248,40 @@ Get-WmiObject -Class:Win32_ComputerSystem Or, you can use this command in a normal command prompt: -```console -wmic csproduct get name +```cmd +wmic.exe csproduct get name ``` If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post, entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](/archive/blogs/deploymentguys/using-and-extending-model-aliases-for-hardware-specific-application-installation). ![drivers.](../images/fig4-oob-drivers.png) - The Out-of-Box Drivers structure in the Deployment Workbench. ### Create the selection profiles for boot image drivers By default, MDT adds any storage and network drivers that you import to the boot images. However, you should add only the drivers that are necessary to the boot image. You can control which drivers are added by using selection profiles. -The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you can’t locate Windows 10 drivers for your device, a Windows 7 or Windows 8.1 driver will most likely work, but Windows 10 drivers should be your first choice. + +The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you can't locate Windows 10 drivers for your device, a Windows 7 or Windows 8.1 driver will most likely work, but Windows 10 drivers should be your first choice. On **MDT01**: -1. In the Deployment Workbench, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**. -2. In the New Selection Profile Wizard, create a selection profile with the following settings: - 1. Selection Profile name: WinPE x86 - 2. Folders: Select the WinPE x86 folder in Out-of-Box Drivers. - 3. Select **Next**, **Next** and **Finish**. -3. Right-click the **Selection Profiles** node again, and select **New Selection Profile**. -4. In the New Selection Profile Wizard, create a selection profile with the following settings: - 1. Selection Profile name: WinPE x64 - 2. Folders: Select the WinPE x64 folder in Out-of-Box Drivers. - 3. Select **Next**, **Next** and **Finish**. +1. In the Deployment Workbench, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**. + +2. In the **New Selection Profile Wizard**, create a selection profile with the following settings: + + - **Selection Profile name**: WinPE x86 + - **Folders**: Select the WinPE x86 folder in Out-of-Box Drivers. + - Select **Next**, **Next** and **Finish**. + +3. Right-click the **Selection Profiles** node again, and select **New Selection Profile**. + +4. In the New Selection Profile Wizard, create a selection profile with the following settings: + + - **Selection Profile name**: WinPE x64 + - **Folders**: Select the WinPE x64 folder in Out-of-Box Drivers. + - Select **Next**, **Next** and **Finish**. ![figure 5.](../images/fig5-selectprofile.png) - Creating the WinPE x64 selection profile. ### Extract and import drivers for the x64 boot image @@ -269,11 +291,17 @@ Windows PE supports all the hardware models that we have, but here you learn to On **MDT01**: 1. Download **PROWinx64.exe** from Intel.com (ex: [PROWinx64.exe](https://downloadcenter.intel.com/downloads/eula/25016/Intel-Network-Adapter-Driver-for-Windows-10?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F25016%2Feng%2FPROWinx64.exe)). -2. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder. - a. **Note**: Extracting the .exe file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the .exe terminates. -3. Using File Explorer, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. -4. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. -5. In the Deployment Workbench, expand the **MDT Production** > **Out-of-Box Drivers** node, right-click the **WinPE x64** node, and select **Import Drivers**, and use the following Driver source directory to import drivers: **D:\\Drivers\\WinPE x64\\Intel PRO1000**. + +2. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder. + + > [!NOTE] + > Extracting the .exe file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the .exe terminates. + +3. Using File Explorer, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. + +4. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. + +5. In the Deployment Workbench, expand the **MDT Production** > **Out-of-Box Drivers** node, right-click the **WinPE x64** node, and select **Import Drivers**, and use the following Driver source directory to import drivers: **D:\\Drivers\\WinPE x64\\Intel PRO1000**. ### Download, extract, and import drivers @@ -281,8 +309,7 @@ On **MDT01**: For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6. -> [!div class="mx-imgBorder"] -> ![ThinkStation image.](../images/thinkstation.png) +![ThinkStation image.](../images/thinkstation.png) To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543). @@ -292,7 +319,7 @@ On **MDT01**: 1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Lenovo** node. -2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: +2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)** @@ -308,9 +335,9 @@ On **MDT01**: 1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc.** node. -2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: +2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: - **D:\\Drivers\\Windows 10 x64\\Dell Inc.\\Latitude E7450** + **`D:\Drivers\Windows 10 x64\Dell Inc.\Latitude E7450`** ### For the HP EliteBook 8560w @@ -320,11 +347,11 @@ In these steps, we assume you've downloaded and extracted the drivers for the HP On **MDT01**: -1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node. +1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node. -2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: +2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: - **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** + **`D:\Drivers\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w`** ### For the Microsoft Surface Laptop @@ -332,11 +359,11 @@ For the Microsoft Surface Laptop model, you find the drivers on the Microsoft we On **MDT01**: -1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Microsoft** node. +1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Microsoft** node. -2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: +2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: - **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** + **`D:\Drivers\Windows 10 x64\Microsoft\Surface Laptop`** ## Step 6: Create the deployment task sequence @@ -349,6 +376,7 @@ On **MDT01**: 1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**. 2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: W10-X64-001 - Task sequence name: Windows 10 Enterprise x64 RTM Custom Image - Task sequence comments: Production Image @@ -366,26 +394,27 @@ On **MDT01**: 2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings: - 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: - 1. Name: Set DriverGroup001 - 2. Task Sequence Variable: DriverGroup001 - 3. Value: Windows 10 x64\\%Make%\\%Model% + 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: - 2. Configure the **Inject Drivers** action with the following settings: - - Choose a selection profile: Nothing - - Install all drivers from the selection profile + - **Name**: Set DriverGroup001 + - **Task Sequence Variable**: DriverGroup001 + - **Value**: Windows 10 x64\\%Make%\\%Model% - > [!NOTE] - > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT shouldn't use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. - - 3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action. + 2. Configure the **Inject Drivers** action with the following settings: - 4. State Restore. Enable the **Windows Update (Post-Application Installation)** action. + - **Choose a selection profile**: Nothing + - Install all drivers from the selection profile + + > [!NOTE] + > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT shouldn't use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. + + 3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action. + + 4. State Restore. Enable the **Windows Update (Post-Application Installation)** action. 3. Select **OK**. ![drivergroup.](../images/fig6-taskseq.png) - The task sequence for production deployment. ## Step 7: Configure the MDT production deployment share @@ -400,9 +429,10 @@ In this section, you'll learn how to configure the MDT Build Lab deployment shar On **MDT01**: 1. Right-click the **MDT Production** deployment share and select **Properties**. + 2. Select the **Rules** tab and replace the existing rules with the following information (modify the domain name, WSUS server, and administrative credentials to match your environment): - ``` + ```ini [Settings] Priority=Default @@ -441,7 +471,7 @@ On **MDT01**: 3. Select **Edit Bootstrap.ini** and modify using the following information: - ``` + ```ini [Settings] Priority=Default @@ -461,11 +491,11 @@ On **MDT01**: - Image description: MDT Production x86 - ISO file name: MDT Production x86.iso - + > [!NOTE] - > + > > Because you're going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you don't need the ISO file; however, we recommend creating ISO files because they're useful when troubleshooting deployments and for quick tests. - + 6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option. 7. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. @@ -483,9 +513,9 @@ On **MDT01**: 11. Select **OK**. - >[!NOTE] - >It will take a while for the Deployment Workbench to create the monitoring database and web service. - + > [!NOTE] + > It will take a while for the Deployment Workbench to create the monitoring database and web service. + ![figure 8.](../images/mdt-07-fig08.png) The Windows PE tab for the x64 boot image. @@ -494,13 +524,13 @@ On **MDT01**: The rules for the MDT Production deployment share are different from those rules for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup. -You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example, we're skipping the welcome screen and providing credentials. +You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example, we're skipping the welcome screen and providing credentials. ### The Bootstrap.ini file This file is the MDT Production Bootstrap.ini: -``` +```ini [Settings] Priority=Default @@ -516,7 +546,7 @@ SkipBDDWelcome=YES This file is the CustomSettings.ini file with the new join domain information: -``` +```ini [Settings] Priority=Default @@ -555,14 +585,15 @@ EventService=http://MDT01:9800 ``` Some properties to use in the MDT Production rules file are as follows: -- **JoinDomain.** The domain to join. -- **DomainAdmin.** The account to use when joining the machine to the domain. -- **DomainAdminDomain.** The domain for the join domain account. -- **DomainAdminPassword.** The password for the join domain account. -- **MachineObjectOU.** The organizational unit (OU) to which to add the computer account. -- **ScanStateArgs.** Arguments for the User State Migration Tool (USMT) ScanState command. -- **USMTMigFiles(\*).** List of USMT templates (controlling what to back up and restore). -- **EventService.** Activates logging information to the MDT monitoring web service. + +- **JoinDomain.** The domain to join. +- **DomainAdmin.** The account to use when joining the machine to the domain. +- **DomainAdminDomain.** The domain for the join domain account. +- **DomainAdminPassword.** The password for the join domain account. +- **MachineObjectOU.** The organizational unit (OU) to which to add the computer account. +- **ScanStateArgs.** Arguments for the User State Migration Tool (USMT) ScanState command. +- **USMTMigFiles(\*).** List of USMT templates (controlling what to back up and restore). +- **EventService.** Activates logging information to the MDT monitoring web service. > [!NOTE] > For more information about localization support, see the following articles: @@ -578,7 +609,6 @@ If your organization has a Microsoft Software Assurance agreement, you also can If you've licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you don't have DaRT licensing, or don't want to use it, skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following steps: - > [!NOTE] > DaRT 10 is part of [MDOP 2015](/microsoft-desktop-optimization-pack/#how-to-get-mdop). > @@ -592,34 +622,33 @@ On **MDT01**: ![DaRT image.](../images/dart.png) -2. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively. +3. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively. -3. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**. +4. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**. -4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. +5. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. -5. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox. +6. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox. ![DaRT selection.](../images/mdt-07-fig09.png) - Selecting the DaRT 10 feature in the deployment share. -8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. +7. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. -9. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. +8. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. -10. Select **OK**. +9. Select **OK**. ### Update the deployment share Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This update-process is the one during which the Windows PE boot images are created. -1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**. +1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**. -2. Use the default options for the Update Deployment Share Wizard. +2. Use the default options for the Update Deployment Share Wizard. ->[!NOTE] ->The update process will take 5 to 10 minutes. +> [!NOTE] +> The update process will take 5 to 10 minutes. ## Step 8: Deploy the Windows 10 client image @@ -638,7 +667,6 @@ On **MDT01**: 3. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings. ![figure 9.](../images/mdt-07-fig10.png) - The boot image added to the WDS console. ### Deploy the Windows 10 client @@ -657,19 +685,18 @@ On **HV01**: - Hard disk: 60 GB (dynamic disk) - Installation Options: Install an operating system from a network-based installation server -2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server. +2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server. ![figure 10.](../images/mdt-07-fig11.png) - The initial PXE boot process of PC0005. -3. After Windows PE has booted, complete the Windows Deployment Wizard using the following setting: +3. After Windows PE has booted, complete the Windows Deployment Wizard using the following setting: - Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image - Computer Name: **PC0005** - Applications: Select the **Install - Adobe Reader** checkbox. -4. Setup now begins and does the following steps: +4. Setup now begins and does the following steps: - Installs the Windows 10 Enterprise operating system. - Installs the added application. @@ -689,14 +716,13 @@ Since you've enabled the monitoring on the MDT Production deployment share, you On **MDT01**: -1. In the Deployment Workbench, expand the **MDT Production** deployment share folder. +1. In the Deployment Workbench, expand the **MDT Production** deployment share folder. -2. Select the **Monitoring** node, and wait until you see PC0005. +2. Select the **Monitoring** node, and wait until you see PC0005. -3. Double-click PC0005, and review the information. +3. Double-click PC0005, and review the information. ![figure 11.](../images/mdt-07-fig13.png) - The Monitoring node, showing the deployment progress of PC0005. ### Use information in the Event Viewer @@ -704,7 +730,6 @@ On **MDT01**: When monitoring is enabled, MDT also writes information to the event viewer on MDT01. This information can be used to trigger notifications via scheduled tasks when deployment is completed. For example, you can configure scheduled tasks to send an email when a certain event is created in the event log. ![figure 12.](../images/mdt-07-fig14.png) - The Event Viewer showing a successful deployment of PC0005. ## Multicast deployments @@ -721,13 +746,15 @@ Setting up MDT for multicast is straightforward. You enable multicast on the dep On **MDT01**: -1. In the Deployment Workbench, right-click the **MDT Production** deployment share folder and select **Properties**. -2. On the **General** tab, select the **Enable multicast for this deployment share (requires Windows Server 2008 R2 Windows Deployment Services)** check box, and select **OK**. -3. Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**. -4. After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created. +1. In the Deployment Workbench, right-click the **MDT Production** deployment share folder and select **Properties**. + +2. On the **General** tab, select the **Enable multicast for this deployment share (requires Windows Server 2008 R2 Windows Deployment Services)** check box, and select **OK**. + +3. Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**. + +4. After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created. ![figure 13.](../images/mdt-07-fig15.png) - The newly created multicast namespace. ## Use offline media to deploy Windows 10 @@ -742,19 +769,19 @@ To filter what is being added to the media, you create a selection profile. When On **MDT01**: -1. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click **Selection Profiles**, and select **New Selection Profile**. +1. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click **Selection Profiles**, and select **New Selection Profile**. -2. Use the following settings for the New Selection Profile Wizard: +2. Use the following settings for the New Selection Profile Wizard: - - General Settings - - Selection profile name: Windows 10 Offline Media + - General Settings + - **Selection profile name**: Windows 10 Offline Media - - Folders - - Applications / Adobe - - Operating Systems / Windows 10 - - Out-Of-Box Drivers / WinPE x64 - - Out-Of-Box Drivers / Windows 10 x64 - - Task Sequences / Windows 10 + - Folders + - Applications / Adobe + - Operating Systems / Windows 10 + - Out-Of-Box Drivers / WinPE x64 + - Out-Of-Box Drivers / Windows 10 x64 + - Task Sequences / Windows 10 ![offline media.](../images/mdt-offline-media.png) @@ -762,17 +789,18 @@ On **MDT01**: In these steps, you generate offline media from the MDT Production deployment share. To filter what is being added to the media, you use the previously created selection profile. -1. On MDT01, using File Explorer, create the **D:\\MDTOfflineMedia** folder. +1. On MDT01, using File Explorer, create the **D:\\MDTOfflineMedia** folder. - >[!NOTE] - >When creating offline media, you need to create the target folder first. It's crucial that you don't create a subfolder inside the deployment share folder because it will break the offline media. - -2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**. + > [!NOTE] + > When creating offline media, you need to create the target folder first. It's crucial that you don't create a subfolder inside the deployment share folder because it will break the offline media. -3. Use the following settings for the New Media Wizard: - - General Settings - - Media path: **D:\\MDTOfflineMedia** - - Selection profile: **Windows 10 Offline Media** +2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**. + +3. Use the following settings for the New Media Wizard: + + - General Settings + - Media path: **D:\\MDTOfflineMedia** + - Selection profile: **Windows 10 Offline Media** ### Configure the offline media @@ -780,24 +808,25 @@ Offline media has its own rules, its own Bootstrap.ini and CustomSettings.ini fi On **MDT01**: -1. Copy the CustomSettings.ini file from the **D:\MDTProduction\Control** folder to **D:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files. +1. Copy the CustomSettings.ini file from the **D:\MDTProduction\Control** folder to **D:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files. -2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**. +2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**. -3. In the **General** tab, configure the following: +3. In the **General** tab, configure the following: - Clear the Generate x86 boot image check box. - ISO file name: Windows 10 Offline Media.iso -4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. +4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. -5. On the **General** sub tab, configure the following settings: - - In the **Lite Touch Boot Image Settings** area: - - Image description: MDT Production x64 - - In the **Windows PE Customizations** area, set the Scratch space size to 128. +5. On the **General** sub tab, configure the following settings: -6. On the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. + - In the **Lite Touch Boot Image Settings** area: + - **Image description**: MDT Production x64 + - In the **Windows PE Customizations** area, set the Scratch space size to 128. -7. Select **OK**. +6. On the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. + +7. Select **OK**. ### Generate the offline media @@ -805,30 +834,36 @@ You've now configured the offline media deployment share, however the share hasn On **MDT01**: -1. In the Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node. +1. In the Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node. -2. Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **D:\\MDTOfflineMedia\\Content** folder. The process might require several minutes. +2. Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **D:\\MDTOfflineMedia\\Content** folder. The process might require several minutes. ### Create a bootable USB stick The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it's often more efficient to use USB sticks instead since they're faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.) ->[!TIP] ->In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM:
 
Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
 
Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
 
To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`True`), so this must be changed and the offline media content updated. +> [!TIP] +> In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM: +> +> **`Dism.exe /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.`** +> +> Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm. +> +> To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`True`), so this must be changed and the offline media content updated. Follow these steps to create a bootable USB stick from the offline media content: -1. On a physical machine running Windows 7 or later, insert the USB stick you want to use. +1. On a physical machine running Windows 7 or later, insert the USB stick you want to use. -2. Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick. +2. Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick. -3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**. +3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**. -4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F. +4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F. -5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter). +5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter). -6. In the Diskpart utility, type **active**, and then type **exit**. +6. In the Diskpart utility, type **active**, and then type **exit**. ## Unified Extensible Firmware Interface (UEFI)-based deployments @@ -840,9 +875,9 @@ The partitions when deploying an UEFI-based machine. ## Related articles -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-settings.md)
+- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) +- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) +- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) +- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) +- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) +- [Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md index 701f10efc1..73c2d4b629 100644 --- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md @@ -11,19 +11,20 @@ ms.topic: article ms.technology: itpro-deploy ms.collection: - highpri -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Get started with MDT -**Applies to** +**Applies to:** + - Windows 10 This article provides an overview of the features, components, and capabilities of the [Microsoft Deployment Toolkit (MDT)](/mem/configmgr/mdt/). When you have finished reviewing this information, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). ## About MDT -MDT is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution. MDT is one of the most important tools available to IT professionals today. +MDT is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution. MDT is one of the most important tools available to IT professionals today. In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) with more guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. @@ -37,39 +38,58 @@ MDT supports the deployment of Windows 10, and Windows 7, Windows 8.1, and Windo MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it's considered fundamental to Windows operating system and enterprise application deployment. MDT has many useful features, such as: -- **Windows Client support.** Supports Windows 7, Windows 8.1, and Windows 10. -- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. -- **Additional operating systems support.** Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/en-us/download/details.aspx?id=26558), and Windows 8.1 Embedded Industry. -- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. -- **GPT support.** Supports deployment to machines that require the new GPT partition table format. This feature is related to UEFI. -- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts. + +- **Windows Client support**: Supports Windows 7, Windows 8.1, and Windows 10. + +- **Windows Server support**: Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. + +- **Additional operating systems support**: Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/download/details.aspx?id=26558), and Windows 8.1 Embedded Industry. + +- **UEFI support**: Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. + +- **GPT support**: Supports deployment to machines that require the new GPT partition table format. This feature is related to UEFI. + +- **Enhanced Windows PowerShell support**: Provides support for running PowerShell scripts. ![figure 2.](../images/mdt-05-fig02.png) - The deployment share mounted as a standard PSDrive allows for administration using PowerShell. -- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard. -- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER). -- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence. -- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file. -- **Improved deployment wizard.** Provides more progress information and a cleaner UI for the Lite Touch Deployment Wizard. -- **Monitoring.** Allows you to see the status of currently running deployments. -- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM). -- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure. -- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time. -- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment. +- **Add local administrator accounts**: Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard. + +- **Automated participation in CEIP and WER**: Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER). + +- **Deploy Windows RE**: Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence. + +- **Deploy to VHD**: Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file. + +- **Improved deployment wizard**: Provides more progress information and a cleaner UI for the Lite Touch Deployment Wizard. + +- **Monitoring**: Allows you to see the status of currently running deployments. + +- **Apply GPO Pack**: Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM). + +- **Partitioning routines**: Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure. + +- **Offline BitLocker**: Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time. + +- **USMT offline user-state migration**: Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment. ![figure 3.](../images/mdt-05-fig03.png) - The offline USMT backup in action. -- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features. -- **Microsoft System Center Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence. -- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image. -- **Support for Microsoft Office.** Provides added support for deploying Microsoft Office. -- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. -- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. -- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, see the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/). +- **Install or uninstall Windows roles or features**: Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features. + +- **Microsoft System Center Orchestrator integration**: Provides the capability to use Orchestrator runbooks as part of the task sequence. + +- **Support for DaRT**: Supports optional integration of the DaRT components into the boot image. + +- **Support for Microsoft Office**: Provides added support for deploying Microsoft Office. + +- **Support for Modern UI app package provisioning**: Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. + +- **Extensibility**: Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. + +- **Upgrade task sequence**: Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, see the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/). ## MDT Lite Touch components @@ -88,6 +108,7 @@ A deployment share is essentially a folder on the server that is shared and cont ## Rules The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed: + - Computer name - Domain to join, and organizational unit (OU) in Active Directory to hold the computer object - Whether to enable BitLocker @@ -95,13 +116,11 @@ The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The r You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](/mem/configmgr/mdt/). ![figure 5.](../images/mdt-05-fig05.png) - Example of an MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number ## Boot images -Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment -share on the server and start the deployment. +Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment share on the server and start the deployment. ## Operating systems @@ -124,33 +143,44 @@ With the Deployment Workbench, you can add any Microsoft packages that you want Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence. You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows: -- **Gather.** Reads configuration settings from the deployment server. -- **Format and Partition.** Creates the partition(s) and formats them. -- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository. -- **Apply Operating System.** Uses ImageX to apply the image. -- **Windows Update.** Connects to a WSUS server and updates the machine. + +- **Gather**: Reads configuration settings from the deployment server. +- **Format and Partition**: Creates the partition(s) and formats them. +- **Inject Drivers**: Finds out which drivers the machine needs and downloads them from the central driver repository. +- **Apply Operating System**: Applies the Windows image. +- **Windows Update**: Connects to a WSUS server and updates the machine. ## Task sequence templates MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they'll be available when you create a new task sequence. -- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer. + +- **Sysprep and Capture task sequence**: Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer. > [!NOTE] > It's preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture can't. - -- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production. -- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned. -- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action). -- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it doesn't contain any USMT actions because USMT isn't supported on servers. -- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature. -- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Useful for server deployments but not often used for client deployments. -- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file. -- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers. -- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers. + +- **Standard Client task sequence**: The most frequently used task sequence. Used for creating reference images and for deploying clients in production. + +- **Standard Client Replace task sequence**: Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned. + +- **Custom task sequence**: As the name implies, a custom task sequence with only one default action (one Install Application action). + +- **Standard Server task sequence**: The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it doesn't contain any USMT actions because USMT isn't supported on servers. + +- **Lite Touch OEM task sequence**: Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature. + +- **Post OS Installation task sequence**: A task sequence prepared to run actions after the operating system has been deployed. Useful for server deployments but not often used for client deployments. + +- **Deploy to VHD Client task sequence**: Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file. + +- **Deploy to VHD Server task sequence**: Same as the Deploy to VHD Client task sequence but for servers. + +- **Standard Client Upgrade task sequence**: A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers. ## Selection profiles Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to: + - Control which drivers and packages are injected into the Lite Touch (and generic) boot images. - Control which drivers are injected during the task sequence. - Control what is included in any media that you create. @@ -161,8 +191,8 @@ Selection profiles, which are available in the Advanced Configuration node, prov MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well. -**Note** -The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). +> [!NOTE] +> The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). ## Monitoring @@ -170,4 +200,4 @@ On the deployment share, you also can enable monitoring. After you enable monito ## See next -[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) +- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 874e591992..e5eb7ae010 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md @@ -11,13 +11,14 @@ ms.topic: article ms.technology: itpro-deploy ms.collection: - highpri -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Prepare for deployment with MDT -**Applies to** -- Windows 10 +**Applies to:** + +- Windows 10 This article will walk you through the steps necessary to prepare your network and server infrastructure to deploy Windows 10 with the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the file system and in Active Directory. @@ -28,25 +29,34 @@ The procedures in this guide use the following names and infrastructure. ### Network and servers For the purposes of this article, we'll use three server computers: **DC01**, **MDT01**, and **HV01**. -- All servers are running Windows Server 2019. - - You can use an earlier version of Windows Server with minor modifications to some procedures. - - Note: Although MDT supports Windows Server 2008 R2, at least Windows Server 2012 R2 or later is required to perform the procedures in this guide. -- **DC01** is a domain controller, DHCP server, and DNS server for contoso.com, representing the fictitious Contoso Corporation. + +- All servers are running Windows Server 2019. + + - You can use an earlier version of Windows Server with minor modifications to some procedures. + +- **DC01** is a domain controller, DHCP server, and DNS server for **contoso.com**, representing the fictitious Contoso Corporation. + - **MDT01** is a domain member server in contoso.com with a data (D:) drive that can store at least 200 GB. MDT01 will host deployment shares and run the Windows Deployment Service. Optionally, MDT01 is also a WSUS server. - - A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-10-deployment.md) for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway. + + - A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-10-deployment.md) for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway. + - **HV01** is a Hyper-V host computer that is used to build a Windows 10 reference image. - - See [Hyper-V requirements](#hyper-v-requirements) below for more information about HV01. + - See [Hyper-V requirements](#hyper-v-requirements) below for more information about HV01. ### Client computers Several client computers are referenced in this guide with hostnames of PC0001 to PC0007. - **PC0001**: A computer running Windows 10 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. + - Client name: PC0001 - IP Address: DHCP + - **PC0002**: A computer running Windows 7 SP1 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This computer is referenced during the migration scenarios. + - Client name: PC0002 - IP Address: DHCP + - **PC0003 - PC0007**: These are other client computers similar to PC0001 and PC0002 that are used in this guide and another guide for various scenarios. The device names are incremented for clarity within each scenario. For example, PC0003 and PC0004 are running Windows 7 just like PC0002, but are used for Configuration Manager refresh and replace scenarios, respectively. ### Storage requirements @@ -59,15 +69,15 @@ If you don't have access to a Hyper-V server, you can install Hyper-V on a Windo ### Network requirements -All server and client computers referenced in this guide are on the same subnet. This isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. ### Domain credentials The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials. -**Active Directory domain name**: contoso.com
-**Domain administrator username**: administrator
-**Domain administrator password**: pass@word1 +- **Active Directory domain name**: contoso.com +- **Domain administrator username**: administrator +- **Domain administrator password**: pass@word1 ### Organizational unit structure @@ -82,33 +92,39 @@ These steps assume that you have the MDT01 member server running and configured On **MDT01**: Visit the [Download and install the Windows ADK](/windows-hardware/get-started/adk-install) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you'll need to create this folder): + - [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042) - [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2087112) - [The Windows System Image Manager (WSIM) 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334) - (Optional) [The MDT_KB4564442 patch for BIOS firmware](https://download.microsoft.com/download/3/0/6/306AC1B2-59BE-43B8-8C65-E141EF287A5E/KB4564442/MDT_KB4564442.exe) - - This patch is needed to resolve a bug that causes detection of BIOS-based machines as UEFI-based machines. If you have a UEFI deployment, you don't need this patch. + - This patch is needed to resolve a bug that causes detection of BIOS-based machines as UEFI-based machines. If you have a UEFI deployment, you don't need this patch. ->[!TIP] ->You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties). +> [!TIP] +> You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties). 1. On **MDT01**, ensure that you're signed in as an administrator in the CONTOSO domain. - - For the purposes of this guide, we're using a Domain Admin account of **administrator** with a password of pass@word1. You can use your own administrator username and password as long as you properly adjust all steps in this guide that use these login credentials. + + - For the purposes of this guide, we're using a Domain Admin account of **administrator** with a password of **pass@word1**. You can use your own administrator username and password as long as you properly adjust all steps in this guide that use these login credentials. + 2. Start the **ADK Setup** (D:\\Downloads\\ADK\\adksetup.exe), select **Next** twice to accept the default installation parameters, select **Accept** to accept the license agreement, and then on the **Select the features you want to install** page accept the default list of features by clicking **Install**. This will install deployment tools and the USMT. Verify that the installation completes successfully before moving to the next step. + 3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), select **Next** twice to accept the default installation parameters, select **Accept** to accept the license agreement, and then on the **Select the features you want to install** page select **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully before moving to the next step. + 4. Extract the **WSIM 1903 update** (D:\\Downloads\ADK\\WSIM1903.zip) and then run the **UpdateWSIM.bat** file. - You can confirm that the update is applied by viewing properties of the ImageCat.exe and ImgMgr.exe files at **C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM** and verifying that the **Details** tab displays a **File version** of **10.0.18362.144** or later. -5. If you downloaded the optional MDT_KB4564442 patch for BIOS based deployment, see [this support article](https://support.microsoft.com/en-us/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7) for instructions on how to install the patch. + +5. If you downloaded the optional MDT_KB4564442 patch for BIOS based deployment, see [this support article](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7) for instructions on how to install the patch. ## Install and initialize Windows Deployment Services (WDS) On **MDT01**: 1. Open an elevated Windows PowerShell prompt and enter the following command: - + ```powershell Install-WindowsFeature -Name WDS -IncludeManagementTools - WDSUTIL /Verbose /Progress /Initialize-Server /Server:MDT01 /RemInst:"D:\RemoteInstall" - WDSUTIL /Set-Server /AnswerClients:All + WDSUTIL.exe /Verbose /Progress /Initialize-Server /Server:MDT01 /RemInst:"D:\RemoteInstall" + WDSUTIL.exe /Set-Server /AnswerClients:All ``` ## Optional: Install Windows Server Update Services (WSUS) @@ -117,26 +133,32 @@ If you wish to use MDT as a WSUS server using the Windows Internal Database (WID To install WSUS on MDT01, enter the following at an elevated Windows PowerShell prompt: - ```powershell - Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI - cmd /c "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS - ``` +```powershell +Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI +"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS +``` ->To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](../update/waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) on DC01 and perform the neccessary post-installation configuration of WSUS on MDT01. +> [!NOTE] +> To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](../update/waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) on DC01 and perform the necessary post-installation configuration of WSUS on MDT01. ## Install MDT ->[!NOTE] ->MDT installation requires the following: ->- The Windows ADK for Windows 10 (installed in the previous procedure) ->- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check) ->- Microsoft .NET Framework +> [!NOTE] +> MDT installation requires the following: +> +> - The Windows ADK for Windows 10 (installed in the previous procedure) +> - Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; enter `$host` to check) +> - Microsoft .NET Framework On **MDT01**: -1. Visit the [MDT resource page](/mem/configmgr/mdt/) and select **Download MDT**. -2. Save the **MicrosoftDeploymentToolkit_x64.msi** file to the D:\\Downloads\\MDT folder on MDT01. - - **Note**: As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work. +1. Visit the [MDT resource page](/mem/configmgr/mdt/) and select **Download MDT**. + +2. Save the **MicrosoftDeploymentToolkit_x64.msi** file to the D:\\Downloads\\MDT folder on MDT01. + + > [!NOTE] + > As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work. + 3. Install **MDT** (D:\\Downloads\\MDT\\MicrosoftDeploymentToolkit_x64.exe) with the default settings. ## Create the OU structure @@ -186,20 +208,27 @@ To use the Active Directory Users and Computers console (instead of PowerShell): On **DC01**: -1. Using the Active Directory Users and Computers console (dsa.msc), in the contoso.com domain level, create a top-level OU named **Contoso**. -2. In the **Contoso** OU, create the following OUs: - 1. Accounts - 2. Computers - 3. Groups -3. In the **Contoso / Accounts** OU, create the following underlying OUs: - 1. Admins - 2. Service Accounts - 3. Users -4. In the **Contoso / Computers** OU, create the following underlying OUs: - 1. Servers - 2. Workstations -5. In the **Contoso / Groups** OU, create the following OU: - 1. Security Groups +1. Using the Active Directory Users and Computers console (dsa.msc), in the contoso.com domain level, create a top-level OU named **Contoso**. + +2. In the **Contoso** OU, create the following OUs: + + - Accounts + - Computers + - Groups + +3. In the **Contoso / Accounts** OU, create the following underlying OUs: + + - Admins + - Service Accounts + - Users + +4. In the **Contoso / Computers** OU, create the following underlying OUs: + + - Servers + - Workstations + +5. In the **Contoso / Groups** OU, create the following OU: + - Security Groups The final result of either method is shown below. The **MDT_BA** account will be created next. @@ -212,6 +241,7 @@ To create an MDT build account, open an elevated Windows PowerShell prompt on DC ```powershell New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true ``` + If you have the Active Directory Users and Computers console open you can refresh the view and see this new account in the **Contoso\Accounts\Service Accounts** OU as shown in the screenshot above. ## Create and share the logs folder @@ -220,8 +250,9 @@ By default MDT stores the log files locally on the client. In order to capture a On **MDT01**: -1. Sign in as **CONTOSO\\administrator**. -2. Create and share the **D:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt: +1. Sign in as **CONTOSO\\administrator**. + +2. Create and share the **D:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt: ```powershell New-Item -Path D:\Logs -ItemType directory @@ -235,7 +266,7 @@ See the following example: ## Use CMTrace to read log files (optional) -The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace ([CMTrace](/sccm/core/support/cmtrace)), which is available as part of the [Microsoft System 2012 R2 Center Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You should also download this tool. +The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace ([CMTrace](/sccm/core/support/cmtrace)), which is available as part of the [Microsoft System 2012 R2 Center Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You should also download this tool. You can use Notepad (example below): ![figure 8.](../images/mdt-05-fig09.png) @@ -252,8 +283,9 @@ When you've completed all the steps in this section to prepare for deployment, s ## Appendix -**Sample files** +### Sample files The following sample files are also available to help automate some MDT deployment tasks. This guide doesn't use these files, but they're made available here so you can see how some tasks can be automated with Windows PowerShell. + - [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU. - [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md index 13c28f34bf..b38d0d58a8 100644 --- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md +++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md @@ -9,17 +9,19 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Refresh a Windows 7 computer with Windows 10 -**Applies to** -- Windows 10 +**Applies to:** + +- Windows 10 This article will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](/mem/configmgr/mdt/). -For the purposes of this article, we'll use three computers: DC01, MDT01, and PC0001. +For the purposes of this article, we'll use three computers: DC01, MDT01, and PC0001. + - DC01 is a domain controller for the contoso.com domain. - MDT01 is domain member server that hosts your deployment share. - PC0001 is a domain member computer running a previous version of Windows that is going to be refreshed to a new version of Windows 10, with data and settings restored. The example used here is a computer running Windows 7 SP1. @@ -27,7 +29,6 @@ For the purposes of this article, we'll use three computers: DC01, MDT01, and PC Both DC01 and MDT01 are running Windows Server 2019; however any supported version of Windows Server can be used. For more information on the setup for this article, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). ![computers.](../images/mdt-04-fig01.png "Computers used in this topic") - The computers used in this article. ## The computer refresh process @@ -36,26 +37,26 @@ A computer refresh isn't the same as an in-place upgrade because a computer refr For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh, you will: -1. Back up data and settings locally, in a backup folder. -2. Wipe the partition, except for the backup folder. -3. Apply the new operating system image. -4. Install other applications. -5. Restore data and settings. +1. Back up data and settings locally, in a backup folder. +2. Wipe the partition, except for the backup folder. +3. Apply the new operating system image. +4. Install other applications. +5. Restore data and settings. During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are linked in the file system, which allows for fast migration, even when there's many files. ->[!NOTE] ->In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario. - +> [!NOTE] +> In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario. + ### Multi-user migration By default, ScanState in USMT backs up all profiles on the machine, including local computer profiles. If you have a computer that has been in your environment for a while, it likely has several domain-based profiles on it, including those of former users. You can limit which profiles are backed up by configuring command-line switches to ScanState (added as rules in MDT). -For example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\* +For example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: `ScanStateArgs=/ue:*\* /ui:CONTOSO\*` + +> [!NOTE] +> You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days. ->[!NOTE] ->You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days. - ### Support for additional settings In addition to the command-line switches that control which profiles to migrate, [XML templates](../usmt/understanding-migration-xml-files.md) control exactly what data is being migrated. You can control data within and outside the user profiles. @@ -72,45 +73,50 @@ In this section, we assume that you've already performed the prerequisite proced - [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) - [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) -It's also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to the latest version of Windows 10. For demonstration purposes, we'll be refreshing a Windows 7 SP1 PC to Windows 10, version 1909. - +It's also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to the latest version of Windows 10. For demonstration purposes, we'll be refreshing a Windows 7 SP1 PC to Windows 10, version 1909. + ### Upgrade (refresh) a Windows 7 SP1 client ->[!IMPORTANT] ->Domain join details [specified in the deployment share rules](deploy-a-windows-10-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process. If the Windows 7 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-10-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in Contoso > Computers > Workstations. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer. +> [!IMPORTANT] +> Domain join details [specified in the deployment share rules](deploy-a-windows-10-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process. If the Windows 7 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-10-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in **Contoso** > **Computers** > **Workstations**. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer. + +1. On PC0001, sign in as **contoso\\Administrator** and start the Lite Touch Deploy Wizard by opening **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. -1. On PC0001, sign in as **contoso\\Administrator** and start the Lite Touch Deploy Wizard by opening **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. 2. Complete the deployment guide using the following settings: - - * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image - * Computer name: <default> - * Specify where to save a complete computer backup: Don't back up the existing computer - >[!NOTE] - >Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run. - * Select one or more applications to install: Install - Adobe Reader + + - Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image + + - **Computer name**: *\* + + - **Specify where to save a complete computer backup**: Don't back up the existing computer + + > [!NOTE] + > Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run. + + - **Select one or more applications to install**: Install - Adobe Reader ![Computer refresh.](../images/fig2-taskseq.png "Start the computer refresh") -4. Setup starts and performs the following actions: - - * Backs up user settings and data using USMT. - * Installs the Windows 10 Enterprise x64 operating system. - * Installs any added applications. - * Updates the operating system using your local Windows Server Update Services (WSUS) server. - * Restores user settings and data using USMT. +3. Setup starts and performs the following actions: -5. You can monitor progress of the deployment using the deployment workbench on MDT01. See the following example: + - Backs up user settings and data using USMT. + - Installs the Windows 10 Enterprise x64 operating system. + - Installs any added applications. + - Updates the operating system using your local Windows Server Update Services (WSUS) server. + - Restores user settings and data using USMT. + +4. You can monitor progress of the deployment using the deployment workbench on MDT01. See the following example: ![monitor deployment.](../images/monitor-pc0001.png) -6. After the refresh process completes, sign in to the Windows 10 computer and verify that user accounts, data and settings were migrated. +5. After the refresh process completes, sign in to the Windows 10 computer and verify that user accounts, data and settings were migrated. ## Related articles -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-settings.md) +- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) +- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) +- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) +- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) +- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) +- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) +- [Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md index 8476e0e4ed..b240a4f426 100644 --- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md @@ -10,26 +10,27 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Replace a Windows 7 computer with a Windows 10 computer -**Applies to** -- Windows 10 +**Applies to:** -A computer replace scenario for Windows 10 is similar to a computer refresh for Windows 10. However, because you're replacing a device, you can't store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings. +- Windows 10 + +A computer replace scenario for Windows 10 is similar to a computer refresh for Windows 10. However, because you're replacing a device, you can't store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings. + +For the purposes of this article, we'll use four computers: DC01, MDT01, PC0002, and PC0007. -For the purposes of this article, we'll use four computers: DC01, MDT01, PC0002, and PC0007. - DC01 is a domain controller for the contoso.com domain. - MDT01 is domain member server that hosts your deployment share. -- PC0002 is an old computer running Windows 7 SP1 that will be replaced by PC0007. +- PC0002 is an old computer running Windows 7 SP1 that will be replaced by PC0007. - PC0007 is a new computer will have the Windows 10 OS installed prior to data from PC0002 being migrated. Both PC0002 and PC0007 are members of the contoso.com domain. For more details on the setup for this article, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). ![The computers used in this topic.](../images/mdt-03-fig01.png) - The computers used in this article. >HV01 is also used in this topic to host the PC0007 virtual machine for demonstration purposes, however typically PC0007 is a physical computer. @@ -43,7 +44,9 @@ The computers used in this article. On **MDT01**: 1. Open the Deployment Workbench, under **Deployment Shares** right-click **MDT Production**, select **Properties**, and then select the **Rules** tab. + 2. Change the **SkipUserData=YES** option to **NO**, and select **OK**. + 3. Right-click on **MDT Production** and select **Update Deployment Share**. Then select **Next**, **Next**, and **Finish** to complete the Update Deployment Share Wizard with the default settings. ### Create and share the MigData folder @@ -51,23 +54,25 @@ On **MDT01**: On **MDT01**: 1. Create and share the **D:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt: - ``` powershell + + ```powershell New-Item -Path D:\MigData -ItemType directory New-SmbShare -Name MigData$ -Path D:\MigData -ChangeAccess EVERYONE icacls D:\MigData /grant '"MDT_BA":(OI)(CI)(M)' ``` - ### Create a backup only (replace) task sequence -2. In Deployment Workbench, under the **MDT Production** deployment share, select the **Task Sequences** node and create a new folder named **Other**. +### Create a backup only (replace) task sequence -3. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: +1. In Deployment Workbench, under the **MDT Production** deployment share, select the **Task Sequences** node and create a new folder named **Other**. - * Task sequence ID: REPLACE-001 - * Task sequence name: Backup Only Task Sequence - * Task sequence comments: Run USMT to back up user data and settings - * Template: Standard Client Replace Task Sequence +2. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: -4. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions. + - Task sequence ID: REPLACE-001 + - Task sequence name: Backup Only Task Sequence + - Task sequence comments: Run USMT to back up user data and settings + - Template: Standard Client Replace Task Sequence + +3. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions. ![The Backup Only Task Sequence action list.](../images/mdt-03-fig02.png "The Backup Only Task Sequence action list") @@ -77,36 +82,39 @@ On **MDT01**: During a computer replace, the following are the high-level steps that occur: -1. On the computer you're replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Windows Imaging (WIM) backup. -2. On the new computer, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored. +1. On the computer you're replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Windows Imaging (WIM) backup. + +2. On the new computer, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored. ### Run the replace task sequence On **PC0002**: -1. Sign in as **CONTOSO\\Administrator** and verify that you have write access to the **\\\\MDT01\\MigData$** share. -2. Run **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**. -3. Complete the Windows Deployment Wizard using the following settings: +1. Sign in as **CONTOSO\\Administrator** and verify that you have write access to the **\\\\MDT01\\MigData$** share. - 1. Select a task sequence to execute on this computer: Backup Only Task Sequence - * Specify where to save your data and settings: Specify a location - * Location: \\\\MDT01\\MigData$\\PC0002 - - >[!NOTE] - >If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead. - - 2. Specify where to save a complete computer backup: Don't back up the existing computer +2. Run **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**. + +3. Complete the **Windows Deployment Wizard** using the following settings: + + - **Select a task sequence to execute on this computer**: Backup Only Task Sequence + + - **Specify where to save your data and settings**: Specify a location + + - **Location**: \\\\MDT01\\MigData$\\PC0002 + + > [!NOTE] + > If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead. + + - **Specify where to save a complete computer backup**: Don't back up the existing computer The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the computer. ![The new task sequence.](../images/mdt-03-fig03.png "The new task sequence") - The new task sequence running the Capture User State action on PC0002. -4. On **MDT01**, verify that you have a USMT.MIG compressed backup file in the **D:\\MigData\\PC0002\\USMT** folder. +4. On **MDT01**, verify that you have a USMT.MIG compressed backup file in the **D:\\MigData\\PC0002\\USMT** folder. ![The USMT backup.](../images/mdt-03-fig04.png "The USMT backup") - The USMT backup of PC0002. ### Deploy the replacement computer @@ -115,37 +123,37 @@ To demonstrate deployment of the replacement computer, HV01 is used to host a vi On **HV01**: -1. Create a virtual machine with the following settings: +1. Create a virtual machine with the following settings: - * Name: PC0007 - * Location: C:\\VMs - * Generation: 2 - * Memory: 2048 MB - * Hard disk: 60 GB (dynamic disk) - * Install an operating system from a network-based installation server + - **Name**: PC0007 + - **Location**: C:\\VMs + - **Generation**: 2 + - **Memory**: 2048 MB + - **Hard disk**: 60 GB (dynamic disk) + - Install an operating system from a network-based installation server -2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from MDT01 (or MDT02 if at a remote site). +2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from MDT01 (or MDT02 if at a remote site). ![The initial PXE boot process.](../images/mdt-03-fig05.png "The initial PXE boot process") The initial PXE boot process of PC0007. -3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings: +3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings: - * Select a task sequence to execute on this computer: - * Windows 10 Enterprise x64 RTM Custom Image - * Computer Name: PC0007 - * Move Data and Settings: Don't move user data and settings. - * User Data (Restore) > Specify a location: \\\\MDT01\\MigData$\\PC0002 - * Applications: Adobe > Install - Adobe Reader + - Select a task sequence to execute on this computer: + - Windows 10 Enterprise x64 RTM Custom Image + - **Computer Name**: PC0007 + - **Move Data and Settings**: Don't move user data and settings. + - **User Data (Restore)** > **Specify a location**: \\\\MDT01\\MigData$\\PC0002 + - **Applications**: Adobe > Install - Adobe Reader -4. Setup now starts and does the following actions: +4. Setup now starts and does the following actions: - * Partitions and formats the disk. - * Installs the Windows 10 Enterprise operating system. - * Installs the application. - * Updates the operating system via your local Windows Server Update Services (WSUS) server. - * Restores the USMT backup from PC0002. + - Partitions and formats the disk. + - Installs the Windows 10 Enterprise operating system. + - Installs the application. + - Updates the operating system via your local Windows Server Update Services (WSUS) server. + - Restores the USMT backup from PC0002. You can view progress of the process by clicking the Monitoring node in the Deployment Workbench on MDT01. @@ -153,9 +161,9 @@ You can view progress of the process by clicking the Monitoring node in the Depl ## Related articles -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-[Configure MDT settings](configure-mdt-settings.md) +- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) +- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) +- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) +- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) +- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) +- [Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index c4b88adeaf..b8460e77a7 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -10,7 +10,7 @@ author: frankroj ms.topic: article ms.custom: seo-marvel-mar2020 ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Set up MDT for BitLocker @@ -18,6 +18,7 @@ ms.date: 10/28/2022 This article will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment: - A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you can also use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password. + - Multiple partitions on the hard drive. To configure your environment for BitLocker, you'll need to do the following actions: @@ -29,10 +30,8 @@ To configure your environment for BitLocker, you'll need to do the following act > [!NOTE] > Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For more information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds). -If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. - -> [!NOTE] -> Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511. +> +> If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. For the purposes of this article, we'll use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more information on the setup for this article, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md). @@ -54,18 +53,24 @@ The BitLocker Recovery information on a computer object in the contoso.com domai The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell): 1. On DC01, log on as **CONTOSO\\Administrator**, and, using Server Manager, select **Add roles and features**. + 2. On the **Before you begin** page, select **Next**. + 3. On the **Select installation type** page, select **Role-based or feature-based installation**, and select **Next**. + 4. On the **Select destination server** page, select **DC01.contoso.com** and select **Next**. + 5. On the **Select server roles** page, select **Next**. + 6. On the **Select features** page, expand **Remote Server Administration Tools**, expand **Feature Administration Tools**, select the following features, and then select **Next**: + 1. BitLocker Drive Encryption Administration Utilities 2. BitLocker Drive Encryption Tools 3. BitLocker Recovery Password Viewer + 7. On the **Confirm installation selections** page, select **Install**, and then select **Close**. ![figure 3.](../images/mdt-09-fig03.png) - Selecting the BitLocker Drive Encryption Administration Utilities. ### Create the BitLocker Group Policy @@ -73,32 +78,41 @@ Selecting the BitLocker Drive Encryption Administration Utilities. Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile. 1. On DC01, using Group Policy Management, right-click the **Contoso** organizational unit (OU), and select **Create a GPO in this domain, and Link it here**. + 2. Assign the name **BitLocker Policy** to the new Group Policy. -3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings: - Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives - 1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings: - 1. Allow data recovery agent (default) - 2. Save BitLocker recovery information to Active Directory Domain Services (default) - 3. Don't enable BitLocker until recovery information is stored in AD DS for operating system drives - 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy. - 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy. + +3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings found under **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** + + 1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings: + + - Allow data recovery agent (default) + - Save BitLocker recovery information to Active Directory Domain Services (default) + - Don't enable BitLocker until recovery information is stored in AD DS for operating system drives + + 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy. + + 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy. > [!NOTE] -> If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. +> If you consistently get the error: +> +> **Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system.** +> +> after encrypting a computer with BitLocker, you might have to change the various **Configure TPM platform validation profile** Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. ### Set permissions in Active Directory for BitLocker In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you've downloaded the [Add-TPMSelfWriteACE.vbs script](https://raw.githubusercontent.com/DeploymentArtist/DF4/master/BitLocker%20and%20TPM/Add-TPMSelfWriteACE.vbs) to C:\\Setup\\Scripts on DC01. 1. On DC01, start an elevated PowerShell prompt (run as Administrator). + 2. Configure the permissions by running the following command: - ```dos - cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs + ```cmd + cscript.exe C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs ``` ![figure 4.](../images/mdt-09-fig04.png) - Running the Add-TPMSelfWriteACE.vbs script on DC01. ## Add BIOS configuration tools from Dell, HP, and Lenovo @@ -113,7 +127,7 @@ If you want to automate enabling the TPM chip as part of the deployment process, The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here's a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool: -```dos +```cmd BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234 ``` @@ -135,7 +149,7 @@ Embedded Security Device Availability The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here's a sample command to enable TPM using the Lenovo tools: -```dos +```cmd cscript.exe SetConfig.vbs SecurityChip Active ``` @@ -146,21 +160,24 @@ When configuring a task sequence to run any BitLocker tool, either directly or u In the following task sequence, we added five actions: - **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false. + - **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip isn't already activated. Use the properties from the ZTICheckforTPM.wsf. > [!NOTE] > It is common for organizations to wrap these tools in scripts to get additional logging and error handling. - **Restart computer.** Self-explanatory, reboots the computer. + - **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time. + - **Enable BitLocker.** Runs the built-in action to activate BitLocker. ## Related articles -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-[Use web services in MDT](use-web-services-in-mdt.md)
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use web services in MDT](use-web-services-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md index 39b4f39cc5..b9a293d1de 100644 --- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md +++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Simulate a Windows 10 deployment in a test environment @@ -19,7 +19,9 @@ This article will walk you through the process of creating a simulated environme ## Test environment - A Windows 10 client named **PC0001** will be used to simulate deployment. The client is joined to the contoso.com domain and has access to the Internet to required download tools and scripts. + - It's assumed that you've performed (at least) the following procedures so that you have an MDT service account and an MDT production deployment share: + - [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) - [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) - [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) @@ -29,6 +31,7 @@ This article will walk you through the process of creating a simulated environme On **PC0001**: 1. Sign as **contoso\\Administrator**. + 2. Copy the following to a PowerShell script named gather.ps1 and copy it to a directory named **C:\MDT** on PC0001. ```powershell @@ -48,15 +51,22 @@ On **PC0001**: ``` 3. Download and install the free [Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717) on PC0001 so that you have access to the Configuration Manager Trace (cmtrace.exe) tool. + 4. Using Local Users and Groups (lusrmgr.msc), add the **contoso\\MDT\_BA** user account to the local **Administrators** group. + 5. Sign off, and then sign on to PC0001 as **contoso\\MDT\_BA**. + 6. Open the **\\\\MDT01\\MDTProduction$\\Scripts** folder and copy the following files to **C:\\MDT**: - 1. ZTIDataAccess.vbs - 2. ZTIGather.wsf - 3. ZTIGather.xml - 4. ZTIUtility.vbs + + - ZTIDataAccess.vbs + - ZTIGather.wsf + - ZTIGather.xml + - ZTIUtility.vbs + 7. From the **\\\\MDT01\\MDTProduction$\\Control** folder, copy the CustomSettings.ini file to **C:\\MDT**. + 8. In the **C:\\MDT** folder, create a subfolder named **X64**. + 9. From the **\\\\MDT01\\MDTProduction$\\Tools\\X64** folder, copy the Microsoft.BDD.Utility.dll file to **C:\\MDT\\X64**. ![files.](../images/mdt-09-fig06.png) @@ -64,27 +74,30 @@ On **PC0001**: The C:\\MDT folder with the files added for the simulation environment. 10. Type the following at an elevated Windows PowerShell prompt: - ``` powershell + + ```powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force Set-Location C:\MDT .\Gather.ps1 ``` + When prompted, press **R** to run the gather script. 11. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder using CMTrace. - **Note** - Warnings or errors regarding the Wizard.hta are expected. If the log file looks okay, you're ready to try a real deployment. - + + > [!NOTE] + > Warnings or errors regarding the Wizard.hta are expected. If the log file looks okay, you're ready to try a real deployment. + ![ztigather.](../images/mdt-09-fig07.png) The ZTIGather.log file from PC0001. ## Related articles -[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-[Use web services in MDT](use-web-services-in-mdt.md)
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use web services in MDT](use-web-services-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index f7438e3a79..83c7037743 100644 --- a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -9,76 +9,90 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Perform an in-place upgrade to Windows 10 with MDT -**Applies to** -- Windows 10 +**Applies to:** -The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. +- Windows 10 ->[!TIP] ->In-place upgrade is the preferred method to use when migrating from Windows 10 to a later release of Windows 10, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple. +The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. + +> [!TIP] +> In-place upgrade is the preferred method to use when migrating from Windows 10 to a later release of Windows 10, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple. In-place upgrade differs from [computer refresh](refresh-a-windows-7-computer-with-windows-10.md) in that you can't use a custom image to perform the in-place upgrade. In this article, we'll add a default Windows 10 image to the production deployment share specifically to perform an in-place upgrade. -Three computers are used in this article: DC01, MDT01, and PC0002. +Three computers are used in this article: DC01, MDT01, and PC0002. - DC01 is a domain controller for the contoso.com domain -- MDT01 is a domain member server +- MDT01 is a domain member server - PC0002 is a domain member computer running Windows 7 SP1, targeted for the Windows 10 upgrade ![computers.](../images/mdt-upgrade.png) - The computers used in this article. ->[!NOTE] ->For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). - +> [!NOTE] +> For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). +> >If you have already completed all the steps in [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md), then you already have a production deployment share and you can skip to [Add Windows 10 Enterprise x64 (full source)](#add-windows-10-enterprise-x64-full-source). ## Create the MDT production deployment share On **MDT01**: -1. Ensure you're signed on as: contoso\administrator. +1. Ensure you're signed on as **contoso\administrator**. + 2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. + 3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and select **Next**. + 4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and select **Next**. + 5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and select **Next**. + 6. On the **Options** page, accept the default settings and select **Next** twice, and then select **Finish**. + 7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. ## Add Windows 10 Enterprise x64 (full source) ->If you have already have a Windows 10 [reference image](create-a-windows-10-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section. +> [!NOTE] +> If you have already have a Windows 10 [reference image](create-a-windows-10-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section. On **MDT01**: 1. Sign in as contoso\\administrator and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. + 2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**. + 3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. + 4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: + - Full set of source files - - Source directory: (location of your source files) - - Destination directory name: W10EX64RTM + - **Source directory**: (location of your source files) + - **Destination directory name**: `W10EX64RTM` + 5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. ## Create a task sequence to upgrade to Windows 10 Enterprise On **MDT01**: -1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, then create a folder named **Windows 10**. -2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: W10-X64-UPG - - Task sequence name: Windows 10 Enterprise x64 RTM Upgrade - - Template: Standard Client Upgrade Task Sequence - - Select OS: Windows 10 Enterprise x64 RTM Default Image - - Specify Product Key: Don't specify a product key at this time - - Organization: Contoso - - Admin Password: Don't specify an Administrator password at this time +1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, then create a folder named **Windows 10**. + +2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the **New Task Sequence Wizard**: + + - **Task sequence ID**: W10-X64-UPG + - **Task sequence name**: Windows 10 Enterprise x64 RTM Upgrade + - **Template**: Standard Client Upgrade Task Sequence + - **Select OS**: Windows 10 Enterprise x64 RTM Default Image + - **Specify Product Key**: Don't specify a product key at this time + - **Organization**: Contoso + - **Admin Password**: Don't specify an Administrator password at this time ## Perform the Windows 10 upgrade @@ -87,24 +101,24 @@ To initiate the in-place upgrade, perform the following steps on PC0002 (the dev On **PC0002**: 1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs** -2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then select **Next**. + +2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then select **Next**. + 3. Select one or more applications to install (will appear if you use custom image): Install - Adobe Reader + 4. On the **Ready** tab, select **Begin** to start the task sequence. - When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. + +When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. ![upgrade1.](../images/upgrademdt-fig5-winupgrade.png) -
- ![upgrade2.](../images/mdt-upgrade-proc.png) -
- ![upgrade3.](../images/mdt-post-upg.png) After the task sequence completes, the computer will be fully upgraded to Windows 10. ## Related articles -[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-[Microsoft Deployment Toolkit downloads and resources](/mem/configmgr/mdt/) +- [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) +- [Microsoft Deployment Toolkit downloads and resources](/mem/configmgr/mdt/) diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md index f4fe3ef970..141bdd8589 100644 --- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md @@ -9,39 +9,50 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy +ms.date: 11/28/2022 --- # Use Orchestrator runbooks with MDT This article will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. + MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required. ->[!Note] ->If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website. - -## Orchestrator terminology +> [!NOTE] +> If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website. + +## Orchestrator terminology Before diving into the core details, here's a quick course in Orchestrator terminology: -- **Orchestrator Server.** This is a server that executes runbooks. -- **Runbooks.** A runbook is similar to a task sequence; it's a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database. -- **Orchestrator Designer.** This is where you build the runbooks. In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions. -- **Subscriptions.** These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook. -- **Orchestrator Console.** This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default. -- **Orchestrator web services.** These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default. -- **Integration packs.** These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few. -**Note** -To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](/previous-versions/system-center/packs/hh295851(v=technet.10)). +- **Orchestrator Server**: This is a server that executes runbooks. + +- **Runbooks**: A runbook is similar to a task sequence; it's a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database. + +- **Orchestrator Designer**: This is where you build the runbooks. In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions. + +- **Subscriptions**: These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook. + +- **Orchestrator Console**: This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default. + +- **Orchestrator web services**: These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default. + +- **Integration packs**: These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few. + +> [!NOTE] +> To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](/previous-versions/system-center/packs/hh295851(v=technet.10)). -## Create a sample runbook +## Create a sample runbook This section assumes you have Orchestrator 2012 R2 installed on a server named OR01. In this section, you create a sample runbook, which is used to log some of the MDT deployment information into a text file on OR01. 1. On OR01, using File Explorer, create the **E:\\Logfile** folder, and grant Users modify permissions (NTFS). + 2. In the **E:\\Logfile** folder, create the DeployLog.txt file. - **Note** - Make sure File Explorer is configured to show known file extensions so the file isn't named DeployLog.txt.txt. - + + > [!NOTE] + > Make sure File Explorer is configured to show known file extensions so the file isn't named DeployLog.txt.txt. + ![figure 23.](../images/mdt-09-fig23.png) Figure 23. The DeployLog.txt file. @@ -53,11 +64,16 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O Figure 24. Folder created in the Runbooks node. 4. In the **Runbooks** node, right-click the **1.0 MDT** folder, and select **New / Runbook**. + 5. On the ribbon bar, select **Check Out**. + 6. Right-click the **New Runbook** label, select **Rename**, and assign the name **MDT Sample**. + 7. Add (using a drag-and-drop operation) the following items from the **Activities** list to the middle pane: - 1. Runbook Control / Initialize Data - 2. Text File Management / Append Line + + - Runbook Control / Initialize Data + - Text File Management / Append Line + 8. Connect **Initialize Data** to **Append Line**. ![figure 25.](../images/mdt-09-fig25.png) @@ -65,6 +81,7 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O Figure 25. Activities added and connected. 9. Right-click the **Initialize Data** activity, and select **Properties** + 10. On **the Initialize Data Properties** page, select **Add**, change **Parameter 1** to **OSDComputerName**, and then select **Finish**. ![figure 26.](../images/mdt-09-fig26.png) @@ -72,8 +89,11 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O Figure 26. The Initialize Data Properties window. 11. Right-click the **Append Line** activity, and select **Properties**. + 12. On the **Append Line Properties** page, in the **File** text box, type **E:\\Logfile\\DeployLog.txt**. + 13. In the **File** encoding drop-down list, select **ASCII**. + 14. In the **Append** area, right-click inside the **Text** text box and select **Expand**. ![figure 27.](../images/mdt-09-fig27.png) @@ -87,7 +107,9 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O Figure 28. Subscribing to data. 16. In the **Published Data** window, select the **OSDComputerName** item, and select **OK**. + 17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**. + 18. In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and select **OK**. ![figure 29.](../images/mdt-09-fig29.png) @@ -95,14 +117,21 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O Figure 29. The expanded text box after all subscriptions have been added. 19. On the **Append Line Properties** page, select **Finish**. - ## Test the demo MDT runbook - After the runbook is created, you're ready to test it. -20. On the ribbon bar, select **Runbook Tester**. -21. Select **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then select **OK**: - - OSDComputerName: PC0010 -22. Verify that all activities are green (for more information, see each target). -23. Close the **Runbook Tester**. -24. On the ribbon bar, select **Check In**. +## Test the demo MDT runbook + +After the runbook is created, you're ready to test it. + +1. On the ribbon bar, select **Runbook Tester**. + +2. Select **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then select **OK**: + + - **OSDComputerName**: PC0010 + +3. Verify that all activities are green (for more information, see each target). + +4. Close the **Runbook Tester**. + +5. On the ribbon bar, select **Check In**. ![figure 30.](../images/mdt-09-fig30.png) @@ -110,23 +139,33 @@ Figure 30. All tests completed. ## Use the MDT demo runbook from MDT -1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**. -2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - 1. Task sequence ID: OR001 - 2. Task sequence name: Orchestrator Sample - 3. Task sequence comments: <blank> - 4. Template: Custom Task Sequence -3. In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab. -4. Remove the default **Application Install** action. -5. Add a **Gather** action and select the **Gather only local data (do not process rules)** option. -6. After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings: - 1. Name: Set Task Sequence Variable - 2. Task Sequence Variable: OSDComputerName - 3. Value: %hostname% -7. After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings: - 1. Orchestrator Server: OR01.contoso.com - 2. Use Browse to select **1.0 MDT / MDT Sample**. -8. Select **OK**. +1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**. + +2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the **New Task Sequence Wizard**: + + - **Task sequence ID**: OR001 + - **Task sequence name**: Orchestrator Sample + - **Task sequence comments**: *\* + - **Template**: Custom Task Sequence + +3. In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab. + +4. Remove the default **Application Install** action. + +5. Add a **Gather** action and select the **Gather only local data (do not process rules)** option. + +6. After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings: + + - **Name**: Set Task Sequence Variable + - **Task Sequence Variable**: OSDComputerName + - **Value**: %hostname% + +7. After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings: + + - **Orchestrator Server**: OR01.contoso.com + - Use **Browse** to select **1.0 MDT / MDT Sample**. + +8. Select **OK**. ![figure 31.](../images/mdt-09-fig31.png) @@ -135,22 +174,29 @@ Figure 31. The ready-made task sequence. ## Run the orchestrator sample task sequence Since this task sequence just starts a runbook, you can test the task sequence on the PC0001 client that you used for the MDT simulation environment. -**Note** -Make sure the account you're using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](/previous-versions/system-center/system-center-2012-R2/hh403774(v=sc.12)). - -1. On PC0001, log on as **CONTOSO\\MDT\_BA**. -2. Using an elevated command prompt (run as Administrator), type the following command: - ``` syntax - cscript \\MDT01\MDTProduction$\Scripts\Litetouch.vbs +> [!NOTE] +> Make sure the account you're using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](/previous-versions/system-center/system-center-2012-R2/hh403774(v=sc.12)). + +1. On PC0001, log on as **CONTOSO\\MDT\_BA**. + +2. Using an elevated command prompt (run as Administrator), type the following command: + + ```cmd + cscript.exe \\MDT01\MDTProduction$\Scripts\Litetouch.vbs ``` -3. Complete the Windows Deployment Wizard using the following information: - 1. Task Sequence: Orchestrator Sample - 2. Credentials: - 1. User Name: MDT\_BA - 2. Password: P@ssw0rd - 3. Domain: CONTOSO -4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated. + +3. Complete the **Windows Deployment Wizard** using the following information: + + 1. **Task Sequence**: Orchestrator Sample + + 2. **Credentials**: + + - **User Name**: MDT\_BA + - **Password**: P@ssw0rd + - **Domain**: CONTOSO + +4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated. ![figure 32.](../images/mdt-09-fig32.png) @@ -158,16 +204,10 @@ Figure 32. The ready-made task sequence. ## Related articles -[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) - -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) - -[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) - -[Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) - -[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) - -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) - -[Use web services in MDT](use-web-services-in-mdt.md) +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use web services in MDT](use-web-services-in-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md index f4d4812ffe..61bd481d35 100644 --- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md +++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md @@ -9,69 +9,81 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Use the MDT database to stage Windows 10 deployment information This article is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). You can use this process, for example, to add the client machines you want to deploy, specify their computer names and IP addresses, indicate applications to be deployed, and determine many more settings for the machines. -## Database prerequisites +## Database prerequisites MDT can use either SQL Server Express or full SQL Server. However, since the deployment database isn't large, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment. ->[!NOTE] ->Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database. - -## Create the deployment database +> [!NOTE] +> Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database. + +## Create the deployment database The MDT database is by default created and managed from the Deployment Workbench. In these steps, we assume you have installed SQL Server 2012 SP1 Express on MDT01. ->[!NOTE] ->Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01. - -1. On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**. -2. In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and select **Next**: - 1. SQL Server Name: MDT01 - 2. Instance: SQLEXPRESS - 3. Port: <blank> - 4. Network Library: Named Pipes -3. On the **Database** page, select **Create a new database**; in the **Database** field, type **MDT** and select **Next**. -4. On the **SQL Share** page, in the **SQL Share** field, type **Logs$** and select **Next**. Select **Next** again and then select **Finish**. +> [!NOTE] +> Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01. + +1. On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**. + +2. In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and select **Next**: + + 1. SQL Server Name: MDT01 + 2. Instance: SQLEXPRESS + 3. Port: <blank> + 4. Network Library: Named Pipes + +3. On the **Database** page, select **Create a new database**; in the **Database** field, type **MDT** and select **Next**. + +4. On the **SQL Share** page, in the **SQL Share** field, type **Logs$** and select **Next**. Select **Next** again and then select **Finish**. ![figure 8.](../images/mdt-09-fig08.png) Figure 8. The MDT database added to MDT01. -## Configure database permissions +## Configure database permissions After creating the database, you need to assign permissions to it. In MDT, the account you used to run the deployment is used to access the database. In this environment, the network access account is MDT\_BA. -1. On MDT01, start SQL Server Management Studio. -2. In the **Connect to Server** dialog box, in the **Server name** list, select **MDT01\\SQLEXPRESS** and select **Connect**. -3. In the **Object Explorer** pane, expand the top-level **Security** node, right-click **Logins**, and select **New Login**. + +1. On MDT01, start SQL Server Management Studio. + +2. In the **Connect to Server** dialog box, in the **Server name** list, select **MDT01\\SQLEXPRESS** and select **Connect**. + +3. In the **Object Explorer** pane, expand the top-level **Security** node, right-click **Logins**, and select **New Login**. ![figure 9.](../images/mdt-09-fig09.png) Figure 9. The top-level Security node. -4. On the **Login - New** page, next to the **Login** name field, select **Search**, and search for **CONTOSO\\MDT\_BA**. Then in the left pane, select **User Mapping**. Select the **MDT** database, and assign the following roles: - 1. db\_datareader - 2. db\_datawriter - 3. public (default) -5. Select **OK**, and close SQL Server Management Studio. +4. On the **Login - New** page, next to the **Login** name field, select **Search**, and search for **CONTOSO\\MDT\_BA**. Then in the left pane, select **User Mapping**. Select the **MDT** database, and assign the following roles: + + 1. db\_datareader + 2. db\_datawriter + 3. public (default) + +5. Select **OK**, and close SQL Server Management Studio. ![figure 10.](../images/mdt-09-fig10.png) Figure 10. Creating the login and settings permissions to the MDT database. -## Create an entry in the database +## Create an entry in the database To start using the database, you add a computer entry and assign a description and computer name. Use the computer's MAC Address as the identifier. -1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration**, and expand **Database**. -2. Right-click **Computers**, select **New**, and add a computer entry with the following settings: - 1. Description: New York Site - PC00075 - 2. MacAddress: <PC00075 MAC Address in the 00:00:00:00:00:00 format> - 3. Details Tab / OSDComputerName: PC00075 + +1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration**, and expand **Database**. + +2. Right-click **Computers**, select **New**, and add a computer entry with the following settings: + + 1. Description: New York Site - PC00075 + 2. MacAddress: <PC00075 MAC Address in the 00:00:00:00:00:00 format> + 3. Details Tab / OSDComputerName: PC00075 ![figure 11.](../images/mdt-09-fig11.png) @@ -79,16 +91,10 @@ Figure 11. Adding the PC00075 computer to the database. ## Related articles -[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) - -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) - -[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) - -[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) - -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) - -[Use web services in MDT](use-web-services-in-mdt.md) - -[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use web services in MDT](use-web-services-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md index 9c9f75a03e..02770d5644 100644 --- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md +++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Use web services in MDT @@ -17,79 +17,96 @@ ms.date: 10/28/2022 In this article, you'll learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. Web services provide a powerful way to assign settings during a deployment. Web services are web applications that run code on the server side, and MDT has built-in functions to call these web services. Using a web service in MDT is straightforward, but it does require that you've enabled the Web Server (IIS) role on the server. Developing web services involves some coding, but for most web services used with MDT, you can use the free Microsoft Visual Studio Express 2013 for Web. -## Create a sample web service +## Create a sample web service In these steps, we assume you have installed Microsoft Visual Studio Express 2013 for Web on PC0001 (the Windows 10 client) and downloaded the [MDT Sample Web Service](https://www.microsoft.com/download/details.aspx?id=42516) from the Microsoft Download Center and extracted it to C:\\Projects. -1. On PC0001, using Visual Studio Express 2013 for Web, open the C:\\Projects\\MDTSample\\ MDTSample.sln solution file. -2. On the ribbon bar, verify that Release is selected. -3. In the **Debug** menu, select the **Build MDTSample** action. -4. On MDT01, create a folder structure for **E:\\MDTSample\\bin**. -5. From PC0001, copy the C:\\Projects\\MDTSample\\obj\\Release\\MDTSample.dll file to the **E:\\MDTSample\\bin** folder on MDT01. -6. From PC0001, copy the following files from C:\\Projects\\MDTSample file to the **E:\\MDTSample** folder on MDT01: - 1. Web.config - 2. mdtsample.asmx -![figure 15.](../images/mdt-09-fig15.png) +1. On PC0001, using Visual Studio Express 2013 for Web, open the C:\\Projects\\MDTSample\\ MDTSample.sln solution file. -Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web. +2. On the ribbon bar, verify that Release is selected. -## Create an application pool for the web service +3. In the **Debug** menu, select the **Build MDTSample** action. + +4. On MDT01, create a folder structure for **E:\\MDTSample\\bin**. + +5. From PC0001, copy the C:\\Projects\\MDTSample\\obj\\Release\\MDTSample.dll file to the **E:\\MDTSample\\bin** folder on MDT01. + +6. From PC0001, copy the following files from C:\\Projects\\MDTSample file to the **E:\\MDTSample** folder on MDT01: + + - Web.config + - mdtsample.asmx + + ![figure 15.](../images/mdt-09-fig15.png) + + Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web. + +## Create an application pool for the web service This section assumes that you've enabled the Web Server (IIS) role on MDT01. -1. On MDT01, using Server Manager, install the **IIS Management Console** role (available under Web Server (IIS) / Management Tools). -2. Using Internet Information Services (IIS) Manager, expand the **MDT01 (CONTOSO\\Administrator)** node. If prompted with the **Do you want to get started with Microsoft Web Platform?** question, select the **Do not show this message** check box and then select **No**. -3. Right-click **Application Pools**, select **Add Application Pool**, and configure the new application pool with the following settings: - 1. Name: MDTSample - 2. .NET Framework version: .NET Framework 4.0.30319 - 3. Manage pipeline mode: Integrated - 4. Select the **Start application pool immediately** check box. - 5. Select **OK**. -![figure 16.](../images/mdt-09-fig16.png) +1. On MDT01, using Server Manager, install the **IIS Management Console** role (available under Web Server (IIS) / Management Tools). -Figure 16. The new MDTSample application. +2. Using Internet Information Services (IIS) Manager, expand the **MDT01 (CONTOSO\\Administrator)** node. If prompted with the **Do you want to get started with Microsoft Web Platform?** question, select the **Do not show this message** check box and then select **No**. -## Install the web service +3. Right-click **Application Pools**, select **Add Application Pool**, and configure the new application pool with the following settings: -1. On MDT01, using Internet Information Services (IIS) Manager, expand **Sites**, right-click **Default Web Site**, and select **Add Application**. Use the following settings for the application: - 1. Alias: MDTSample - 2. Application pool: MDTSample - 3. Physical Path: E:\\MDTSample + - **Name**: MDTSample + - **.NET Framework version**: .NET Framework 4.0.30319 + - **Manage pipeline mode**: Integrated + - Select the **Start application pool immediately** check box. + - Select **OK**. + + ![figure 16.](../images/mdt-09-fig16.png) + + Figure 16. The new MDTSample application. + +## Install the web service + +1. On MDT01, using Internet Information Services (IIS) Manager, expand **Sites**, right-click **Default Web Site**, and select **Add Application**. Use the following settings for the application: + + - **Alias**: MDTSample + - **Application pool**: MDTSample + - **Physical Path**: E:\\MDTSample ![figure 17.](../images/mdt-09-fig17.png) Figure 17. Adding the MDTSample web application. -2. In the **Default Web Site** node, select the MDTSample web application, and in the right pane, double-click **Authentication**. Use the following settings for the **Authentication** dialog box: - 1. Anonymous Authentication: Enabled - 2. ASP.NET Impersonation: Disabled +2. In the **Default Web Site** node, select the MDTSample web application, and in the right pane, double-click **Authentication**. Use the following settings for the **Authentication** dialog box: -![figure 18.](../images/mdt-09-fig18.png) + - **Anonymous Authentication**: Enabled + - **ASP.NET Impersonation**: Disabled -Figure 18. Configuring Authentication for the MDTSample web service. + ![figure 18.](../images/mdt-09-fig18.png) -## Test the web service in Internet Explorer + Figure 18. Configuring Authentication for the MDTSample web service. -1. On PC0001, using Internet Explorer, navigate to: **http://MDT01/MDTSample/mdtsample.asmx**. -2. Select the **GetComputerName** link. +## Test the web service in Internet Explorer + +1. On PC0001, using Internet Explorer, navigate to: **`http://MDT01/MDTSample/mdtsample.asmx'**. + +2. Select the **GetComputerName** link. ![figure 19.](../images/mdt-09-fig19.png) Figure 19. The MDT Sample web service. -3. On the **GetComputerName** page, type in the following settings, and select **Invoke**: - 1. Model: Hewlett-Packard - 2. SerialNumber: 123456789 -![figure 20.](../images/mdt-09-fig20.png) +3. On the **GetComputerName** page, type in the following settings, and select **Invoke**: -Figure 20. The result from the MDT Sample web service. + - **Model**: Hewlett-Packard + - **SerialNumber**: 123456789 -## Test the web service in the MDT simulation environment + ![figure 20.](../images/mdt-09-fig20.png) + + Figure 20. The result from the MDT Sample web service. + +## Test the web service in the MDT simulation environment After verifying the web service using Internet Explorer, you're ready to do the same test in the MDT simulation environment. 1. On PC0001, edit the CustomSettings.ini file in the **C:\\MDT** folder to look like the following: - ``` + + ```ini [Settings] Priority=Default, GetComputerName [Default] @@ -99,35 +116,32 @@ After verifying the web service using Internet Explorer, you're ready to do the Parameters=Model,SerialNumber OSDComputerName=string ``` + ![figure 21.](../images/mdt-09-fig21.png) Figure 21. The updated CustomSettings.ini file. 2. Save the CustomSettings.ini file. + 3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command: - ``` + + ```powershell Set-Location C:\MDT .\Gather.ps1 ``` + 4. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder. -![figure 22.](../images/mdt-09-fig22.png) + ![figure 22.](../images/mdt-09-fig22.png) -Figure 22. The OSDCOMPUTERNAME value obtained from the web service. + Figure 22. The OSDCOMPUTERNAME value obtained from the web service. ## Related articles -[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) - -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) - -[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) - -[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) - -[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) - -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) - -[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) - +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index 873c456881..0a538f15f8 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md @@ -6,16 +6,17 @@ manager: aaroncz author: frankroj ms.author: frankroj ms.prod: windows-client +ms.technology: itpro-deploy ms.topic: article ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 --- # Deploy Windows To Go in your organization -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 This article helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you've reviewed the articles [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this article to start your Windows To Go deployment. @@ -26,15 +27,15 @@ This article helps you to deploy Windows To Go in your organization. Before you The below list is items that you should be aware of before you start the deployment process: -* Only use recommended USB drives for Windows To Go. Use of other drives isn't supported. Check the list at [Windows To Go: feature overview](planning/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives. +- Only use recommended USB drives for Windows To Go. Use of other drives isn't supported. Check the list at [Windows To Go: feature overview](planning/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives. -* After you provision a new workspace, always eject a Windows To Go drive using the **Safely Remove Hardware and Eject Media** control that can be found in the notification area or in Windows Explorer. Removing the drive from the USB port without ejecting it first can cause the drive to become corrupted. +- After you provision a new workspace, always eject a Windows To Go drive using the **Safely Remove Hardware and Eject Media** control that can be found in the notification area or in Windows Explorer. Removing the drive from the USB port without ejecting it first can cause the drive to become corrupted. -* When running a Windows To Go workspace, always shut down the workspace before unplugging the drive. +- When running a Windows To Go workspace, always shut down the workspace before unplugging the drive. -* Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)). +- Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)). -* If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive. +- If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive. ## Basic deployment steps @@ -42,15 +43,15 @@ Unless you're using a customized operating system image, your initial Windows To Completing these steps will give you a generic Windows To Go drive that can be distributed to your users and then customized for their usage as needed. This drive is also appropriate for use with USB drive duplicators. Your specific deployment scenarios will involve more than just these basic steps but these additional deployment considerations are similar to traditional PC deployment and can be incorporated into your Windows To Go deployment plan. For more information, see [Windows Deployment Options](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825230(v=win.10)). ->[!WARNING] ->If you plan to use the generic Windows To Go drive as the master drive in a USB duplicator, the drive should not be booted. If the drive has been booted inadvertently it should be reprovisioned prior to duplication. +> [!WARNING] +> If you plan to use the generic Windows To Go drive as the master drive in a USB duplicator, the drive should not be booted. If the drive has been booted inadvertently it should be reprovisioned prior to duplication. ### Create the Windows To Go workspace In this step we're creating the operating system image that will be used on the Windows To Go drives. You can use the Windows To Go Creator Wizard or you can [do this manually](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) using a combination of Windows PowerShell and command-line tools. ->[!WARNING] ->The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education. +> [!WARNING] +> The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education. #### To create a Windows To Go workspace with the Windows To Go Creator Wizard @@ -58,37 +59,31 @@ In this step we're creating the operating system image that will be used on the 2. Insert the USB drive that you want to use as your Windows To Go drive into your PC. -3. Verify that the .wim file location (which can be a network share, a DVD, or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments. +3. Verify that the `.wim` file location (which can be a network share, a DVD, or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments. - >[!NOTE] - >For more information about .wim files, see [Windows System Image Manager (Windows SIM) Technical Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824929(v=win.10)). For more information about using sysprep, see [Sysprep Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825209(v=win.10)). + > [!NOTE] + > For more information about `.wim` files, see [Windows System Image Manager (Windows SIM) Technical Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824929(v=win.10)). For more information about using sysprep, see [Sysprep Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825209(v=win.10)). -4. Using Cortana, search for **Windows To Go** and then press **Enter**. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. The **Windows To Go Creator Wizard** opens. +4. Search for **Windows To Go** and then press **Enter**. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. The **Windows To Go Creator Wizard** opens. 5. On the **Choose the drive you want to use** page select the drive that represents the USB drive you inserted previously, then select **Next.** -6. On the **Choose a Windows image** page, select **Add Search Location** and then navigate to the .wim file location and select select folder. The wizard will display the installable images present in the folder; select the Windows 10 Enterprise or Windows 10 Education image you wish to use and then select **Next**. +6. On the **Choose a Windows image** page, select **Add Search Location** and then navigate to the `.wim` file location and select folder. The wizard will display the installable images present in the folder; select the Windows 10 Enterprise or Windows 10 Education image you wish to use and then select **Next**. -7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you don't wish to encrypt the drive at this time, select **Skip**. If you decide you want to add BitLocker protection later, see [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) for instructions. -r +7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you don't wish to encrypt the drive at this time, select **Skip**. If you decide you want to add BitLocker protection later, for instructions see [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)). - >[!WARNING] - >If you plan to use a USB-Duplicator to create multiple Windows To Go drives, do not enable BitLocker. Drives protected with BitLocker should not be duplicated. + > [!WARNING] + > If you plan to use a USB-Duplicator to create multiple Windows To Go drives, do not enable BitLocker. Drives protected with BitLocker should not be duplicated. - If you choose to encrypt the Windows To Go drive now: + If you choose to encrypt the Windows To Go drive now, enter a password that is at least eight characters long and conforms to your organizations password complexity policy. This password will be provided before the operating system is started so any characters you use must be able to be interpreted by the firmware. Some firmware doesn't support non-ASCII characters. - - Type a password that is at least eight characters long and conforms to your organizations password complexity policy. This password will be provided before the operating system is started so any characters you use must be able to be interpreted by the firmware. Some firmware doesn't support non-ASCII characters. - - -~~~ - >[!IMPORTANT] - >The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](/previous-versions/windows/it-pro/windows-8.1-and-8/jj592683(v=ws.11)). -~~~ + > [!IMPORTANT] + > The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](/previous-versions/windows/it-pro/windows-8.1-and-8/jj592683(v=ws.11)). 8. Verify that the USB drive inserted is the one you want to provision for Windows To Go and then select **Create** to start the Windows To Go workspace creation process. - >[!WARNING] - >The USB drive identified will be reformatted as part of the Windows To Go provisioning process and any data on the drive will be erased. + > [!WARNING] + > The USB drive identified will be reformatted as part of the Windows To Go provisioning process and any data on the drive will be erased. 9. Wait for the creation process to complete, which can take 20 to 30 minutes. A completion page will be displayed that tells you when your Windows To Go workspace is ready to use. From the completion page, you can configure the Windows To Go startup options to configure the current computer as a Windows To Go host computer. @@ -98,11 +93,15 @@ Your Windows To Go workspace is now ready to be started. You can now [prepare a The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints. This procedure can only be used on PCs that are running Windows 10. Before starting, ensure that only the USB drive that you want to provision as a Windows To Go drive is connected to the PC. -1. Using Cortana, search for **powershell**, right-click **Windows PowerShell**, and then select **Run as administrator**. +1. Search for **powershell**, right-click **Windows PowerShell**, and then select **Run as administrator**. -2. In the Windows PowerShell session type, the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This disk layout can support computers that use either UEFI or BIOS firmware: +2. In the Windows PowerShell session, enter the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This disk layout can support computers that use either UEFI or BIOS firmware: - ``` +
+
+ Expand to show PowerShell commands to partition an MBR disk + + ```powershell # The following command will set $Disk to all USB drives with >20 GB of storage $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } @@ -136,27 +135,31 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE ``` +
+ 3. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM): - >[!TIP] - >The index number must be set correctly to a valid Enterprise image in the .WIM file. + > [!TIP] + > The index number must be set correctly to a valid Enterprise image in the `.wim` file. - ``` + ```cmd #The WIM file must contain a sysprep generalized image. - dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ + dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ ``` -4. Now use the [bcdboot](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824874(v=win.10)) command line tool to move the necessary boot components to the system partition on the disk. This helps ensure that the boot components, operating system versions, and architectures match. The `/f ALL` parameter indicates that boot components for UEFI and BIOS should be placed on the system partition of the disk. The following example illustrates this step: +4. Now use the [bcdboot](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824874(v=win.10)) command line tool to move the necessary boot components to the system partition on the disk. This helps ensure that the boot components, operating system versions, and architectures match. The `/f ALL` parameter indicates that boot components for UEFI and BIOS should be placed on the system partition of the disk. The following example illustrates this step: -~~~ -``` -W:\Windows\System32\bcdboot W:\Windows /f ALL /s S: -``` -~~~ + ```cmd + W:\Windows\System32\bcdboot.exe W:\Windows /f ALL /s S: + ``` 5. Apply SAN policy—OFFLINE\_INTERNAL - "4" to prevent the operating system from automatically bringing online any internally connected disk. This is done by creating and saving a **san\_policy.xml** file on the disk. The following example illustrates this step: - ``` +
+
+ Expand to show example san_policy.xml file + + ```xml @@ -186,15 +189,21 @@ W:\Windows\System32\bcdboot W:\Windows /f ALL /s S: ``` +
+ 6. Place the **san\_policy.xml** file created in the previous step into the root directory of the Windows partition on the Windows To Go drive (W: from the previous examples) and run the following command: - ``` + ```cmd Dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml ``` 7. Create an answer file (unattend.xml) that disables the use of Windows Recovery Environment with Windows To Go. You can use the following code sample to create a new answer file or you can paste it into an existing answer file: - ``` +
+
+ Expand to show example san_policy.xml file + + ```xml @@ -218,10 +227,12 @@ W:\Windows\System32\bcdboot W:\Windows /f ALL /s S: ``` - After the answer file has been saved, copy unattend.xml into the sysprep folder on the Windows To Go drive (for example, W:\\Windows\\System32\\sysprep\) +
- >[!IMPORTANT] - >Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the **%systemroot%\\panther** folder which is the first location that setup will check for installation information. You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used. + After the answer file has been saved, copy `unattend.xml` into the sysprep folder on the Windows To Go drive (for example, `W:\Windows\System32\sysprep\`) + + > [!IMPORTANT] + > Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the **`%systemroot%\panther`** folder which is the first location that setup will check for installation information. You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used. If you don't wish to boot your Windows To Go device on this computer and want to remove it to boot it on another PC, be sure to use the **Safely Remove Hardware and Eject Media** option to safely disconnect the drive before physically removing it from the PC. @@ -231,14 +242,14 @@ Your Windows To Go workspace is now ready to be started. You can now [prepare a Computers running Windows 8 and later can be configured as host computers that use Windows To Go automatically whenever a Windows To Go workspace is available at startup. When the Windows To Go startup options are enabled on a host computer, Windows will divert startup to the Windows To Go drive whenever it's attached to the computer. This makes it easy to switch from using the host computer to using the Windows To Go workspace. ->[!TIP] ->If you will be using a PC running Windows 7 as your host computer, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) for information to help you prepare the host computer. +> [!TIP] +> If you will be using a PC running Windows 7 as your host computer, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) for information to help you prepare the host computer. If you want to use the Windows To Go workspace, shut down the computer, plug in the Windows To Go drive, and turn on the computer. To use the host computer, shut down the Windows To Go workspace, unplug the Windows To Go drive, and turn on the computer. To set the Windows To Go Startup options for host computers running Windows 10: -1. Using Cortana, search for **Windows To Go startup options** and then press **Enter**. +1. Search for **Windows To Go startup options** and then press **Enter**. 2. In the **Windows To Go Startup Options** dialog box, select **Yes**, and then select **Save Changes** to configure the computer to boot from USB @@ -250,7 +261,7 @@ For host computers running Windows 8 or Windows 8.1: You can configure your organization's computers to automatically start from the USB drive by enabling the following Group Policy setting: -**\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\Windows To Go Default Startup Options** +**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Portable Operating System** > **Windows To Go Default Startup Options** After this policy setting is enabled, automatic starting of a Windows To Go workspace will be attempted when a USB drive is connected to the computer when it's started. Users won't be able to use the Windows To Go Startup Options to change this behavior. If you disable this policy setting, booting to Windows To Go when a USB drive is connected won't occur unless a user configures the option manually in the firmware. If you don't configure this policy setting, users who are members of the Administrators group can enable or disable booting from a USB drive using the Windows To Go Startup Options. @@ -260,13 +271,13 @@ Your host computer is now ready to boot directly into Windows To Go workspace wh After you've configured your host PC to boot from USB, you can use the following procedure to boot your Windows To Go workspace: -**To boot your workspace** +**To boot your workspace:** -1. Make sure that the host PC isn't in a sleep state. If the computer is in a sleep state, either shut it down or hibernate it. +1. Make sure that the host PC isn't in a sleep state. If the computer is in a sleep state, either shut it down or hibernate it. -2. Insert the Windows To Go USB drive directly into a USB 3.0 or USB 2.0 port on the PC. Don't use a USB hub or extender. +2. Insert the Windows To Go USB drive directly into a USB 3.0 or USB 2.0 port on the PC. Don't use a USB hub or extender. -3. Turn on the PC. If your Windows To Go drive is protected with BitLocker you'll be asked to type the password, otherwise the workspace will boot directly into the Windows To Go workspace. +3. Turn on the PC. If your Windows To Go drive is protected with BitLocker you'll be asked to enter the password, otherwise the workspace will boot directly into the Windows To Go workspace. ## Advanced deployment steps @@ -276,26 +287,26 @@ The following steps are used for more advanced deployments where you want to hav Making sure that Windows To Go workspaces are effective when used off premises is essential to a successful deployment. One of the key benefits of Windows To Go is the ability for your users to use the enterprise managed domain joined workspace on an unmanaged computer that is outside your corporate network. To enable this usage, typically you would provision the USB drive as described in the basic deployment instructions and then add the configuration to support domain joining of the workspace, installation of any line-of-business applications, and configuration of your chosen remote connectivity solution such as a virtual private network client or DirectAccess. Once these configurations have been performed the user can work from the workspace using a computer that is off-premises. The following procedure allows you to provision domain joined Windows To Go workspaces for workers that don't have physical access to your corporate network. -**Prerequisites for remote access scenario** +**Prerequisites for remote access scenario:** -- A domain-joined computer running Windows 8 or later and is configured as a Windows To Go host computer +- A domain-joined computer running Windows 8 or later and is configured as a Windows To Go host computer -- A Windows To Go drive that hasn't been booted or joined to the domain using unattend settings. +- A Windows To Go drive that hasn't been booted or joined to the domain using unattend settings. -- A domain user account with rights to add computer accounts to the domain and is a member of the Administrator group on the Windows To Go host computer +- A domain user account with rights to add computer accounts to the domain and is a member of the Administrator group on the Windows To Go host computer -- [DirectAccess](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831539(v=ws.11)) configured on the domain +- [DirectAccess](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831539(v=ws.11)) configured on the domain -**To configure your Windows To Go workspace for remote access** +**To configure your Windows To Go workspace for remote access:** 1. Start the host computer and sign in using a user account with privileges to add workstations to the domain and then run the following command from an elevated command prompt replacing the example placeholder parameters (denoted by <>) with the ones applicable for your environment: - ``` - djoin /provision /domain /machine /certtemplate /policynames /savefile /reuse + ```cmd + djoin.exe /provision /domain /machine /certtemplate /policynames /savefile /reuse ``` - >[!NOTE] - >The **/certtemplate** parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. Additionally, if are using djoin.exe with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information, see the [Offline Domain Join Step-by-Step guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392267(v=ws.10)). + > [!NOTE] + > The **/certtemplate** parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. Additionally, if are using `djoin.exe` with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information, see the [Offline Domain Join Step-by-Step guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392267(v=ws.10)). 2. Insert the Windows To Go drive. @@ -303,7 +314,11 @@ Making sure that Windows To Go workspaces are effective when used off premises i 4. From the Windows PowerShell command prompt run: - ``` +
+
+ Expand this section to show PowerShell commands to run + + ```powershell # The following command will set $Disk to all USB drives with >20 GB of storage $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } @@ -337,27 +352,31 @@ Making sure that Windows To Go workspaces are effective when used off premises i Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE ``` +
+ 5. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM): -~~~ ->[!TIP] ->The index number must be set correctly to a valid Enterprise image in the .WIM file. + ```cmd + #The WIM file must contain a sysprep generalized image. + dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ + ``` -``` -#The WIM file must contain a sysprep generalized image. -dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ -``` -~~~ + > [!TIP] + > The index number must be set correctly to a valid Enterprise image in the `.wim` file. 6. After those commands have completed, run the following command: - ``` - djoin /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows + ```cmd + djoin.exe /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows ``` 7. Next, we'll need to edit the unattend.xml file to configure the first run (OOBE) settings. In this example we're hiding the Microsoft Software License Terms (EULA) page, configuring automatic updates to install important and recommended updates automatically, and identifying this workspace as part of a private office network. You can use other OOBE settings that you've configured for your organization if desired. For more information about the OOBE settings, see [OOBE](/previous-versions/windows/it-pro/windows-8.1-and-8/ff716016(v=win.10)): - ``` +
+
+ Expand this section to show example unattend.xml file + + ```xml @@ -391,16 +410,18 @@ dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /ind ``` +
+ 8. Safely remove the Windows To Go drive. 9. From a host computer, either on or off premises, start the computer and boot the Windows To Go workspace. - * If on premises using a host computer with a direct network connection, sign on using your domain credentials. + - If on premises using a host computer with a direct network connection, sign on using your domain credentials. - * If off premises, join a wired or wireless network with internet access and then sign on again using your domain credentials. + - If off premises, join a wired or wireless network with internet access and then sign on again using your domain credentials. - >[!NOTE] - >Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain. + > [!NOTE] + > Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain. You should now be able to access your organization's network resources and work from your Windows To Go workspace as you would normally work from your standard desktop computer on premises. @@ -410,17 +431,23 @@ Enabling BitLocker on your Windows To Go drive will help ensure that your data i #### Prerequisites for enabling BitLocker scenario -* A Windows To Go drive that can be successfully provisioned. +- A Windows To Go drive that can be successfully provisioned. -* A computer running Windows 8 configured as a Windows To Go host computer +- A computer running Windows 8 configured as a Windows To Go host computer -* Review the following Group Policy settings for BitLocker Drive Encryption and modify the configuration as necessary: +- Review the following Group Policy settings for BitLocker Drive Encryption and modify the configuration as necessary: - **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Require additional authentication at startup**. This policy allows the use of a password key protector with an operating system drive; this policy must be enabled to configure BitLocker from within the Windows To Go workspace. This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you're using BitLocker with or without a Trusted Platform Module (TPM). You must enable this setting and select the **Allow BitLocker without a compatible TPM** check box and then enable the **Configure use of passwords for operating system drives** setting. + - **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup** - **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Configure use of passwords for operating system drives**. This policy setting enables passwords to be used to unlock BitLocker-protected operating system drives and provides the means to configure complexity and length requirements on passwords for Windows To Go workspaces. For the complexity requirement setting to be effective the Group Policy setting **Password must meet complexity requirements** located in **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** must be also enabled. + This policy allows the use of a password key protector with an operating system drive; this policy must be enabled to configure BitLocker from within the Windows To Go workspace. This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you're using BitLocker with or without a Trusted Platform Module (TPM). You must enable this setting and select the **Allow BitLocker without a compatible TPM** check box and then enable the **Configure use of passwords for operating system drives** setting. - **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Enable use of BitLocker authentication requiring preboot keyboard input on slates**. This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. If this setting isn't enabled, passwords can't be used to unlock BitLocker-protected operating system drives. + - **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure use of passwords for operating system drives** + + This policy setting enables passwords to be used to unlock BitLocker-protected operating system drives and provides the means to configure complexity and length requirements on passwords for Windows To Go workspaces. For the complexity requirement setting to be effective the Group Policy setting **Password must meet complexity requirements** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy** must be also enabled. + + - **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Enable use of BitLocker authentication requiring preboot keyboard input on slates** + + This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. If this setting isn't enabled, passwords can't be used to unlock BitLocker-protected operating system drives. You can choose to enable BitLocker protection on Windows To Go drives before distributing them to users as part of your provisioning process or you can allow your end-users to apply BitLocker protection to them after they have taken possession of the drive. A step-by-step procedure is provided for both scenarios. @@ -432,10 +459,12 @@ Enabling BitLocker after distribution requires that your users turn on BitLocker BitLocker recovery keys are the keys that can be used to unlock a BitLocker protected drive if the standard unlock method fails. It's recommended that your BitLocker recovery keys be backed up to Active Directory Domain Services (AD DS). If you don't want to use AD DS to store recovery keys you can save recovery keys to a file or print them. How BitLocker recovery keys are managed differs depending on when BitLocker is enabled. -- If BitLocker protection is enabled during provisioning, the BitLocker recovery keys will be stored under the computer account of the computer used for provisioning the drives. If backing up recovery keys to AD DS isn't used, the recovery keys will need to be printed or saved to a file for each drive. The IT administrator must track which keys were assigned to which Windows To Go drive. +- If BitLocker protection is enabled during provisioning, the BitLocker recovery keys will be stored under the computer account of the computer used for provisioning the drives. If backing up recovery keys to AD DS isn't used, the recovery keys will need to be printed or saved to a file for each drive. The IT administrator must track which keys were assigned to which Windows To Go drive. -- **Warning** - If BitLocker is enabled after distribution, the recovery key will be backed up to AD DS under the computer account of the workspace. If backing up recovery keys to AD DS isn't used, they can be printed or saved to a file by the user. If the IT administrator wants a central record of recovery keys, a process by which the user provides the key to the IT department must be put in place. +- If BitLocker is enabled after distribution, the recovery key will be backed up to AD DS under the computer account of the workspace. If backing up recovery keys to AD DS isn't used, they can be printed or saved to a file by the user. + + > [!WARNING] + > If backing up recovery keys to AD DS isn't used and the IT administrator wants a central record of recovery keys, a process by which the user provides the key to the IT department must be put in place. #### To enable BitLocker during provisioning @@ -447,10 +476,14 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot 4. Provision the Windows To Go drive using the following cmdlets: - >[!NOTE] - >If you used the [manual method for creating a workspace](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step. + > [!NOTE] + > If you used the [manual method for creating a workspace](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step. - ``` +
+
+ Expand this section to show PowerShell commands to run + + ```powershell # The following command will set $Disk to all USB drives with >20 GB of storage $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } @@ -484,25 +517,27 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE ``` +
+ Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM): - >[!TIP] - >The index number must be set correctly to a valid Enterprise image in the .WIM file. + > [!TIP] + > The index number must be set correctly to a valid Enterprise image in the `.wim` file. - ``` + ```cmd #The WIM file must contain a sysprep generalized image. - dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ + dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ ``` 5. In the same PowerShell session, use the following cmdlet to add a recovery key to the drive: - ``` + ```powershell $BitlockerRecoveryProtector = Add-BitLockerKeyProtector W: -RecoveryPasswordProtector ``` 6. Next, use the following cmdlets to save the recovery key to a file: - ``` + ```powershell #The BitLocker Recovery key is essential if for some reason you forget the BitLocker password #This recovery key can also be backed up into Active Directory using manage-bde.exe or the #PowerShell cmdlet Backup-BitLockerKeyProtector. @@ -512,35 +547,34 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot 7. Then, use the following cmdlets to add the password as a secure string. If you omit the password the cmdlet will prompt you for the password before continuing the operation: - ``` + ```powershell # Create a variable to store the password $spwd = ConvertTo-SecureString -String -AsplainText -Force Enable-BitLocker W: -PasswordProtector $spwd ``` - >[!WARNING] - >To have BitLocker only encrypt used space on the disk append the parameter `-UsedSpaceOnly` to the `Enable-BitLocker` cmdlet. As data is added to the drive BitLocker will encrypt additional space. Using this parameter will speed up the preparation process as a smaller percentage of the disk will require encryption. If you are in a time critical situation where you cannot wait for encryption to complete you can also safely remove the Windows To Go drive during the encryption process. The next time the drive is inserted in a computer it will request the BitLocker password. Once the password is supplied, the encryption process will continue. If you do this, make sure your users know that BitLocker encryption is still in process and that they will be able to use the workspace while the encryption completes in the background. + > [!WARNING] + > To have BitLocker only encrypt used space on the disk append the parameter `-UsedSpaceOnly` to the `Enable-BitLocker` cmdlet. As data is added to the drive BitLocker will encrypt additional space. Using this parameter will speed up the preparation process as a smaller percentage of the disk will require encryption. If you are in a time critical situation where you cannot wait for encryption to complete you can also safely remove the Windows To Go drive during the encryption process. The next time the drive is inserted in a computer it will request the BitLocker password. Once the password is supplied, the encryption process will continue. If you do this, make sure your users know that BitLocker encryption is still in process and that they will be able to use the workspace while the encryption completes in the background. 8. Copy the numerical recovery password and save it to a file in a safe location. The recovery password will be required if the password is lost or forgotten. - >[!WARNING] - >If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key. + > [!WARNING] + > If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key. - If you want to have the recovery information stored under the account of the Windows To Go workspace, you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#enable-bitlocker). + If you want to have the recovery information stored under the account of the Windows To Go workspace, you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#to-enable-bitlocker-after-distribution). 9. Safely remove the Windows To Go drive. The Windows To Go drives are now ready to be distributed to users and are protected by BitLocker. When you distribute the drives, make sure the users know the following information: -* Initial BitLocker password that they'll need to boot the drives. +- Initial BitLocker password that they'll need to boot the drives. -* Current encryption status. +- Current encryption status. -* Instructions to change the BitLocker password after the initial boot. +- Instructions to change the BitLocker password after the initial boot. -* Instructions for how to retrieve the recovery password if necessary. These instructions may be a help desk process, an automated password retrieval site, or a person to contact. +- Instructions for how to retrieve the recovery password if necessary. These instructions may be a help desk process, an automated password retrieval site, or a person to contact. - #### To enable BitLocker after distribution 1. Insert your Windows To Go drive into your host computer (that is currently shut down) and then turn on the computer and boot into your Windows To Go workspace @@ -551,8 +585,8 @@ The Windows To Go drives are now ready to be distributed to users and are protec 4. Complete the steps in the **BitLocker Setup Wizard** selecting the password protection option. ->[!NOTE] ->If you have not configured the Group Policy setting **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Require additional authentication at startup** to specify **Allow BitLocker without a compatible TPM** you will not be able to enable BitLocker from within the Windows To Go workspace. +> [!NOTE] +> If you have not configured the Group Policy setting **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup** to specify **Allow BitLocker without a compatible TPM** you will not be able to enable BitLocker from within the Windows To Go workspace. ### Advanced deployment sample script @@ -562,11 +596,11 @@ The sample script creates an unattend file that streamlines the deployment proce #### Prerequisites for running the advanced deployment sample script -* To run this sample script, you must open a Windows PowerShell session as an administrator from a domain-joined computer using an account that has permission to create domain accounts. +- To run this sample script, you must open a Windows PowerShell session as an administrator from a domain-joined computer using an account that has permission to create domain accounts. -* Using offline domain join is required by this script, since the script doesn't create a local administrator user account. However, domain membership will automatically put "Domain admins" into the local administrators group. Review your domain policies. If you're using DirectAccess, you'll need to modify the djoin.exe command to include the `policynames` and potentially the `certtemplate` parameters. +- Using offline domain join is required by this script, since the script doesn't create a local administrator user account. However, domain membership will automatically put "Domain admins" into the local administrators group. Review your domain policies. If you're using DirectAccess, you'll need to modify the `djoin.exe` command to include the `policynames` and potentially the `certtemplate` parameters. -* The script needs to use drive letters, so you can only provision half as many drives as you have free drive letters. +- The script needs to use drive letters, so you can only provision half as many drives as you have free drive letters. #### To run the advanced deployment sample script @@ -576,22 +610,26 @@ The sample script creates an unattend file that streamlines the deployment proce 3. Configure the PowerShell execution policy. By default PowerShell's execution policy is set to Restricted; that means that scripts won't run until you have explicitly given them permission to. To configure PowerShell's execution policy to allow the script to run, use the following command from an elevated PowerShell prompt: - ``` + ```powershell Set-ExecutionPolicy RemoteSigned ``` The RemoteSigned execution policy will prevent unsigned scripts from the internet from running on the computer, but will allow locally created scripts to run. For more information on execution policies, see [Set-ExecutionPolicy](/powershell/module/microsoft.powershell.security/set-executionpolicy). > [!TIP] - > To get online help for any Windows PowerShell cmdlet, whether or not it is installed locally type the following cmdlet, replacing <cmdlet-name> with the name of the cmdlet you want to see the help for: - > + > To get online help for any Windows PowerShell cmdlet, whether or not it is installed locally, enter the following cmdlet, replacing `` with the name of the cmdlet you want to see the help for: + > > `Get-Help -Online` - > + > > This command causes Windows PowerShell to open the online version of the help topic in your default Internet browser. #### Windows To Go multiple drive provisioning sample script -``` +
+
+ Expand this section to view Windows To Go multiple drive provisioning sample script + +```powershell <# .SYNOPSIS Windows To Go multiple drive provisioning sample script. @@ -959,22 +997,23 @@ write-output "Provsioning completed in: $elapsedTime (hh:mm:ss.000)" write-output "" "Provisioning script complete." ``` +
+ ## Considerations when using different USB keyboard layouts with Windows To Go In the PowerShell provisioning script, after the image has been applied, you can add the following commands that will correctly set the keyboard settings. The following example uses the Japanese keyboard layout: -``` - reg load HKLM\WTG-Keyboard ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log - reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v LayerDriver /d JPN:kbd106dll /t REG_SZ /f - reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardIdentifier /d PCAT_106KEY /t REG_SZ /f - reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardSubtype /d 2 /t REG_DWORD /f - reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardType /d 7 /t REG_DWORD /f - reg unload HKLM\WTG-Keyboard +```cmd +reg.exe load HKLM\WTG-Keyboard ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log +reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v LayerDriver /d JPN:kbd106dll /t REG_SZ /f +reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardIdentifier /d PCAT_106KEY /t REG_SZ /f +reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardSubtype /d 2 /t REG_DWORD /f +reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardType /d 7 /t REG_DWORD /f +reg.exe unload HKLM\WTG-Keyboard ``` ## Related articles - [Windows To Go: feature overview](planning/windows-to-go-overview.md) [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949) diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md index 51982b85d2..6274640054 100644 --- a/windows/deployment/deploy.md +++ b/windows/deployment/deploy.md @@ -9,7 +9,7 @@ ms.prod: windows-client ms.localizationpriority: medium ms.topic: article ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- @@ -23,7 +23,7 @@ Windows 10 upgrade options are discussed and information is provided about plann |[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This article provides information about support for upgrading directly to Windows 10 from a previous operating system. | |[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This article provides information about support for upgrading from one edition of Windows 10 to another. | |[Windows 10 volume license media](windows-10-media.md) |This article provides information about updates to volume licensing media in the current version of Windows 10. | -|[Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | +|[Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | |[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After you complete this guide, more guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md). | |[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to help Windows 10 deployment planning. | |[Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). | diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index 4589ac5834..07805dc6fb 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml @@ -1,51 +1,67 @@ -- name: Delivery Optimization for Windows client +- name: Delivery Optimization for Windows client and Microsoft Connected Cache href: index.yml +- name: What's new + href: whats-new-do.md items: - - name: Get started - items: - - name: What is Delivery Optimization - href: waas-delivery-optimization.md - - name: What's new - href: whats-new-do.md - - name: Delivery Optimization Frequently Asked Questions - href: waas-delivery-optimization-faq.yml - - - - - name: Configure Delivery Optimization +- name: Delivery Optimization + items: + - name: What is Delivery Optimization + href: waas-delivery-optimization.md + - name: Delivery Optimization Frequently Asked Questions + href: waas-delivery-optimization-faq.yml + - name: Configure Delivery Optimization for Windows clients + items: + - name: Windows client Delivery Optimization settings + href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings + - name: Configure Delivery Optimization settings using Microsoft Intune + href: /mem/intune/configuration/delivery-optimization-windows + - name: Resources for Delivery Optimization + items: + - name: Set up Delivery Optimization for Windows + href: waas-delivery-optimization-setup.md + - name: Delivery Optimization reference + href: waas-delivery-optimization-reference.md + - name: Delivery Optimization client-service communication + href: delivery-optimization-workflow.md + - name: Using a proxy with Delivery Optimization + href: delivery-optimization-proxy.md +- name: Microsoft Connected Cache + items: + - name: Microsoft Connected Cache overview + href: waas-microsoft-connected-cache.md + - name: MCC for Enterprise and Education items: - - name: Configure Windows Clients - items: - - name: Windows Delivery Optimization settings - href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings - - name: Windows Delivery Optimization Frequently Asked Questions - href: ../do/waas-delivery-optimization-faq.yml - - name: Configure Microsoft Intune - items: - - name: Delivery Optimization settings in Microsoft Intune - href: /mem/intune/configuration/delivery-optimization-windows - - - name: Microsoft Connected Cache + - name: Requirements + href: mcc-enterprise-prerequisites.md + - name: Deploy Microsoft Connected Cache + href: mcc-enterprise-deploy.md + - name: Update or uninstall MCC + href: mcc-enterprise-update-uninstall.md + - name: Appendix + href: mcc-enterprise-appendix.md + - name: MCC for ISPs items: - - name: MCC overview - href: waas-microsoft-connected-cache.md - - name: MCC for Enterprise and Education - href: mcc-enterprise.md - - name: MCC for ISPs + - name: How-to guides + items: + - name: Operator sign up and service onboarding + href: mcc-isp-signup.md + - name: Create, provision, and deploy the cache node in Azure portal + href: mcc-isp-create-provision-deploy.md + - name: Verify cache node functionality and monitor health and performance + href: mcc-isp-verify-cache-node.md + - name: Update or uninstall your cache node + href: mcc-isp-update.md + - name: Resources + items: + - name: Frequently Asked Questions + href: mcc-isp-faq.yml + - name: Enhancing VM performance + href: mcc-isp-vm-performance.md + - name: Support and troubleshooting + href: mcc-isp-support.md + - name: MCC for ISPs (early preview) href: mcc-isp.md +- name: Content endpoints for Delivery Optimization and Microsoft Connected Cache + href: delivery-optimization-endpoints.md - - name: Resources - items: - - name: Set up Delivery Optimization for Windows - href: waas-delivery-optimization-setup.md - - name: Delivery Optimization reference - href: waas-delivery-optimization-reference.md - - name: Delivery Optimization client-service communication - href: delivery-optimization-workflow.md - - name: Using a proxy with Delivery Optimization - href: delivery-optimization-proxy.md - - name: Content endpoints for Delivery Optimization and Microsoft Connected Cache - href: delivery-optimization-endpoints.md - - name: Testing Delivery Optimization - href: delivery-optimization-test.md - + diff --git a/windows/deployment/do/images/addcachenode.png b/windows/deployment/do/images/addcachenode.png new file mode 100644 index 0000000000..ea8db2a08a Binary files /dev/null and b/windows/deployment/do/images/addcachenode.png differ diff --git a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md new file mode 100644 index 0000000000..f97aed1785 --- /dev/null +++ b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md @@ -0,0 +1,30 @@ +--- +title: Don't Remove images under do/images/elixir_ux - used by Azure portal Diagnose/Solve feature UI +manager: aaroncz +description: Elixir images read me file +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: nidos +ms.localizationpriority: medium +ms.author: nidos +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Read Me + +This file contains the images that are included in this GitHub repository that are used by the Azure UI for Diagnose and Solve. The following images _shouldn't be removed_ from the repository: + +:::image type="content" source="ux-check-verbose-2.png" alt-text="A screenshot that shows 6 out of the 22 checks raising errors."::: + +:::image type="content" source="ux-check-verbose-1.png" alt-text="A screenshot that all checks passing after the iotedge check command."::: + +:::image type="content" source="ux-connectivity-check.png" alt-text="A screenshot of green checkmarks, showing that all of the connectivity checks are successful."::: + +:::image type="content" source="ux-edge-agent-failed.png" alt-text="A screenshot of the terminal after the command 'iotedge list', which shows three containers and the edgeAgent container failing."::: + +:::image type="content" source="ux-iot-edge-list.png" alt-text="A screenshot of the terminal after the command 'iotedge list', showing all three containers running successfully."::: + +:::image type="content" source="ux-mcc-failed.png" alt-text="A screenshot of the terminal after the command 'iotedge list', showing the MCC container in a failure state."::: \ No newline at end of file diff --git a/windows/deployment/do/images/elixir_ux/ux-check-verbose-1.png b/windows/deployment/do/images/elixir_ux/ux-check-verbose-1.png new file mode 100644 index 0000000000..692416d04c Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-check-verbose-1.png differ diff --git a/windows/deployment/do/images/elixir_ux/ux-check-verbose-2.png b/windows/deployment/do/images/elixir_ux/ux-check-verbose-2.png new file mode 100644 index 0000000000..5f232fe0c6 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-check-verbose-2.png differ diff --git a/windows/deployment/do/images/elixir_ux/ux-connectivity-check.png b/windows/deployment/do/images/elixir_ux/ux-connectivity-check.png new file mode 100644 index 0000000000..0e72c45b33 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-connectivity-check.png differ diff --git a/windows/deployment/do/images/elixir_ux/ux-edge-agent-failed.png b/windows/deployment/do/images/elixir_ux/ux-edge-agent-failed.png new file mode 100644 index 0000000000..1ce0e3e929 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-edge-agent-failed.png differ diff --git a/windows/deployment/do/images/elixir_ux/ux-iot-edge-list.png b/windows/deployment/do/images/elixir_ux/ux-iot-edge-list.png new file mode 100644 index 0000000000..a26638a119 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-iot-edge-list.png differ diff --git a/windows/deployment/do/images/elixir_ux/ux-mcc-failed.png b/windows/deployment/do/images/elixir_ux/ux-mcc-failed.png new file mode 100644 index 0000000000..b82d0e4441 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-mcc-failed.png differ diff --git a/windows/deployment/do/images/emcc07.png b/windows/deployment/do/images/emcc07.png deleted file mode 100644 index 21420eab09..0000000000 Binary files a/windows/deployment/do/images/emcc07.png and /dev/null differ diff --git a/windows/deployment/do/images/emcc10.png b/windows/deployment/do/images/emcc10.png deleted file mode 100644 index 77c8754bf5..0000000000 Binary files a/windows/deployment/do/images/emcc10.png and /dev/null differ diff --git a/windows/deployment/do/images/emcc06.png b/windows/deployment/do/images/ent-mcc-azure-cache-created.png similarity index 100% rename from windows/deployment/do/images/emcc06.png rename to windows/deployment/do/images/ent-mcc-azure-cache-created.png diff --git a/windows/deployment/do/images/emcc05.png b/windows/deployment/do/images/ent-mcc-azure-create-connected-cache.png similarity index 100% rename from windows/deployment/do/images/emcc05.png rename to windows/deployment/do/images/ent-mcc-azure-create-connected-cache.png diff --git a/windows/deployment/do/images/emcc04.png b/windows/deployment/do/images/ent-mcc-azure-marketplace.png similarity index 100% rename from windows/deployment/do/images/emcc04.png rename to windows/deployment/do/images/ent-mcc-azure-marketplace.png diff --git a/windows/deployment/do/images/emcc03.png b/windows/deployment/do/images/ent-mcc-azure-search-result.png similarity index 100% rename from windows/deployment/do/images/emcc03.png rename to windows/deployment/do/images/ent-mcc-azure-search-result.png diff --git a/windows/deployment/do/images/emcc08.png b/windows/deployment/do/images/ent-mcc-cache-nodes.png similarity index 100% rename from windows/deployment/do/images/emcc08.png rename to windows/deployment/do/images/ent-mcc-cache-nodes.png diff --git a/windows/deployment/do/images/emcc20.png b/windows/deployment/do/images/ent-mcc-connect-eflowvm.png similarity index 100% rename from windows/deployment/do/images/emcc20.png rename to windows/deployment/do/images/ent-mcc-connect-eflowvm.png diff --git a/windows/deployment/do/images/ent-mcc-connected-cache-installer-download.png b/windows/deployment/do/images/ent-mcc-connected-cache-installer-download.png new file mode 100644 index 0000000000..45cb01de9f Binary files /dev/null and b/windows/deployment/do/images/ent-mcc-connected-cache-installer-download.png differ diff --git a/windows/deployment/do/images/emcc02.png b/windows/deployment/do/images/ent-mcc-create-azure-resource.png similarity index 100% rename from windows/deployment/do/images/emcc02.png rename to windows/deployment/do/images/ent-mcc-create-azure-resource.png diff --git a/windows/deployment/do/images/ent-mcc-create-cache-failed.png b/windows/deployment/do/images/ent-mcc-create-cache-failed.png new file mode 100644 index 0000000000..5c2ac09d56 Binary files /dev/null and b/windows/deployment/do/images/ent-mcc-create-cache-failed.png differ diff --git a/windows/deployment/do/images/emcc09.5.png b/windows/deployment/do/images/ent-mcc-create-cache-node-name.png similarity index 100% rename from windows/deployment/do/images/emcc09.5.png rename to windows/deployment/do/images/ent-mcc-create-cache-node-name.png diff --git a/windows/deployment/do/images/emcc09.png b/windows/deployment/do/images/ent-mcc-create-cache-node.png similarity index 100% rename from windows/deployment/do/images/emcc09.png rename to windows/deployment/do/images/ent-mcc-create-cache-node.png diff --git a/windows/deployment/do/images/emcc11.png b/windows/deployment/do/images/ent-mcc-delete-cache-node.png similarity index 100% rename from windows/deployment/do/images/emcc11.png rename to windows/deployment/do/images/ent-mcc-delete-cache-node.png diff --git a/windows/deployment/do/images/emcc29.png b/windows/deployment/do/images/ent-mcc-delivery-optimization-activity.png similarity index 100% rename from windows/deployment/do/images/emcc29.png rename to windows/deployment/do/images/ent-mcc-delivery-optimization-activity.png diff --git a/windows/deployment/do/images/emcc12.png b/windows/deployment/do/images/ent-mcc-download-installer.png similarity index 100% rename from windows/deployment/do/images/emcc12.png rename to windows/deployment/do/images/ent-mcc-download-installer.png diff --git a/windows/deployment/do/images/emcc28.png b/windows/deployment/do/images/ent-mcc-get-deliveryoptimizationstatus.png similarity index 100% rename from windows/deployment/do/images/emcc28.png rename to windows/deployment/do/images/ent-mcc-get-deliveryoptimizationstatus.png diff --git a/windows/deployment/do/images/emcc26.png b/windows/deployment/do/images/ent-mcc-group-policy-hostname.png similarity index 100% rename from windows/deployment/do/images/emcc26.png rename to windows/deployment/do/images/ent-mcc-group-policy-hostname.png diff --git a/windows/deployment/do/images/emcc13.png b/windows/deployment/do/images/ent-mcc-installer-script.png similarity index 100% rename from windows/deployment/do/images/emcc13.png rename to windows/deployment/do/images/ent-mcc-installer-script.png diff --git a/windows/deployment/do/images/emcc23.png b/windows/deployment/do/images/ent-mcc-intune-do.png similarity index 100% rename from windows/deployment/do/images/emcc23.png rename to windows/deployment/do/images/ent-mcc-intune-do.png diff --git a/windows/deployment/do/images/emcc24.png b/windows/deployment/do/images/ent-mcc-iotedge-list.png similarity index 100% rename from windows/deployment/do/images/emcc24.png rename to windows/deployment/do/images/ent-mcc-iotedge-list.png diff --git a/windows/deployment/do/images/emcc25.png b/windows/deployment/do/images/ent-mcc-journalctl.png similarity index 100% rename from windows/deployment/do/images/emcc25.png rename to windows/deployment/do/images/ent-mcc-journalctl.png diff --git a/windows/deployment/do/images/emcc01.png b/windows/deployment/do/images/ent-mcc-overview.png similarity index 100% rename from windows/deployment/do/images/emcc01.png rename to windows/deployment/do/images/ent-mcc-overview.png diff --git a/windows/deployment/do/images/emcc19.png b/windows/deployment/do/images/ent-mcc-script-complete.png similarity index 100% rename from windows/deployment/do/images/emcc19.png rename to windows/deployment/do/images/ent-mcc-script-complete.png diff --git a/windows/deployment/do/images/emcc17.png b/windows/deployment/do/images/ent-mcc-script-device-code.png similarity index 100% rename from windows/deployment/do/images/emcc17.png rename to windows/deployment/do/images/ent-mcc-script-device-code.png diff --git a/windows/deployment/do/images/emcc16.png b/windows/deployment/do/images/ent-mcc-script-dynamic-address.png similarity index 100% rename from windows/deployment/do/images/emcc16.png rename to windows/deployment/do/images/ent-mcc-script-dynamic-address.png diff --git a/windows/deployment/do/images/emcc15.png b/windows/deployment/do/images/ent-mcc-script-existing-switch.png similarity index 100% rename from windows/deployment/do/images/emcc15.png rename to windows/deployment/do/images/ent-mcc-script-existing-switch.png diff --git a/windows/deployment/do/images/emcc14.png b/windows/deployment/do/images/ent-mcc-script-new-switch.png similarity index 100% rename from windows/deployment/do/images/emcc14.png rename to windows/deployment/do/images/ent-mcc-script-new-switch.png diff --git a/windows/deployment/do/images/emcc18.png b/windows/deployment/do/images/ent-mcc-script-select-hub.png similarity index 100% rename from windows/deployment/do/images/emcc18.png rename to windows/deployment/do/images/ent-mcc-script-select-hub.png diff --git a/windows/deployment/do/images/emcc27.png b/windows/deployment/do/images/ent-mcc-store-example-download.png similarity index 100% rename from windows/deployment/do/images/emcc27.png rename to windows/deployment/do/images/ent-mcc-store-example-download.png diff --git a/windows/deployment/do/images/emcc22.png b/windows/deployment/do/images/ent-mcc-verify-server-powershell.png similarity index 100% rename from windows/deployment/do/images/emcc22.png rename to windows/deployment/do/images/ent-mcc-verify-server-powershell.png diff --git a/windows/deployment/do/images/emcc21.png b/windows/deployment/do/images/ent-mcc-verify-server-ssh.png similarity index 100% rename from windows/deployment/do/images/emcc21.png rename to windows/deployment/do/images/ent-mcc-verify-server-ssh.png diff --git a/windows/deployment/do/images/imcc07.png b/windows/deployment/do/images/imcc07.png deleted file mode 100644 index 31668ba8a1..0000000000 Binary files a/windows/deployment/do/images/imcc07.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc21.png b/windows/deployment/do/images/imcc21.png deleted file mode 100644 index 5bd68d66c5..0000000000 Binary files a/windows/deployment/do/images/imcc21.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc48.png b/windows/deployment/do/images/imcc48.png deleted file mode 100644 index eb53b7a5be..0000000000 Binary files a/windows/deployment/do/images/imcc48.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc49.png b/windows/deployment/do/images/imcc49.png deleted file mode 100644 index eb53b7a5be..0000000000 Binary files a/windows/deployment/do/images/imcc49.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc53.png b/windows/deployment/do/images/imcc53.png deleted file mode 100644 index ddec14d717..0000000000 Binary files a/windows/deployment/do/images/imcc53.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc54.png b/windows/deployment/do/images/imcc54.png deleted file mode 100644 index c40ab0c5c9..0000000000 Binary files a/windows/deployment/do/images/imcc54.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc24.png b/windows/deployment/do/images/mcc-isp-bash-allocate-space.png similarity index 100% rename from windows/deployment/do/images/imcc24.png rename to windows/deployment/do/images/mcc-isp-bash-allocate-space.png diff --git a/windows/deployment/do/images/imcc23.png b/windows/deployment/do/images/mcc-isp-bash-datadrive.png similarity index 100% rename from windows/deployment/do/images/imcc23.png rename to windows/deployment/do/images/mcc-isp-bash-datadrive.png diff --git a/windows/deployment/do/images/imcc20.png b/windows/deployment/do/images/mcc-isp-bash-device-code.png similarity index 100% rename from windows/deployment/do/images/imcc20.png rename to windows/deployment/do/images/mcc-isp-bash-device-code.png diff --git a/windows/deployment/do/images/imcc22.png b/windows/deployment/do/images/mcc-isp-bash-drive-number.png similarity index 100% rename from windows/deployment/do/images/imcc22.png rename to windows/deployment/do/images/mcc-isp-bash-drive-number.png diff --git a/windows/deployment/do/images/imcc25.png b/windows/deployment/do/images/mcc-isp-bash-iot-prompt.png similarity index 100% rename from windows/deployment/do/images/imcc25.png rename to windows/deployment/do/images/mcc-isp-bash-iot-prompt.png diff --git a/windows/deployment/do/images/imcc08.png b/windows/deployment/do/images/mcc-isp-cache-nodes-option.png similarity index 100% rename from windows/deployment/do/images/imcc08.png rename to windows/deployment/do/images/mcc-isp-cache-nodes-option.png diff --git a/windows/deployment/do/images/imcc19.png b/windows/deployment/do/images/mcc-isp-copy-install-script.png similarity index 100% rename from windows/deployment/do/images/imcc19.png rename to windows/deployment/do/images/mcc-isp-copy-install-script.png diff --git a/windows/deployment/do/images/imcc10.png b/windows/deployment/do/images/mcc-isp-create-cache-node-fields.png similarity index 100% rename from windows/deployment/do/images/imcc10.png rename to windows/deployment/do/images/mcc-isp-create-cache-node-fields.png diff --git a/windows/deployment/do/images/imcc09.png b/windows/deployment/do/images/mcc-isp-create-cache-node-option.png similarity index 100% rename from windows/deployment/do/images/imcc09.png rename to windows/deployment/do/images/mcc-isp-create-cache-node-option.png diff --git a/windows/deployment/do/images/imcc12.png b/windows/deployment/do/images/mcc-isp-create-new-node.png similarity index 100% rename from windows/deployment/do/images/imcc12.png rename to windows/deployment/do/images/mcc-isp-create-new-node.png diff --git a/windows/deployment/do/images/imcc13.png b/windows/deployment/do/images/mcc-isp-create-node-form.png similarity index 100% rename from windows/deployment/do/images/imcc13.png rename to windows/deployment/do/images/mcc-isp-create-node-form.png diff --git a/windows/deployment/do/images/imcc02.png b/windows/deployment/do/images/mcc-isp-create-resource.png similarity index 100% rename from windows/deployment/do/images/imcc02.png rename to windows/deployment/do/images/mcc-isp-create-resource.png diff --git a/windows/deployment/do/images/imcc04.png b/windows/deployment/do/images/mcc-isp-create.png similarity index 100% rename from windows/deployment/do/images/imcc04.png rename to windows/deployment/do/images/mcc-isp-create.png diff --git a/windows/deployment/do/images/mcc-isp-deploy-cache-node-numbered.png b/windows/deployment/do/images/mcc-isp-deploy-cache-node-numbered.png new file mode 100644 index 0000000000..17fb6a18f1 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-deploy-cache-node-numbered.png differ diff --git a/windows/deployment/do/images/imcc06.png b/windows/deployment/do/images/mcc-isp-deployment-complete.png similarity index 100% rename from windows/deployment/do/images/imcc06.png rename to windows/deployment/do/images/mcc-isp-deployment-complete.png diff --git a/windows/deployment/do/images/imcc01.png b/windows/deployment/do/images/mcc-isp-diagram.png similarity index 100% rename from windows/deployment/do/images/imcc01.png rename to windows/deployment/do/images/mcc-isp-diagram.png diff --git a/windows/deployment/do/images/imcc27.png b/windows/deployment/do/images/mcc-isp-edge-journalctl.png similarity index 100% rename from windows/deployment/do/images/imcc27.png rename to windows/deployment/do/images/mcc-isp-edge-journalctl.png diff --git a/windows/deployment/do/images/imcc42.png b/windows/deployment/do/images/mcc-isp-gnu-grub.png similarity index 100% rename from windows/deployment/do/images/imcc42.png rename to windows/deployment/do/images/mcc-isp-gnu-grub.png diff --git a/windows/deployment/do/images/imcc31.png b/windows/deployment/do/images/mcc-isp-hyper-v-begin.png similarity index 100% rename from windows/deployment/do/images/imcc31.png rename to windows/deployment/do/images/mcc-isp-hyper-v-begin.png diff --git a/windows/deployment/do/images/imcc36.png b/windows/deployment/do/images/mcc-isp-hyper-v-disk.png similarity index 100% rename from windows/deployment/do/images/imcc36.png rename to windows/deployment/do/images/mcc-isp-hyper-v-disk.png diff --git a/windows/deployment/do/images/imcc33.png b/windows/deployment/do/images/mcc-isp-hyper-v-generation.png similarity index 100% rename from windows/deployment/do/images/imcc33.png rename to windows/deployment/do/images/mcc-isp-hyper-v-generation.png diff --git a/windows/deployment/do/images/imcc37.png b/windows/deployment/do/images/mcc-isp-hyper-v-installation-options.png similarity index 100% rename from windows/deployment/do/images/imcc37.png rename to windows/deployment/do/images/mcc-isp-hyper-v-installation-options.png diff --git a/windows/deployment/do/images/imcc34.png b/windows/deployment/do/images/mcc-isp-hyper-v-memory.png similarity index 100% rename from windows/deployment/do/images/imcc34.png rename to windows/deployment/do/images/mcc-isp-hyper-v-memory.png diff --git a/windows/deployment/do/images/imcc32.png b/windows/deployment/do/images/mcc-isp-hyper-v-name.png similarity index 100% rename from windows/deployment/do/images/imcc32.png rename to windows/deployment/do/images/mcc-isp-hyper-v-name.png diff --git a/windows/deployment/do/images/imcc35.png b/windows/deployment/do/images/mcc-isp-hyper-v-networking.png similarity index 100% rename from windows/deployment/do/images/imcc35.png rename to windows/deployment/do/images/mcc-isp-hyper-v-networking.png diff --git a/windows/deployment/do/images/imcc38.png b/windows/deployment/do/images/mcc-isp-hyper-v-summary.png similarity index 100% rename from windows/deployment/do/images/imcc38.png rename to windows/deployment/do/images/mcc-isp-hyper-v-summary.png diff --git a/windows/deployment/do/images/imcc41.png b/windows/deployment/do/images/mcc-isp-hyper-v-vm-processor.png similarity index 100% rename from windows/deployment/do/images/imcc41.png rename to windows/deployment/do/images/mcc-isp-hyper-v-vm-processor.png diff --git a/windows/deployment/do/images/imcc40.png b/windows/deployment/do/images/mcc-isp-hyper-v-vm-security.png similarity index 100% rename from windows/deployment/do/images/imcc40.png rename to windows/deployment/do/images/mcc-isp-hyper-v-vm-security.png diff --git a/windows/deployment/do/images/imcc39.png b/windows/deployment/do/images/mcc-isp-hyper-v-vm-settings.png similarity index 100% rename from windows/deployment/do/images/imcc39.png rename to windows/deployment/do/images/mcc-isp-hyper-v-vm-settings.png diff --git a/windows/deployment/do/images/imcc18.png b/windows/deployment/do/images/mcc-isp-installer-download.png similarity index 100% rename from windows/deployment/do/images/imcc18.png rename to windows/deployment/do/images/mcc-isp-installer-download.png diff --git a/windows/deployment/do/images/imcc16.png b/windows/deployment/do/images/mcc-isp-list-nodes.png similarity index 100% rename from windows/deployment/do/images/imcc16.png rename to windows/deployment/do/images/mcc-isp-list-nodes.png diff --git a/windows/deployment/do/images/imcc05.png b/windows/deployment/do/images/mcc-isp-location-west.png similarity index 100% rename from windows/deployment/do/images/imcc05.png rename to windows/deployment/do/images/mcc-isp-location-west.png diff --git a/windows/deployment/do/images/mcc-isp-metrics.png b/windows/deployment/do/images/mcc-isp-metrics.png new file mode 100644 index 0000000000..1ca9078f3e Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-metrics.png differ diff --git a/windows/deployment/do/images/imcc30.png b/windows/deployment/do/images/mcc-isp-nmcli.png similarity index 100% rename from windows/deployment/do/images/imcc30.png rename to windows/deployment/do/images/mcc-isp-nmcli.png diff --git a/windows/deployment/do/images/imcc17.png b/windows/deployment/do/images/mcc-isp-node-configuration.png similarity index 100% rename from windows/deployment/do/images/imcc17.png rename to windows/deployment/do/images/mcc-isp-node-configuration.png diff --git a/windows/deployment/do/images/imcc15.png b/windows/deployment/do/images/mcc-isp-node-names.png similarity index 100% rename from windows/deployment/do/images/imcc15.png rename to windows/deployment/do/images/mcc-isp-node-names.png diff --git a/windows/deployment/do/images/imcc11.png b/windows/deployment/do/images/mcc-isp-node-server-ip.png similarity index 100% rename from windows/deployment/do/images/imcc11.png rename to windows/deployment/do/images/mcc-isp-node-server-ip.png diff --git a/windows/deployment/do/images/mcc-isp-operator-verification.png b/windows/deployment/do/images/mcc-isp-operator-verification.png new file mode 100644 index 0000000000..3641761e0a Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-operator-verification.png differ diff --git a/windows/deployment/do/images/mcc-isp-provision-cache-node-numbered.png b/windows/deployment/do/images/mcc-isp-provision-cache-node-numbered.png new file mode 100644 index 0000000000..e61bb78fc4 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-provision-cache-node-numbered.png differ diff --git a/windows/deployment/do/images/imcc26.png b/windows/deployment/do/images/mcc-isp-running-containers.png similarity index 100% rename from windows/deployment/do/images/imcc26.png rename to windows/deployment/do/images/mcc-isp-running-containers.png diff --git a/windows/deployment/do/images/imcc03.png b/windows/deployment/do/images/mcc-isp-search-marketplace.png similarity index 100% rename from windows/deployment/do/images/imcc03.png rename to windows/deployment/do/images/mcc-isp-search-marketplace.png diff --git a/windows/deployment/do/images/mcc-isp-search.png b/windows/deployment/do/images/mcc-isp-search.png new file mode 100644 index 0000000000..4ab4f0b0d6 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-search.png differ diff --git a/windows/deployment/do/images/mcc-isp-sign-up.png b/windows/deployment/do/images/mcc-isp-sign-up.png new file mode 100644 index 0000000000..0bc62894c6 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-sign-up.png differ diff --git a/windows/deployment/do/images/imcc14.png b/windows/deployment/do/images/mcc-isp-success-instructions.png similarity index 100% rename from windows/deployment/do/images/imcc14.png rename to windows/deployment/do/images/mcc-isp-success-instructions.png diff --git a/windows/deployment/do/images/imcc45.png b/windows/deployment/do/images/mcc-isp-ubuntu-erase-disk.png similarity index 100% rename from windows/deployment/do/images/imcc45.png rename to windows/deployment/do/images/mcc-isp-ubuntu-erase-disk.png diff --git a/windows/deployment/do/images/imcc44.png b/windows/deployment/do/images/mcc-isp-ubuntu-keyboard.png similarity index 100% rename from windows/deployment/do/images/imcc44.png rename to windows/deployment/do/images/mcc-isp-ubuntu-keyboard.png diff --git a/windows/deployment/do/images/imcc43.png b/windows/deployment/do/images/mcc-isp-ubuntu-language.png similarity index 100% rename from windows/deployment/do/images/imcc43.png rename to windows/deployment/do/images/mcc-isp-ubuntu-language.png diff --git a/windows/deployment/do/images/imcc51.png b/windows/deployment/do/images/mcc-isp-ubuntu-restart.png similarity index 100% rename from windows/deployment/do/images/imcc51.png rename to windows/deployment/do/images/mcc-isp-ubuntu-restart.png diff --git a/windows/deployment/do/images/imcc47.png b/windows/deployment/do/images/mcc-isp-ubuntu-time-zone.png similarity index 100% rename from windows/deployment/do/images/imcc47.png rename to windows/deployment/do/images/mcc-isp-ubuntu-time-zone.png diff --git a/windows/deployment/do/images/imcc52.png b/windows/deployment/do/images/mcc-isp-ubuntu-upgrade.png similarity index 100% rename from windows/deployment/do/images/imcc52.png rename to windows/deployment/do/images/mcc-isp-ubuntu-upgrade.png diff --git a/windows/deployment/do/images/imcc50.png b/windows/deployment/do/images/mcc-isp-ubuntu-who.png similarity index 100% rename from windows/deployment/do/images/imcc50.png rename to windows/deployment/do/images/mcc-isp-ubuntu-who.png diff --git a/windows/deployment/do/images/imcc46.png b/windows/deployment/do/images/mcc-isp-ubuntu-write-changes.png similarity index 100% rename from windows/deployment/do/images/imcc46.png rename to windows/deployment/do/images/mcc-isp-ubuntu-write-changes.png diff --git a/windows/deployment/do/images/imcc55.PNG b/windows/deployment/do/images/mcc-isp-use-bgp.png similarity index 100% rename from windows/deployment/do/images/imcc55.PNG rename to windows/deployment/do/images/mcc-isp-use-bgp.png diff --git a/windows/deployment/do/images/imcc28.png b/windows/deployment/do/images/mcc-isp-wget.png similarity index 100% rename from windows/deployment/do/images/imcc28.png rename to windows/deployment/do/images/mcc-isp-wget.png diff --git a/windows/deployment/do/includes/get-azure-subscription.md b/windows/deployment/do/includes/get-azure-subscription.md new file mode 100644 index 0000000000..114671fd5e --- /dev/null +++ b/windows/deployment/do/includes/get-azure-subscription.md @@ -0,0 +1,17 @@ +--- +author: amymzhou +ms.author: amyzhou +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.topic: include +ms.localizationpriority: medium +--- + + +1. Sign in to the [Azure portal](https://portal.azure.com). +1. Select **Subscriptions**. If you don't see **Subscriptions**, type **Subscriptions** in the search bar. As you begin typing, the list filters based on your input. +1. If you already have an Azure Subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left. +1. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the MCC service. +1. On the **Subscriptions** page, you'll find details about your current subscription. Select the subscription name. +1. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Select the **Copy to clipboard** icon next to your Subscription ID to copy the value. \ No newline at end of file diff --git a/windows/deployment/do/includes/mcc-prerequisites.md b/windows/deployment/do/includes/mcc-prerequisites.md new file mode 100644 index 0000000000..f90bc995e6 --- /dev/null +++ b/windows/deployment/do/includes/mcc-prerequisites.md @@ -0,0 +1,17 @@ +--- +author: amyzhou +ms.author: amyzhou +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.topic: include +ms.date: 11/09/2022 +ms.localizationpriority: medium +--- + + +Peak Egress | Hardware Specifications| +---|---| +< 5G Peak | VM with 8 cores, 16 GB memory, 1 SSD Drive 500GB| +10 - 20G Peak | VM with 16 cores, 32 GB memory, 2 - 3 SSD Drives 1 TB| +20 - 40G Peak | Hardware (sample hardware spec) with 32 cores, 64 GB memory, 4 - 6 SSDs 1 TB | \ No newline at end of file diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index c9373755d6..654cd9f309 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml @@ -6,12 +6,10 @@ summary: Set up peer to peer downloads for Windows Updates and learn about Micro metadata: title: Delivery Optimization # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about using peer to peer downloads on Windows clients and learn about Microsoft Connected Cache. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required + ms.topic: landing-page + ms.prod: windows-client + ms.technology: itpro-updates ms.collection: - - windows-10 - highpri author: aczechowski ms.author: aaroncz @@ -69,8 +67,8 @@ landingContent: linkLists: - linkListType: deploy links: - - text: MCC for Enterprise and Education (Private Preview) - url: mcc-enterprise.md + - text: MCC for Enterprise and Education (early preview) + url: waas-microsoft-connected-cache.md - text: Sign up url: https://aka.ms/MSConnectedCacheSignup @@ -79,10 +77,13 @@ landingContent: linkLists: - linkListType: deploy links: - - text: MCC for ISPs (Private Preview) - url: mcc-isp.md + - text: MCC for ISPs (public preview) + url: mcc-isp-signup.md - text: Sign up - url: https://aka.ms/MSConnectedCacheSignup + url: https://aka.ms/MCCForISPSurvey + - text: MCC for ISPs (early preview) + url: mcc-isp.md + # Card (optional) - title: Resources diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md new file mode 100644 index 0000000000..83d2df61da --- /dev/null +++ b/windows/deployment/do/mcc-enterprise-appendix.md @@ -0,0 +1,117 @@ +--- +title: Appendix +manager: aaroncz +description: Appendix on Microsoft Connected Cache (MCC) for Enterprise and Education. +ms.prod: w10 +author: amymzhou +ms.author: amyzhou +ms.localizationpriority: medium +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Appendix + +## Diagnostics Script + +If you're having issues with your MCC, we included a diagnostics script. The script collects all your logs and zips them into a single file. You can then send us these logs via email for the MCC team to debug. + +To run this script: + +1. Navigate to the following folder in the MCC installation files: + + mccinstaller > Eflow > Diagnostics + +1. Run the following commands: + + ```powershell + Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process + .\collectMccDiagnostics.ps1 + ``` + +1. The script stores all the debug files into a folder and then creates a tar file. After the script is finished running, it will output the path of the tar file, which you can share with us. The location should be **\**\mccdiagnostics\support_bundle_\$timestamp.tar.gz + +1. [Email the MCC team](mailto:mccforenterprise@microsoft.com?subject=Debugging%20Help%20Needed%20for%20MCC%20for%20Enterprise) and attach this file asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during out debugging process. + +## Steps to obtain an Azure Subscription ID + + +[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)] + +## Troubleshooting + +If you're not able to sign up for a Microsoft Azure subscription with the error: **Account belongs to a directory that cannot be associated with an Azure subscription. Please sign in with a different account.** See [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription). + +Also see [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up). + +## IoT Edge runtime + +The Azure IoT Edge runtime enables custom and cloud logic on IoT Edge devices. +The runtime sits on the IoT Edge device, and performs management and +communication operations. The runtime performs several functions: + +- Installs and update workloads (Docker containers) on the device. +- Maintains Azure IoT Edge security standards on the device. +- Ensures that IoT Edge modules (Docker containers) are always running. +- Reports module (Docker containers) health to the cloud for remote monitoring. +- Manages communication between an IoT Edge device and the cloud. + +For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge). + +## EFLOW + +- [What is Azure IoT Edge for Linux on Windows](/azure/iot-edge/iot-edge-for-linux-on-windows) +- [Install Azure IoT Edge for Linux on Windows](/azure/iot-edge/how-to-provision-single-device-linux-on-windows-symmetric#install-iot-edge) +- [PowerShell functions for Azure IoT Edge for Linux on Windows](/azure/iot-edge/reference-iot-edge-for-linux-on-windows-functions) +- EFLOW FAQ and Support: [Support · Azure/iotedge-eflow Wiki (github.com)](https://github.com/Azure/iotedge-eflow/wiki/Support#how-can-i-apply-updates-to-eflow) +- [Now ready for Production: Linux IoT Edge Modules on Windows - YouTube](https://www.youtube.com/watch?v=pgqVCg6cxVU&ab_channel=MicrosoftIoTDevelopers) + +## Routing local Windows Clients to an MCC + +### Get the IP address of your MCC using ifconfig + +There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the MCC. + +#### Registry Key + +You can either set your MCC IP address or FQDN using: + +1. Registry Key (version 1709 and later): + `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization` +
+ "DOCacheHost"=" " + + From an elevated command prompt: + + ``` + reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f + ``` + +1. MDM Path (version 1809 and later): + + `.Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost` + +1. In Windows (release version 1809 and later), you can apply the policy via Group Policy Editor. The policy to apply is **DOCacheHost**. To configure the clients to pull content from the MCC using Group Policy, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. Set the **Cache Server Hostname** to the IP address of your MCC, such as `10.137.187.38`. + + :::image type="content" source="./images/ent-mcc-group-policy-hostname.png" alt-text="Screenshot of the Group Policy editor showing the Cache Server Hostname Group Policy setting." lightbox="./images/ent-mcc-group-policy-hostname.png"::: + + +**Verify Content using the DO Client** + +To verify that the Delivery Optimization client can download content using MCC, you can use the following steps: + +1. Download a game or application from the Microsoft Store. + + :::image type="content" source="./images/ent-mcc-store-example-download.png" alt-text="Screenshot of the Microsoft Store with the game, Angry Birds 2, selected."::: + + +1. Verify downloads came from MCC by one of two methods: + + - Using the PowerShell Cmdlet Get-DeliveryOptimizationStatus you should see *BytesFromCacheServer*. + + :::image type="content" source="./images/ent-mcc-get-deliveryoptimizationstatus.png" alt-text="Screenshot of the output of Get-DeliveryOptimization | FT from PowerShell." lightbox="./images/ent-mcc-get-deliveryoptimizationstatus.png"::: + + - Using the Delivery Optimization Activity Monitor + + :::image type="content" source="./images/ent-mcc-delivery-optimization-activity.png" alt-text="Screenshot of the Delivery Optimization Activity Monitor."::: + diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md new file mode 100644 index 0000000000..74ef198811 --- /dev/null +++ b/windows/deployment/do/mcc-enterprise-deploy.md @@ -0,0 +1,325 @@ +--- +title: Deploying your cache node +manager: dougeby +description: How to deploy Microsoft Connected Cache (MCC) for Enterprise and Education cache node +ms.prod: w10 +author: amymzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Deploying your cache node + +**Applies to** + +- Windows 10 +- Windows 11 + +## Steps to deploy MCC + +To deploy MCC to your server: + +1. [Provide Microsoft with the Azure subscription ID](#provide-microsoft-with-the-azure-subscription-id) +1. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure) +1. [Create an MCC Node](#create-an-mcc-node-in-azure) +1. [Edit Cache Node Information](#edit-cache-node-information) +1. [Install MCC on a physical server or VM](#install-mcc-on-windows) +1. [Verify proper functioning MCC server](#verify-proper-functioning-mcc-server) +1. [Review common Issues](#common-issues) if needed. + +For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com) + +### Provide Microsoft with the Azure Subscription ID + +As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. + +> [!IMPORTANT] +> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step. + +For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id). + +### Create the MCC resource in Azure + +The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. + +Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you'll be given a link to the Azure portal where you can create the resource described below. + +1. In the Azure portal home page, choose **Create a resource**: + :::image type="content" source="./images/ent-mcc-create-azure-resource.png" alt-text="Screenshot of the Azure portal. The create a resource option is outlined in red."::: + +1. Type **Microsoft Connected Cache** into the search box, and hit **Enter** to show search results. + + > [!NOTE] + > You won't see Microsoft Connected Cache in the drop-down list. You'll need to type the string and press enter to see the result. + +1. Select **Microsoft Connected Cache Enterprise** and choose **Create** on the next screen to start the process of creating the MCC resource. + + :::image type="content" source="./images/ent-mcc-azure-search-result.png" alt-text="Screenshot of the Azure portal search results for Microsoft Connected Cache."::: + :::image type="content" source="./images/ent-mcc-azure-marketplace.png" alt-text="Screenshot of Microsoft Connected Cache Enterprise within the Azure Marketplace."::: + +1. Fill in the required fields to create the MCC resource. + + - Choose the subscription that you provided to Microsoft. + - Azure resource groups are logical groups of resources. Create a new resource group and choose a name for your resource group. + - Choose **(US) West US** for the location of the resource. This choice won't impact MCC if the physical location isn't in the West US, it's just a limitation of the preview. + + > [!IMPORTANT] + > Your MCC resource will not be created properly if you do not select **(US) West US** + + - Choose a name for the MCC resource. + - Your MCC resource must not contain the word **Microsoft** in it. + + :::image type="content" source="./images/ent-mcc-azure-create-connected-cache.png" alt-text="Screenshot of the Create a Connected Cache page within the Azure Marketplace."::: + +1. Once all the information has been entered, select the **Review + Create** button. Once validation is complete, select the **Create** button to start the + resource creation. + + :::image type="content" source="./images/ent-mcc-azure-cache-created.png" alt-text="Screenshot of the completed cache deployment within the Azure." lightbox="./images/ent-mcc-azure-cache-created.png"::: + +#### Error: Validation failed + +- If you get a Validation failed error message on your portal, it's likely because you selected the **Location** as **US West 2** or some other location that isn't **(US) West US**. + - To resolve this error, go to the previous step and choose **(US) West US**. + + :::image type="content" source="./images/ent-mcc-create-cache-failed.png" alt-text="Screenshot of a failed cache deployment due to an incorrect location."::: + +### Create an MCC node in Azure + +Creating an MCC node is a multi-step process and the first step is to access the MCC early preview management portal. + +1. After the successful resource creation, select **Go to resource**. +1. Under **Cache Node Management** section on the leftmost panel, select **Cache Nodes**. + + :::image type="content" source="./images/ent-mcc-cache-nodes.png" alt-text="Screenshot of the Cache Node Management section with the navigation link to the Cache Nodes page outlined in red."::: + +1. On the **Cache Nodes** blade, select the **Create Cache Node** button. + + :::image type="content" source="./images/ent-mcc-create-cache-node.png" alt-text="Screenshot of the Cache Nodes page with the Create Cache Node option outlined in red."::: + +1. Selecting the **Create Cache Node** button will open the **Create Cache Node** page; **Cache Node Name** is the only field required for cache node creation. + + | **Field Name**| **Expected Value**|**Description** | + |---|---|---| + | **Cache Node Name** | Alphanumeric name that doesn't include any spaces. | The name of the cache node. You may choose names based on location such as `Seattle-1`. This name must be unique and can't be changed later. | + +1. Enter the information for the **Cache Node** and select the **Create** button. + + :::image type="content" source="./images/ent-mcc-create-cache-node-name.png" alt-text="Screenshot of the Cache Nodes page displaying the Cache Node Name text entry during the creation process."::: + +If there are errors, the form will provide guidance on how to correct the errors. + +Once the MCC node has been created, the installer instructions will be exposed. More details on the installer instructions will be addressed later in this article, in the [Install Connected Cache](#install-mcc-on-windows) section. + +:::image type="content" source="./images/ent-mcc-connected-cache-installer-download.png" alt-text="Screenshot of the Connected Cache installer download button, installer instructions, and script."::: + +#### Edit cache node information + +Cache nodes can be deleted here by selecting the check box to the left of a **Cache Node Name** and then selecting the delete toolbar item. Be aware that if a cache node is deleted, there's no way to recover the cache node or any of the information related to the cache node. + +:::image type="content" source="./images/ent-mcc-delete-cache-node.png" alt-text="Screenshot of deleting a cache node from the Cache Nodes page."::: + +### Install MCC on Windows + +Installing MCC on your Windows device is a simple process. A PowerShell script performs the following tasks: + +- Installs the Azure CLI +- Downloads, installs, and deploys EFLOW +- Enables Microsoft Update so EFLOW can stay up to date +- Creates a virtual machine +- Enables the firewall and opens ports 80 and 22 for inbound and outbound traffic. Port 80 is used by MCC, and port 22 is used for SSH communications. +- Configures Connected Cache tuning settings. +- Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge. +- Deploys the MCC container to server. + +#### Run the installer + +1. Download and unzip `mccinstaller.zip` from the create cache node page or cache node configuration page, both of which contain the necessary installation files. + + :::image type="content" source="./images/ent-mcc-download-installer.png" alt-text="Screenshot of the download installer option on the Create Cache Node page."::: + + The following files are contained in the `mccinstaller.zip` file: + + - **installmcc.ps1**: Main installer file. + - **installEflow.ps1**: Installs the necessary prerequisites such as the Linux VM, IoT Edge runtime, and Docker, and makes necessary host OS settings to optimize caching performance. + - **resourceDeploymentForConnectedCache.ps1**: Creates Azure cloud resources required to support MCC control plane. + - **mccdeployment.json**: Deployment manifest used by IoT Edge to deploy the MCC container and configure settings on the container, such as cache drive location sizes. + - **updatemcc.ps1**: The update script used to upgrade MCC to a particular version. + - **mccupdate.json**: Used as part of the update script + +1. Open Windows PowerShell as administrator then navigate to the location of these files. + + > [!NOTE] + > Ensure that Hyper-V is enabled on your device. + > - **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v) + > - **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server)' + > + > Don't use PowerShell ISE, PowerShell 6.x, or PowerShell 7.x. Only Windows PowerShell version 5.x is supported. + +#### If you're installing MCC on a local virtual machine + +1. Turn the virtual machine **off** while you enable nested virtualization and MAC spoofing. + 1. Enable nested virtualization: + + ```powershell + Set -VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true + ``` + + 1. Enable MAC spoofing: + + ```powershell + Get-VMNetworkAdapter -VMName "VM name" | Set-VMNetworkAdapter -MacAddressSpoofing On + ``` + +1. Set the execution policy. + + ```powershell + Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process + ``` + + > [!NOTE] + > After setting the execution policy, you'll see a warning asking if you wish to change the execution policy. Choose **[A] Yes to All**. + +1. Copy the command from the Azure portal and run it in Windows PowerShell. + + :::image type="content" source="./images/ent-mcc-installer-script.png" alt-text="Screenshot of the installer script for the connected cache node."::: + + > [!NOTE] + > After running the command, and multiple times throughout the installation process, you'll receive the following notice. Select **[R] Run once** to proceed. + >
+ >
Security warning + >
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\Users\mccinstaller\Eflow\installmcc.ps1? + >
+ >
[D] Do not run **[R] Run once** [S] Suspend [?] Help (default is "D"): + +1. Choose whether you would like to create a new virtual switch or select an existing one. Name your switch and select the Net Adapter to use for the switch. A computer restart will be required if you're creating a new switch. + + > [!NOTE] + > Restarting your computer after creating a switch is recommended. You'll notice network delays during installation if the computer has not been restarted. + + If you restarted your computer after creating a switch, start from Step 2 above and skip step 5. + + :::image type="content" source="./images/ent-mcc-script-new-switch.png" alt-text="Screenshot of the installer script running in PowerShell when a new switch is created." lightbox="./images/ent-mcc-script-new-switch.png"::: + +1. Rerun the script after the restart. This time, choose **No** when asked to create a new switch. Enter the number corresponding to the switch you previously created. + + :::image type="content" source="./images/ent-mcc-script-existing-switch.png" alt-text="Screenshot of the installer script running in PowerShell when using an existing switch." lightbox="./images/ent-mcc-script-existing-switch.png"::: + +1. Decide whether you would like to use dynamic or static address for the Eflow VM + + :::image type="content" source="./images/ent-mcc-script-dynamic-address.png" alt-text="Screenshot of the installer script running in PowerShell asking if you'd like to use a dynamic address." lightbox="./images/ent-mcc-script-dynamic-address.png"::: + + > [!NOTE] + > Choosing a dynamic IP address might assign a different IP address when the MCC restarts. A static IP address is recommended so you don't have to change this value in your management solution when MCC restarts. + +1. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and how many cores you would like to allocate for the VM. For this example, we chose the default values for all prompts. + +1. Follow the Azure Device Login link and sign into the Azure portal. + + :::image type="content" source="./images/ent-mcc-script-device-code.png" alt-text="Screenshot of the installer script running in PowerShell displaying the code and URL to use for the Azure portal." lightbox="./images/ent-mcc-script-device-code.png"::: + +1. If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub. + + 1. You'll be shown a list of existing IoT Hubs in your Azure Subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"** + + :::image type="content" source="./images/ent-mcc-script-select-hub.png" alt-text="Screenshot of the installer script running in PowerShell prompting you to select which IoT Hub to use." lightbox="./images/ent-mcc-script-select-hub.png"::: + :::image type="content" source="./images/ent-mcc-script-complete.png" alt-text="Screenshot of the installer script displaying the completion summary in PowerShell." lightbox="./images/ent-mcc-script-complete.png"::: + + +1. Your MCC deployment is now complete. + + 1. If you don't see any errors, continue to the next section to validate your MCC deployment. + 1. After validating your MCC is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC. + 1. If you had errors during your deployment, see the [Common Issues](#common-issues) section in this article. + +## Verify proper functioning MCC server + +#### Verify Client Side + +Connect to the EFLOW VM and check if MCC is properly running: + +1. Open PowerShell as an Administrator. +2. Enter the following commands: + + ```powershell + Connect-EflowVm + sudo -s + iotedge list + ``` + + :::image type="content" source="./images/ent-mcc-connect-eflowvm.png" alt-text="Screenshot of running connect-EflowVm, sudo -s, and iotedge list from PowerShell." lightbox="./images/ent-mcc-connect-eflowvm.png"::: + +You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy. + +#### Verify server side + +For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace with the IP address of the cache server. + +```powershell +wget [http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com] +``` + +A successful test result will display a status code of 200 along with additional information. + +:::image type="content" source="./images/ent-mcc-verify-server-ssh.png" alt-text="Screenshot of a successful wget with an SSH client." lightbox="./images/ent-mcc-verify-server-ssh.png"::: + + :::image type="content" source="./images/ent-mcc-verify-server-powershell.png" alt-text="Screenshot of a successful wget using PowerShell." lightbox="./images/ent-mcc-verify-server-powershell.png"::: + +Similarly, enter the following URL from a browser in the network: + +`http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com` + +If the test fails, see the [common issues](#common-issues) section for more information. + +### Intune (or other management software) configuration for MCC + +For an [Intune](/mem/intune/) deployment, create a **Configuration Profile** and include the Cache Host eFlow IP Address or FQDN: + +:::image type="content" source="./images/ent-mcc-intune-do.png" alt-text="Screenshot of Intune showing the Delivery Optimization cache server host names."::: + +## Common Issues + +#### PowerShell issues + +If you're seeing errors similar to this error: `The term Get- isn't recognized as the name of a cmdlet, function, script file, or operable program.` + +1. Ensure you're running Windows PowerShell version 5.x. + +1. Run \$PSVersionTable and ensure you're running version 5.x and *not version 6 or 7*. + +1. Ensure you have Hyper-V enabled: + + **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v) + + **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server) + +#### Verify Running MCC Container + +Connect to the Connected Cache server and check the list of running IoT Edge modules using the following commands: + +```bash +Connect-EflowVm +sudo iotedge list +``` + +:::image type="content" source="./images/ent-mcc-iotedge-list.png" alt-text="Screenshot of the iotedge list command." lightbox="./images/ent-mcc-iotedge-list.png"::: + +If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager using the command: + +```bash +sudo journalctl -u iotedge -f +``` + +For example, this command will provide the current status of the starting, stopping of a container, or the container pull and start. + +:::image type="content" source="./images/ent-mcc-journalctl.png" alt-text="Screenshot of the output from journalctl -u iotedge -f." lightbox="./images/ent-mcc-journalctl.png"::: + +Use this command to check the IoT Edge Journal + +```bash +sudo journalctl -u iotedge -f +``` + +> [!NOTE] +> You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation. diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md new file mode 100644 index 0000000000..705448742b --- /dev/null +++ b/windows/deployment/do/mcc-enterprise-prerequisites.md @@ -0,0 +1,53 @@ +--- +title: Requirements for Microsoft Connected Cache (MCC) for Enterprise and Education +manager: dougeby +description: Overview of requirements for Microsoft Connected Cache (MCC) for Enterprise and Education. +ms.prod: w10 +author: amymzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Requirements of Microsoft Connected Cache for Enterprise and Education (early preview) + +**Applies to** + +- Windows 10 +- Windows 11 + +## Enterprise requirements for MCC + +1. **Azure subscription**: MCC management portal is hosted within Azure and is used to create the Connected Cache [Azure resource](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management) and IoT Hub resource. Both are free services. + + Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/). + + The resources used for the preview and in the future when this product is ready for production will be free to you, like other caching solutions. + +2. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. + + **EFLOW Requires Hyper-V support** + - On Windows client, enable the Hyper-V feature + - On Windows Server, install the Hyper-V role and create a default network switch + + Disk recommendations: + - Using an SSD is recommended as cache read speed of SSD is superior to HDD + + NIC requirements: + - Multiple NICs on a single MCC instance aren't supported. + - 1 Gbps NIC is the minimum speed recommended but any NIC is supported. + - For best performance, NIC and BIOS should support SR-IOV + + VM networking: + - An external virtual switch to support outbound and inbound network communication (created during the installation process) + +## Sizing recommendations + +| Component | Branch Office / Small Enterprise | Large Enterprise | +| -- | --- | --- | +| OS| Windows Server 2019*/2022
Windows 10*/11 (Pro or Enterprise) with Hyper-V Support

* Windows 10 and Windows Server 2019 build 17763 or later | Same | +|NIC | 1 Gbps | 5 Gbps | +|Disk | SSD
1 drive
50 GB each |SSD
1 drive
200 GB each | +|Memory | 4 GB | 8 GB | +|Cores | 4 | 8 | diff --git a/windows/deployment/do/mcc-enterprise-update-uninstall.md b/windows/deployment/do/mcc-enterprise-update-uninstall.md new file mode 100644 index 0000000000..60d0df68e3 --- /dev/null +++ b/windows/deployment/do/mcc-enterprise-update-uninstall.md @@ -0,0 +1,45 @@ +--- +title: Update or uninstall Microsoft Connected Cache for Enterprise and Education +manager: dougeby +description: Details on updating or uninstalling Microsoft Connected Cache (MCC) for Enterprise and Education. +ms.prod: w10 +author: amymzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: article +--- +# Update or uninstall Microsoft Connected Cache for Enterprise and Education + +Throughout the preview phase, we'll send you security and feature updates for MCC. Follow these steps to perform the update. + +## Update MCC + +Run the following command with the **arguments** we provided in the email to update your MCC: + +```powershell +# .\updatemcc.ps1 version="**\**" tenantid="**\**" customerid="**\**" cachenodeid="**\**" customerkey="**\**" +``` + +For example: + +```powershell +# .\updatemcc.ps1 version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.659" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99a" +``` + +## Uninstall MCC + +Please contact the MCC Team before uninstalling to let us know if you're facing issues. + +This script will remove the following items: + +1. EFLOW + Linux VM +1. IoT Edge +1. Edge Agent +1. Edge Hub +1. MCC +1. Moby CLI +1. Moby Engine + +To delete MCC, go to Control Panel \> Uninstall a program \> Select Azure IoT +Edge LTS \> Uninstall diff --git a/windows/deployment/do/mcc-enterprise.md b/windows/deployment/do/mcc-enterprise.md deleted file mode 100644 index 2063ed9e6c..0000000000 --- a/windows/deployment/do/mcc-enterprise.md +++ /dev/null @@ -1,545 +0,0 @@ ---- -title: Microsoft Connected Cache for Enterprise and Education (private preview) -manager: dougeby -description: Details on Microsoft Connected Cache (MCC) for Enterprise and Education. -ms.prod: windows-client -author: carmenf -ms.localizationpriority: medium -ms.author: carmenf -ms.collection: M365-modern-desktop -ms.topic: article -ms.technology: itpro-updates ---- - -# Microsoft Connected Cache for Enterprise and Education (private preview) - -**Applies to** - -- Windows 10 -- Windows 11 - -## Overview - -> [!IMPORTANT] -> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase does not include formal support, and should not be used for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). - -Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many physical servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying a client policy using your management tool, such as [Intune](/mem/intune/). - -MCC is a hybrid (a mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module; it's a Docker compatible Linux container that is deployed to your Windows devices. IoT Edge for Linux on Windows (EFLOW) was chosen because it's a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. - -Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container, deployment, and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs the following important functions to manage MCC on your edge device: - -1. Installs and updates MCC on your edge device. -2. Maintains Azure IoT Edge security standards on your edge device. -3. Ensures that MCC is always running. -4. Reports MCC health and usage to the cloud for remote monitoring. - -To deploy a functional MCC to your device, you must obtain the necessary keys that will provision the Connected Cache instance to communicate with Delivery Optimization services and enable the device to cache and deliver content. See [figure 1](#fig1) below for a summary of the architecture of MCC, built using IoT Edge. - -For more information about Azure IoT Edge, see [What is Azure IoT Edge](/azure/iot-edge/about-iot-edge). - -## How MCC works - -The following steps describe how MCC is provisioned and used. - -1. The Azure Management Portal is used to create MCC nodes. -2. The MCC container is deployed and provisioned to a server using the installer provided in the portal. -3. Client policy is configured in your management solution to point to the IP address or FQDN of the cache server. -4. Microsoft end-user devices make range requests for content from the MCC node. -5. An MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers content to the client. -6. Subsequent requests from end-user devices for content come from the cache. - -If an MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers. - - - -![eMCC img01](images/emcc01.png) - -Figure 1: **MCC processes**. Each number in the diagram corresponds to the steps described above. - - -## Enterprise requirements for MCC - -1. **Azure subscription**: MCC management portal is hosted within Azure and is used to create the Connected Cache [Azure resource](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management) and IoT Hub resource. Both are free services. - - Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you do not have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/). - - The resources used for the preview and in the future when this product is ready for production will be completely free to you, like other caching solutions. - -2. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. - - **EFLOW Requires Hyper-V support** - - On Windows client, enable the Hyper-V feature - - On Windows Server, install the Hyper-V role and create a default network switch - - Disk recommendations: - - Using an SSD is recommended as cache read speed of SSD is superior to HDD - - NIC requirements: - - Multiple NICs on a single MCC instance aren't supported. - - 1 Gbps NIC is the minimum speed recommended but any NIC is supported. - - For best performance, NIC and BIOS should support SR-IOV - - VM networking: - - An external virtual switch to support outbound and inbound network communication (created during the installation process) - -### Sizing recommendations - -| Component | Branch Office / Small Enterprise | Large Enterprise | -| -- | --- | --- | -| OS| Windows Server 2019*/2022
Windows 10*/11 (Pro or Enterprise) with Hyper-V Support

* Windows 10 and Windows Server 2019 build 17763 or later | Same | -|NIC | 1 Gbps | 5 Gbps | -|Disk | SSD
1 drive
50GB each |SSD
1 drive
200GB each | -|Memory | 4GB | 8GB | -|Cores | 4 | 8 | - -## Steps to deploy MCC - -To deploy MCC to your server: - -1. [Provide Microsoft with the Azure subscription ID](#provide-microsoft-with-the-azure-subscription-id) -2. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure) -3. [Create an MCC Node](#create-an-mcc-node-in-azure) -4. [Edit Cache Node Information](#edit-cache-node-information) -5. [Install MCC on a physical server or VM](#install-mcc-on-windows) -6. [Verify proper functioning MCC server](#verify-proper-functioning-mcc-server) -7. [Review common Issues](#common-issues) if needed. - -For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com) - -### Provide Microsoft with the Azure Subscription ID - -As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. - -> [!IMPORTANT] -> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step. - -For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](#steps-to-obtain-an-azure-subscription-id). - -### Create the MCC resource in Azure - -The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. - -Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you will be given a link to the Azure portal where you can create the resource described below. - -1. On the Azure portal home page, choose **Create a resource**: - ![eMCC img02](images/emcc02.png) - -2. Type **Microsoft Connected Cache** into the search box, and hit **Enter** to show search results. - -> [!NOTE] -> You'll not see Microsoft Connected Cache in the drop-down list. You need to type it and press enter to see the result. - -3. Select **Microsoft Connected Cache** and choose **Create** on the next screen to start the process of creating the MCC resource. - - ![eMCC img03](images/emcc03.png) - ![eMCC img04](images/emcc04.png) - -4. Fill in the required fields to create the MCC resource. - - - Choose the subscription that you provided to Microsoft. - - Azure resource groups are logical groups of resources. Create a new resource group and choose a name for your resource group. - - Choose **(US) West US** for the location of the resource. This choice will not impact MCC if the physical location isn't in the West US, it's just a limitation of the preview. - - > [!NOTE] - > Your MCC resource will not be created properly if you do not select **(US) West US** - - - Choose a name for the MCC resource. - - > [!NOTE] - > Your MCC resource must not contain the word **Microsoft** in it. - - ![eMCC img05](images/emcc05.png) - -5. Once all the information has been entered, click the **Review + Create** button. Once validation is complete, click the **Create** button to start the - resource creation. - - ![eMCC img06](images/emcc06.png) - -#### Error: Validation failed - -- If you get a Validation failed error message on your portal, it's likely because you selected the **Location** as **US West 2** or some other location that isn't **(US) West US**. -- To resolve this error, go to the previous step and choose **(US) West US**. - - ![eMCC img07](images/emcc07.png) - -### Create an MCC node in Azure - -Creating an MCC node is a multi-step process and the first step is to access the MCC private preview management portal. - -1. After the successful resource creation click on the **Go to resource**. -2. Under **Cache Node Management** section on the leftmost panel, click on **Cache Nodes**. - - ![eMCC img08](images/emcc08.png) - -3. On the **Cache Nodes** blade, click on the **Create Cache Node** button. - - ![eMCC img09](images/emcc09.png) - -4. Clicking the **Create Cache Node** button will open the **Create Cache Node** page; **Cache Node Name** is the only field required for cache node creation. - -| **Field Name** | **Expected Value** | **Description** | -|---------------------|--------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------| -| **Cache Node Name** | Alphanumeric name that includes no spaces. | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and cannot be changed later. | - -5. Enter the information for the **Cache Node** and click the **Create** button. - -![eMCC img9.5](images/emcc09.5.png) - -If there are errors, the form will provide guidance on how to correct the errors. - -Once the MCC node has been created, the installer instructions will be exposed. More details on the installer instructions will be addressed later in this article, in the [Install Connected Cache](#install-mcc-on-windows) section. - -![eMCC img10](images/emcc10.png) - -#### Edit cache node information - -Cache nodes can be deleted here by clicking the check box to the left of a **Cache Node Name** and then clicking the delete toolbar item. Be aware that if a cache node is deleted, there is no way to recover the cache node or any of the information related to the cache node. - -![eMCC img11](images/emcc11.png) - -### Install MCC on Windows - -Installing MCC on your Windows device is a simple process. A PowerShell script performs the following tasks: - - - Installs the Azure CLI - - Downloads, installs, and deploys EFLOW - - Enables Microsoft Update so EFLOW can stay up to date - - Creates a virtual machine - - Enables the firewall and opens ports 80 and 22 for inbound and outbound traffic. Port 80 is used by MCC, and port 22 is used for SSH communications. - - Configures Connected Cache tuning settings. - - Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge. - - Deploys the MCC container to server. - -#### Run the installer - -1. Download and unzip mccinstaller.zip from the create cache node page or cache node configuration page which contains the necessary installation files. - - ![eMCC img12](images/emcc12.png) - -Files contained in the mccinstaller.zip file: - - - **installmcc.ps1**: Main installer file. - - **installEflow.ps1**: Installs the necessary prerequisites such as the Linux VM, IoT Edge runtime, and Docker, and makes necessary host OS settings to optimize caching performance. - - **resourceDeploymentForConnectedCache.ps1**: Creates Azure cloud resources required to support MCC control plane. - - **mccdeployment.json**: Deployment manifest used by IoT Edge to deploy the MCC container and configure settings on the container, such as cache drive location sizes. - - **updatemcc.ps1**: The update script used to upgrade MCC to a particular version. - - **mccupdate.json**: Used as part of the update script - -1. Open Windows PowerShell as administrator and navigate to the location of these files. - -> [!NOTE] -> Ensure that Hyper-V is enabled on your device. -> Do not use PowerShell ISE, PowerShell 6.x, or PowerShell 7.x. Only Windows PowerShell version 5.x is supported. - - **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v) - - **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server) - -#### If you're installing MCC on a local virtual machine: - -1. Enable Nested Virtualization - - ```powershell - Set-VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true - ``` -2. Enable Mac Spoofing - ```powershell - Get-VMNetworkAdapter -VMName "VM name" | Set-VMNetworkAdapter -MacAddressSpoofing On - ``` - **Virtual machine should be in the OFF state while enabling Nested Virtualization and Mac Spoofing** - -3. Set the execution policy - - ```powershell - Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process - ``` - > [!NOTE] - > After setting the execution policy, you'll see a warning asking if you wish to change the execution policy. Choose **[A] Yes to All**. - -4. Copy the command from the portal and run it in Windows PowerShell - - ![eMCC img13](images/emcc13.png) - - > [!NOTE] - > After running the command, and multiple times throughout the installation process, you'll receive the following notice. **Please select [R] Run once to proceed**. - >
- >
Security warning - >
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\\Users\\mccinstaller\\Eflow\\installmcc.ps1? - >
- >
[D] Do not run **[R] Run once** [S] Suspend [?] Help (default is "D"): - -3. Choose whether you would like to create a new virtual switch or select an existing one. Name your switch and select the Net Adapter to use for the switch. A computer restart will be required if you're creating a new switch. - - > [!NOTE] - > Restarting your computer after creating a switch is recommended. You'll notice network delays during installation if the computer has not been restarted. - - If you restarted your computer after creating a switch, start from Step 2 above and skip step 5. - - ![eMCC img14](images/emcc14.png) - -4. Re-run the script after the restart. This time, choose **No** when asked to create a new switch. Enter the number corresponding to the switch you previously created. - - ![eMCC img15](images/emcc15.png) - -5. Decide whether you would like to use dynamic or static address for the Eflow VM - - ![eMCC img16](images/emcc16.png) - - > [!NOTE] - > Choosing a dynamic IP address might assign a different IP address when the MCC restarts. - >
A static IP address is recommended so you do not have to change this value in your management solution when MCC restarts. - -6. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and cores you would like to allocate for the VM. In this example, we chose the default values for all prompts. - -7. Follow the Azure Device Login link and sign into the Azure portal. - - ![eMCC img17](images/emcc17.png) - -8. If this is your first MCC deployment, please select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub. - - 1. You'll be shown a list of existing IoT Hubs in your Azure Subscription; Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter “1”** - - ![eMCC img18](images/emcc18.png) - ![eMCC img19](images/emcc19.png) - -9. Your MCC deployment is now complete. - - 1. If you do not see any errors, please continue to the next section to validate your MCC deployment. - 2. After validating your MCC is properly functional, please review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC. - 3. If you had errors during your deployment, see the [Troubleshooting](#troubleshooting) section in this article. - -### Verify proper functioning MCC server - -#### Verify Client Side - -Connect to the EFLOW VM and check if MCC is properly running: - -1. Open PowerShell as an Administrator -2. Enter the following commands: - -```powershell -Connect-EflowVm -sudo -s -iotedge list -``` - -![eMCC img20](images/emcc20.png) - -You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, please try this command in a few minutes. The MCC container can take a few minutes to deploy - -#### Verify server side - -For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace with the IP address of the cache server. - -```powershell -wget [http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com] -``` - -A successful test result will look like this: - -![eMCC img21](images/emcc21.png) - -OR - -![eMCC img22](images/emcc22.png) - -Similarly, enter this URL from a browser in the network: - -[http://YourCacheServerIP/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]() - -If the test fails, see the common issues section for more information. - -### Intune (or other management software) configuration for MCC - -For an Intune deployment, create a Configuration Profile and include the Cache Host eFlow IP Address or FQDN: - -![eMCC img23](images/emcc23.png) - -### Common Issues - -#### PowerShell issues - -If you're seeing errors similar to this: “The term ‘Get-Something’ isn't recognized as the name of a cmdlet, function, script file, or operable program.” - -1. Ensure you're running Windows PowerShell version 5.x. - -2. Run \$PSVersionTable and ensure you’re running version 5.x and *not version 6 or 7*. - -3. Ensure you have Hyper-V enabled: - - **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v) - - **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server) - -#### Verify Running MCC Container - -Connect to the Connected Cache server and check the list of running IoT Edge modules using the following commands: - -```bash -Connect-EflowVm -sudo iotedge list​ -``` - -![eMCC img24](images/emcc24.png) - -If edgeAgent and edgeHub containers are listed, but not “MCC”, you may view the status of the IoT Edge security manager using the command: - -```bash -sudo journalctl -u iotedge -f -``` - -For example, this command will provide the current status of the starting, stopping of a container, or the container pull and start as is shown in the sample below: - -![eMCC img25](images/emcc25.png) - -Use this command to check the IoT Edge Journal - -```bash -sudo journalctl -u iotedge –f -``` - -Please note: You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we have listed a few issues below that we hit during our internal validation. - -## Diagnostics Script - -If you're having issues with your MCC, we included a diagnostics script which will collect all your logs and zip them into a single file. You can then send us these logs via email for the MCC team to debug. - -To run this script: - -1. Navigate to the following folder in the MCC installation files: - - mccinstaller \> Eflow \> Diagnostics - -2. Run the following commands: - -```powershell -Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -.\collectMccDiagnostics.ps1 -``` - -3. The script stores all the debug files into a folder and then creates a tar file. After the script is finished running, it will output the path of the tar file which you can share with us (should be “**\**\\mccdiagnostics\\support_bundle_\$timestamp.tar.gz”) - -4. [Email the MCC team](mailto:mccforenterprise@microsoft.com?subject=Debugging%20Help%20Needed%20for%20MCC%20for%20Enterprise) and attach this file asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during out debugging process. - -## Update MCC - -Throughout the private preview phase, we will send you security and feature updates for MCC. Please follow these steps to perform the update. - -Run the following command with the **arguments** we provided in the email to update your MCC: - -```powershell -# .\updatemcc.ps1 version="**\**" tenantid="**\**" customerid="**\**" cachenodeid="**\**" customerkey="**\**" -``` -For example: -```powershell -# .\updatemcc.ps1 version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.659" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99a” -``` - -## Uninstall MCC - -Please contact the MCC Team before uninstalling to let us know if you're facing -issues. - -This script will remove the following: - -1. EFLOW + Linux VM -2. IoT Edge -3. Edge Agent -4. Edge Hub -5. MCC -6. Moby CLI -7. Moby Engine - -To delete MCC, go to Control Panel \> Uninstall a program \> Select Azure IoT -Edge LTS \> Uninstall - -## Appendix - -### Steps to obtain an Azure Subscription ID - -1. Sign in to https://portal.azure.com/ and navigate to the Azure services section. -2. Click on **Subscriptions**. If you do not see **Subscriptions**, click on the **More Services** arrow and search for **Subscriptions**. -3. If you already have an Azure Subscription, skip to step 5. If you do not have an Azure Subscription, select **+ Add** on the top left. -4. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the MCC service. -5. On the **Subscriptions** blade, you'll find details about your current subscription. Click on the subscription name. -6. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Click on the **Copy to clipboard** icon next to your Subscription ID to copy the value. - -### Troubleshooting - -If you’re not able to sign up for a Microsoft Azure subscription with the error: **Account belongs to a directory that cannot be associated with an Azure subscription. Please sign in with a different account.** See [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription). - -Also see [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up). - -### IoT Edge runtime - -The Azure IoT Edge runtime enables custom and cloud logic on IoT Edge devices. -The runtime sits on the IoT Edge device, and performs management and -communication operations. The runtime performs several functions: - -- Installs and update workloads (Docker containers) on the device. -- Maintains Azure IoT Edge security standards on the device. -- Ensures that IoT Edge modules (Docker containers) are always running. -- Reports module (Docker containers) health to the cloud for remote monitoring. -- Manages communication between an IoT Edge device and the cloud. - -For more information on Azure IoT Edge, please see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge). - -### EFLOW - -- [What is Azure IoT Edge for Linux on Windows](/azure/iot-edge/iot-edge-for-linux-on-windows) -- [Install Azure IoT Edge for Linux on Windows](/azure/iot-edge/how-to-provision-single-device-linux-on-windows-symmetric#install-iot-edge) -- [PowerShell functions for Azure IoT Edge for Linux on Windows](/azure/iot-edge/reference-iot-edge-for-linux-on-windows-functions) -- EFLOW FAQ and Support: [Support · Azure/iotedge-eflow Wiki (github.com)](https://github.com/Azure/iotedge-eflow/wiki/Support#how-can-i-apply-updates-to-eflow) -- [Now ready for Production: Linux IoT Edge Modules on Windows - YouTube](https://www.youtube.com/watch?v=pgqVCg6cxVU&ab_channel=MicrosoftIoTDevelopers) - -### Routing local Windows Clients to an MCC - -#### Get the IP address of your MCC using ifconfig - -There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the MCC. - -##### Registry Key - -You can either set your MCC IP address or FQDN using: - -1. Registry Key in 1709 and higher - - [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization]
- "DOCacheHost"=" " - - From an elevated command prompt: - - ``` - reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f - ``` - -2. MDM Path in 1809 or higher: - - .Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost - -3. In Windows release version 1809 and later, you can apply the policy via Group Policy Editor. The policy to apply is **DOCacheHost**. To configure the clients to pull content from the MCC using Group Policy, set the Cache Server Hostname (Setting found under Computer Configuration, Administrative Templates, Windows Components, Delivery Optimization) to the IP address of your MCC. For example 10.137.187.38. - - ![eMCC img26](images/emcc26.png) - -**Verify Content using the DO Client** - -To verify that the Delivery Optimization client can download content using MCC, you can use the following steps: - -1. Download a game or application from the Microsoft Store. - - ![eMCC img27](images/emcc27.png) - -2. Verify downloads came from MCC by one of two methods: - - - Using PowerShell Cmdlet Get-DeliveryOptimizationStatus you should see BytesFromCacheServer test - - ![eMCC img28](images/emcc28.png) - - - Looking at the Delivery Optimization Activity Monitor - - ![eMCC img29](images/emcc29.png) - -## Also see - -[Microsoft Connected Cache for ISPs](mcc-isp.md)
-[Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898) diff --git a/windows/deployment/do/mcc-isp-cache-node-configuration.md b/windows/deployment/do/mcc-isp-cache-node-configuration.md new file mode 100644 index 0000000000..ae5404b2ae --- /dev/null +++ b/windows/deployment/do/mcc-isp-cache-node-configuration.md @@ -0,0 +1,43 @@ +--- +title: Cache node configuration +manager: aaroncz +description: Configuring a cache node on Azure portal +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: amyzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Cache node configuration + +All cache node configuration will take place within Azure portal. This article outlines all of the settings that you'll be able to configure. + +## Settings + +| Field Name | Expected Value| Description | +| -- | --- | --- | +| **Cache node name** | Alphanumeric string that contains no spaces | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. | +| **Server IP address** | IPv4 address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. The IP address must be publicly accessible. | +| **Max allowable egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, 10,000 Mbps.| +| **Enable cache node** | Enable or Disable | You can choose to enable or disable a cache node at any time. | + +## Storage + +| Field Name | Expected Value| Description | +| -- | --- | --- | +| **Cache drive** | File path string | Up to 9 drives can be configured for each cache node to configure cache storage. Enter the file path to each drive. For example: /dev/folder/ | +| **Cache drive size in gigabytes** | Integer in GB | Set the size of each drive configured for the cache node. | + +## Client routing + +| Field Name | Expected Value| Description | +| -- | --- | --- | +| **Manual routing - Address range/CIDR blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: 2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24 | +| **BGP - Neighbor ASN** | ASN | When configuring BGP, enter the ASN(s) of your neighbors that you want to establish. | +| **BGP - Neighbor IP address** | IPv4 address | When configuring BGP, enter the IP address(es) of neighbors that you want to establish. | + diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md new file mode 100644 index 0000000000..e41c225b67 --- /dev/null +++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md @@ -0,0 +1,148 @@ +--- +title: Create, provision, and deploy the cache node in Azure portal +manager: aaroncz +description: Instructions for creating, provisioning, and deploying Microsoft Connected Cache for ISP on Azure portal +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: nidos +ms.localizationpriority: medium +ms.author: nidos +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Create, Configure, provision, and deploy the cache node in Azure portal + +**Applies to** + +- Windows 10 +- Windows 11 + +This article outlines how to create, provision, and deploy your Microsoft Connected Cache nodes. The creation and provisioning of your cache node takes place in Azure portal. The deployment of your cache node will require downloading an installer script that will be run on your cache server. + +> [!IMPORTANT] +> Before you can create your Microsoft Connected Cache, you will need to complete the [sign up process](mcc-isp-signup.md). You cannot proceed without signing up for our service. + +## Create cache node + +1. Open [Azure portal](https://www.portal.azure.com) and navigate to the **Microsoft Connected Cache** resource. + +1. Navigate to **Settings** > **Cache nodes** and select **Create Cache Node**. + +1. Provide a name for your cache node and select **Create** to create your cache node. + +## Configure cache node + +During the configuration of your cache node, there are many fields for you to configure your cache node. To learn more about the definitions of each field, review the [Configuration fields](#general-configuration-fields) at the bottom of this article. + +### Client routing + +Before serving traffic to your customers, client routing configuration is needed. During the configuration of your cache node in Azure portal, you'll be able to route your clients to your cache node. + +Microsoft Connected Cache offers two ways for you to route your clients to your cache node. The first method of manual entry involves uploading a comma-separated list of CIDR blocks that represents the clients. The second method of setting BGP (Border Gateway Protocol) is more automatic and dynamic, which is set up by establishing neighborships with other ASNs. All routing methods are set up within Azure portal. + +Once client routing and other settings are configured, your cache node will be able to download content and serve traffic to your customers. + +At this time, only IPv4 addresses are supported. IPv6 addresses aren't supported. + +#### Manual routing + +You can manually upload a list of your CIDR blocks in Azure portal to enable manual routing of your customers to your cache node. + +#### BGP routing + +BGP (Border Gateway Protocol) routing is another method offered for client routing. BGP dynamically retrieves CIDR ranges by exchanging information with routers to understand reachable networks. For an automatic method of routing traffic, you can choose to configure BGP routing in Azure portal. + +1. Navigate to **Settings** > **Cache nodes**. Select the cache node you wish to provision. + + :::image type="content" source="images/mcc-isp-provision-cache-node-numbered.png" alt-text="Screenshot of the Azure portal depicting the cache node configuration page of a cache node. This screenshot shows all of the fields you can choose to configure the cache node." lightbox="./images/mcc-isp-provision-cache-node-numbered.png"::: + +1. Enter the max allowable egress that your hardware can support. + +1. Under **Cache storage**, specify the location of the cache drives to store content along with the size of the cache drives in Gigabytes. +**Note:** Up to nine cache drives are supported. + +1. Under **Routing information**, select the routing method you would like to use. For more information, see [Client routing](#client-routing). + + - If you choose **Manual routing**, enter your address range/CIDR blocks. + - If you choose **BGP routing**, enter the ASN and IP addresses of the neighborship. + > [!NOTE] + > **Prefix count** and **IP Space** will stop displaying `0` when BGP is successfully established. + +## Deploy cache node software to server + +Once the user executes the cache server provisioning script, resources are created behind the scenes resulting in the successful cache node installation. The script takes the input of different IDs outlined below to register the server as an Azure IoT Edge device. Even though Microsoft Connected Cache scenario isn't related to IoT, Azure IoT Edge is installed for container management and communication operation purposes. + +### Components installed during provisioning + +#### IoT Edge + +IoT Edge performs several functions important to manage MCC on your edge device: + +1. Installs and updates MCC on your edge device. +1. Maintains Azure IoT Edge security standards on your edge device. +1. Ensures that MCC is always running. +1. Reports MCC health and usage to the cloud for remote monitoring. + +#### Docker container engine + +Azure IoT Edge relies on an OCI-compatible container runtime. The Moby engine is the only container engine officially supported with IoT Edge and is installed as part of the server provisioning process. + +### Components of the device provisioning script + +There are five IDs that the device provisioning script takes as input in order to successfully provision and install your cache server. The provisioning script will automatically include these keys, with no input necessary from the user. + +| ID | Description | +|---|---| +| Customer ID | A unique alphanumeric ID that the cache nodes are associated with. | +| Cache node ID | The unique alphanumeric ID of the cache node being provisioned. | +| Customer Key | The unique alphanumeric ID that provides secure authentication of the cache node to Delivery Optimization services. | +| Cache node name | The name of the cache node. | +| Tenant ID | The unique ID associated with the Azure account. | + +:::image type="content" source="images/mcc-isp-deploy-cache-node-numbered.png" alt-text="Screenshot of the server provisioning tab within cache node configuration in Azure portal."::: + +1. After completing cache node provisioning, navigate to the **Server provisioning** tab. Select **Download provisioning package** to download the installation package to your server. + +1. Open a terminal window in the directory where you would like to deploy your cache node and run the following command to change the access permission to the Bash script: + + ```bash + sudo chmod +x provisionmcc.sh + ``` + +1. Copy and paste the script command line shown in the Azure portal. + +1. Run the script in your server terminal for your cache node by . The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md). + + > [!NOTE] + > The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to reprovision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script. + +### General configuration fields + +| Field Name | Expected Value| Description | +|---|---|---| +| **Cache node name** | Alphanumeric string that contains no spaces | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. | +| **Server IP address** | IPv4 address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. The IP address must be publicly accessible. | +| **Max allowable egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, 10,000 Mbps.| +| **Enable cache node** | Enable or Disable | You can choose to enable or disable a cache node at any time. | + +### Storage fields + +> [!IMPORTANT] +> All cache drives must have read/write permissions set or the cache node will not function. +> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrive` + +| Field Name | Expected Value| Description | +|---|---|---| +| **Cache drive** | File path string | Up to 9 drives can be configured for each cache node to configure cache storage. Enter the file path to each drive. For example: `/dev/folder/` Each cache drive should have read/write permissions configured. | +| **Cache drive size in gigabytes** | Integer in GB | Set the size of each drive configured for the cache node. | + +### Client routing fields + +| Field Name | Expected Value| Description | +|---|---|---| +| **Manual routing - Address range/CIDR blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: 2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24 | +| **BGP - Neighbor ASN** | ASN | When configuring BGP, enter the ASN(s) of your neighbors that you want to establish. | +| **BGP - Neighbor IP address** | IPv4 address | When configuring BGP, enter the IP address(es) of neighbors that you want to establish. | diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml new file mode 100644 index 0000000000..19f6da7226 --- /dev/null +++ b/windows/deployment/do/mcc-isp-faq.yml @@ -0,0 +1,83 @@ +### YamlMime:FAQ +metadata: + title: Microsoft Connected Cache Frequently Asked Questions + description: The following article is a list of frequently asked questions for Microsoft Connected Cache. + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: amymzhou + ms.author: amymzhou + manager: aaroncz + audience: ITPro + ms.collection: + - M365-security-compliance + - highpri + ms.topic: faq + ms.date: 09/30/2022 + ms.custom: seo-marvel-apr2020 +title: Microsoft Connected Cache Frequently Asked Questions +summary: | + **Applies to** + - Windows 10 + - Windows 11 + +sections: + - name: Ignored + questions: + - question: Is this product a free service? + answer: Yes. Microsoft Connected Cache is a free service. + - question: What will Microsoft Connected Cache do for me? How will it impact our customers? + answer: As an ISP, your network can benefit from reduced load on your backbone and improve customer download experience for supported Microsoft static content. It will also help you save on CDN costs. + - question: Is there a non-disclosure agreement to sign? + answer: No, a non-disclosure agreement isn't required. + - question: What are the prerequisites and hardware requirements? + answer: | + - Azure subscription + - Hardware to host Microsoft Connected Cache: + + + [!INCLUDE [Microsoft Connected Cache Prerequisites](includes/mcc-prerequisites.md)] + + We have one customer who is able to achieve 40-Gbps egress rate using the following hardware specification: + - Dell PowerEdge R330 + - 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core + - 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s + - 4 - Transcend SSD230s 1 TB SATA Drives + Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated) + - question: Will I need to provide hardware BareMetal server or VM? + answer: Microsoft Connected Cache is a software-only caching solution and will require you to provide your own server to host the software. + - question: Can we use hard drives instead of SSDs? + answer: We highly recommend using SSDs as Microsoft Connected Cache is a read intensive application. We also recommend using multiple drives to improve performance. + - question: Will I need to manually enter the CIDR blocks? If I have multiple cache nodes, should I configure a subset of CIDR blocks to each cache node? + answer: You can choose to route your traffic using manual CIDR blocks or BGP. If you have multiple Microsoft Connected Cache(s), you can allocate subsets of CIDR blocks to each cache node if you wish. However, since Microsoft Connected Cache has automatic load balancing, we recommend adding all of your traffic to all of your cache nodes. + - question: Should I add any load balancing mechanism? + answer: You don't need to add any load balancing. Our service will take care of routing traffic if you have multiple cache nodes serving the same CIDR blocks based on the reported health of the cache node. + - question: How many Microsoft Connected Cache instances will I need? How do we set up if we support multiple countries? + answer: As stated in the table above, the recommended configuration will achieve near the maximum possible egress of 40 Gbps with a two-port link aggregated NIC and four cache drives. We have a feature coming soon that will help you estimate the number of cache nodes needed. If your ISP spans multiple countries, you can set up separate cache nodes per country. + - question: Where should we install Microsoft Connected Cache? + answer: You are in control of your hardware and you can pick the location based on your traffic and end customers. You can choose the location where you have your routers or where you have dense traffic or any other parameters. + - question: How long would a piece of content live within the Microsoft Connected Cache? Is content purged from the cache? + answer: Once a request for said content is made, NGINX will look at the cache control headers from the original acquisition. If that content has expired, NGINX will continue to serve the stale content while it's downloading the new content. We cache the content for 30 days. The content will be in the hot cache path (open handles and such) for 24 hrs, but will reside on disk for 30 days. The drive fills up and nginx will start to delete content based on its own algorithm, probably some combination of least recently used. + - question: What content is cached by Microsoft Connected Cache? + answer: For more information about content cached, see [Delivery Optimization and Microsoft Connected Cache content endpoints - Windows Deployment](delivery-optimization-endpoints.md). + - question: Does Microsoft Connected Cache support Xbox or Teams content? + answer: Currently, Microsoft Connected Cache doesn't support Xbox or Teams content. However, supporting Xbox content is of high priority, and we expect this feature soon. We'll let you know as soon as it becomes available! + - question: Is IPv6 supported? + answer: No, we don't currently support IPV6. We plan to support it in the future. + - question: Is Microsoft Connected Cache stable and reliable? + answer: We have already successfully onboarded ISPs in many countries around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers. + - question: How does Microsoft Connected Cache populate its content? + answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD. + - question: What do I do if I need more support and have more questions even after reading this FAQ page? + answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md). + - question: What CDNs will Microsoft Connected Cache pull content from? + answer: | + Microsoft relies on a dynamic mix of 1st and 3rd party CDN providers to ensure enough capacity, redundancy, and performance for the delivery of Microsoft served content. Though we don't provide lists of the CDN vendors we utilize as they can change without notice, our endpoints are public knowledge. If someone were to perform a series of DNS lookups against our endpoints (tlu.dl.delivery.mp.microsoft.com for example), they would be able to determine which CDN or CDNs were in rotation at a given point in time: + + $ dig +noall +answer tlu.dl.delivery.mp.microsoft.com | grep -P "IN\tA" + + c-0001.c-msedge.net. 20 IN A 13.107.4.50 + + $ whois 13.107.4.50|grep "Organization:" + + Organization: Microsoft Corporation (MSFT) diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md new file mode 100644 index 0000000000..352d4402b4 --- /dev/null +++ b/windows/deployment/do/mcc-isp-signup.md @@ -0,0 +1,86 @@ +--- +title: Operator sign up and service onboarding +manager: aaroncz +description: Service onboarding for Microsoft Connected Cache for ISP +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: nidos +ms.localizationpriority: medium +ms.author: nidos +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Operator sign up and service onboarding for Microsoft Connected Cache + +**Applies to** + +- Windows 10 +- Windows 11 + +This article details the process of signing up for Microsoft Connected Cache for Internet Service Providers (public preview). + +## Resource creation and sign up process + +1. Navigate to the [Azure portal](https://www.portal.azure.com). In the top search bar, search for **Microsoft Connected Cache**. + + :::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace."::: + +1. Select **Create** to create a **Microsoft Connected Cache**. When prompted, enter a name for your cache resource. + + > [!IMPORTANT] + > After your resource has been created, we need some information to verify your network operator status and approve you to host Microsoft Connected Cache nodes. Please ensure that your [Peering DB](https://www.peeringdb.com/) organization information is up to date as this information will be used for verification. The NOC contact email will be used to send verification information. +1. Navigate to **Settings** > **Sign up**. Enter your organization ASN. Indicate whether you're a transit provider. If so, additionally, include any ASN(s) for downstream network operators that you may transit traffic for. + + :::image type="content" source="./images/mcc-isp-sign-up.png" alt-text="Screenshot of the sign up page in the Microsoft Connected Cache resource page in Azure portal." lightbox="./images/mcc-isp-sign-up.png"::: + +1. Once we verify the information entered, a verification code will be sent to the NOC email address provided on [Peering DB](https://www.peeringdb.com/). Once you receive the email, navigate to your Azure portal > **Microsoft Connected Cache** > **Settings** > **Verify operator**, and enter the verification code sent to the NOC email address. + + > [!NOTE] + > Verification codes expire in 24 hours. You will need to generate a new code if it expires. + + :::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png"::: + +1. Once verified, follow the instructions in [Create, provision, and deploy cache node](mcc-isp-create-provision-deploy.md) to create your cache node. + + + +### Cache performance + +To make sure you're maximizing the performance of your cache node, review the following information: + +#### OS requirements + +The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. + +#### NIC requirements + +- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration. +- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported. + +#### Drive performance + +The maximum number of disks supported is 9. When configuring your drives, we recommend SSD drives as cache read speed of SSD is superior to HDD. In addition, using multiple disks is recommended to improve cache performance. + +RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping. + +### Hardware configuration example + +There are many hardware configurations that suit Microsoft Connected Cache. As an example, a customer has deployed the following hardware configuration and is able to achieve a peak egress of about 35 Gbps: + +**Dell PowerEdge R330** + +- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core +- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s +- 4 - Transcend SSD230s 1 TB SATA Drives +- Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated) + +### Virtual machines + +Microsoft Connected Cache supports both physical and virtual machines as cache servers. If you're using a virtual machine as your server, refer to [VM performance](mcc-isp-vm-performance.md) for tips on how to improve your VM performance. \ No newline at end of file diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md new file mode 100644 index 0000000000..a321ac671c --- /dev/null +++ b/windows/deployment/do/mcc-isp-support.md @@ -0,0 +1,51 @@ +--- +title: Support and troubleshooting +manager: aaroncz +description: Troubleshooting issues for Microsoft Connected Cache for ISP +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +audience: itpro +author: nidos +ms.localizationpriority: medium +ms.author: nidos +ms.collection: M365-modern-desktop +ms.topic: reference +--- + +# Support and troubleshooting + +**Applies to** + +- Windows 10 +- Windows 11 + +This article provides information on how to troubleshoot common issues with Microsoft Connected Cache for ISPs. +## Sign up errors + +### Cannot verify account + +During sign-up, we verify the information you provide against what is present in [Peering DB](https://www.peeringdb.com/). Make sure the information for your ISP entry on [Peering DB](https://www.peeringdb.com/) is up to date and matches what you provide during sign-up. + +### Invalid verification code + +During sign-up, a verification code is sent to your NOC email address present in [Peering DB](https://www.peeringdb.com/). This code expires in 24 hours. If it's expired, you'll need to request a new verification code to complete the sign-up. + +## Cache Node Errors + +### Cannot find my cache node + +Did you previously had access to your cache nodes but it's now no longer accessible? If so, it may be because you had a trial subscription, and its trial period ended. To resolve this issue, complete the following two steps: + +1. Create a new Azure Pay-As-You-Go subscription +1. Recreate the cache nodes using the new subscription + +## Steps to obtain an Azure subscription ID + + +[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)] + +## Recommended resources + +- [Pay-as-you-go-subscription](https://azure.microsoft.com/offers/ms-azr-0003p/) +- [Azure free account FAQs](https://azure.microsoft.com/free/free-account-faq/) + diff --git a/windows/deployment/do/mcc-isp-update.md b/windows/deployment/do/mcc-isp-update.md new file mode 100644 index 0000000000..c6bdfe27c8 --- /dev/null +++ b/windows/deployment/do/mcc-isp-update.md @@ -0,0 +1,58 @@ +--- +title: Update or uninstall your cache node +manager: aaroncz +description: How to update or uninstall your cache node +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: amyzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Update or uninstall your cache node + +This article details how to update or uninstall your cache node. + +## Update cache node + +Microsoft will release updates for Microsoft Connected Cache periodically to improve performance, functionality, and security. Updates won't require any action from the customer. Instead, when an update is available, your cache node will automatically update during low traffic hours with minimal to no impact to your end customers. + +To view which version your cache nodes are currently on, navigate to the **Cache nodes** tab to view the versions in the list view. + +## Uninstall cache node + +There are two main steps required to uninstall your cache node: + +1. Remove your cache node from Azure portal +1. Run the uninstall script to cleanly remove MCC from your server + +You must complete both steps to ensure a clean uninstall of your cache node. + +### Remove your cache node from Azure portal + +Within the [Azure portal](https://www.portal.azure.com), navigate to **Cache Nodes**, then select the cache node you wish to delete. Once selected, select **Delete** on the top bar to remove this cache node from your account. + +### Run the uninstall script to cleanly remove Microsoft Connected Cache from your server + +In the installer zip file, you'll find the file **uninstallmcc.sh**. This script uninstalls Microsoft Connected Cache and all the related components. Only run it if you're facing issues with Microsoft Connected Cache installation. + +The **uninstallmcc.sh** script removes the following components: + +- IoT Edge +- Edge Agent +- Edge Hub +- MCC +- Moby CLI +- Moby engine + +To run the script, use the following commands: + +```bash +sudo chmod +x uninstallmcc.sh +sudo ./uninstallmcc.sh + +``` diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md new file mode 100644 index 0000000000..22f8b3de86 --- /dev/null +++ b/windows/deployment/do/mcc-isp-verify-cache-node.md @@ -0,0 +1,80 @@ +--- +title: Verify cache node functionality and monitor health and performance +manager: aaroncz +description: How to verify the functionality of a cache node +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: amyzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Verify cache node functionality and monitor health and performance + +This article details how to verify that your cache node(s) are functioning properly and serving traffic. This article also details how to monitor your cache nodes. + +## Verify functionality on Azure portal + +Sign into the [Azure portal](https://www.portal.azure.com) and navigate to the **Overview** page. Select the **Monitoring** tab to verify the functionality of your server(s) by validating the number of healthy nodes shown. If you see any **Unhealthy nodes**, select the **Diagnose and Solve** link to troubleshoot and resolve the issue. + +## Verify functionality on the server + +It can take a few minutes for the container to deploy after you've saved the configuration. + +To validate a properly functioning MCC, run the following command in the terminal of the cache server or any device in the network. Replace `` with the IP address of the cache server. + +```bash +wget http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com +``` + +If successful, you'll see a terminal output similar to the following output: + +```bash +HTTP request sent, awaiting response... 200 OK +Length: 969710 (947K) [image/gif] +Saving to: 'wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com' + +wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com 100%[========================] +``` + +Similarly, enter the following URL into a web browser on any device on the network: + +```http +http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com +``` + +If the test fails, for more information, see the [FAQ](mcc-isp-faq.yml) article. + +## Monitor cache node health and performance + +Within Azure portal, there are many charts and graphs that are available to monitor cache node health and performance. + +### Available Metrics + +Within Azure portal, you're able to build your custom charts and graphs using the following available metrics: + +| Metric name | Description | +|---|---| +| **Cache Efficiency** | Cache efficiency is defined as the total cache hit bytes divided by all bytes requested. The higher this value (0 - 100%), the more efficient the cache node is. | +| **Healthy nodes** | The number of cache nodes that are reporting as healthy| +| **Unhealthy nodes**| The number of cache nodes that are reporting as unhealthy| +| **Maximum in**| The maximum egress (in Gbps) of inbound traffic| +| **Maximum out**| The maximum egress (in Gbps) of outbound traffic| +| **Average in**| The average egress (in Gbps) of inbound traffic| +| **Average out**| The average egress (in Gbps) of outbound traffic| + +For more information about how to build your custom charts and graphs, see [Azure Monitor](/azure/azure-monitor/essentials/data-platform-metrics). + +### Monitoring your metrics + +To view the metrics associated with your cache nodes, navigate to the **Overview** > **Monitoring** tab within the Azure portal. + +:::image type="content" source="./images/mcc-isp-metrics.png" alt-text="Screenshot of the Azure portal displaying the metrics view in the Overview tab."::: + +You can choose to monitor the health and performance of all cache nodes or one at a time by using the dropdown menu. The **Egress bits per second** graph shows your inbound and outbound traffic of your cache nodes over time. You can change the time range (1 hour, 12 hours, 1 day, 7 days, 14 days, and 30 days) by selecting the time range of choice on the top bar. + +If you're unable to view metrics for your cache node, it may be that your cache node is unhealthy, inactive, or hasn't been fully configured. diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md new file mode 100644 index 0000000000..6cb5ab9b45 --- /dev/null +++ b/windows/deployment/do/mcc-isp-vm-performance.md @@ -0,0 +1,36 @@ +--- +title: Enhancing VM performance +manager: aaroncz +description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: amyzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: reference +--- + +# Enhancing virtual machine performance + +In virtual environments, the cache server egress peaks at around 1.1 Gbps. If you want to maximize the egress in virtual environments, it's critical to change two settings. + +## Virtual machine settings + +Change the following settings to maximize the egress in virtual environments: + +1. Enable **Single Root I/O Virtualization (SR-IOV)** in the following three locations: + + - The BIOS of the MCC virtual machine + - The network card properties of the MCC virtual machine + - The hypervisor for the MCC virtual machine + + Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment. + +2. Enable high performance in the BIOS instead of energy savings. Microsoft has found this setting to also nearly double egress in a Microsoft Hyper-V deployment. + +## Next steps + +[Support and troubleshooting](mcc-isp-support.md) diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md index 9ac74d0930..055f86b888 100644 --- a/windows/deployment/do/mcc-isp.md +++ b/windows/deployment/do/mcc-isp.md @@ -5,17 +5,17 @@ ms.prod: windows-client ms.technology: itpro-updates ms.localizationpriority: medium author: amymzhou -ms.author: aaroncz +ms.author: amyzhou ms.reviewer: carmenf -manager: dougeby +manager: aaroncz ms.collection: M365-modern-desktop ms.topic: how-to ms.date: 05/20/2022 --- -# Microsoft Connected Cache for Internet Service Providers (ISPs) +# Microsoft Connected Cache for Internet Service Providers (early preview) -_Applies to_ +*Applies to* - Windows 10 - Windows 11 @@ -23,7 +23,7 @@ _Applies to_ ## Overview > [!IMPORTANT] -> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase doesn't include formal support. Instead, you'll be working directly with the product team to provide feedback on Microsoft Connected Cache. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> This document is for Microsoft Connected Cache (early preview). During this phase we invite customers to take part in early access for testing purposes. This phase doesn't include formal support. Instead, you'll be working directly with the product team to provide feedback on Microsoft Connected Cache. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within operator networks. MCC can be deployed to as many physical servers or VMs as needed and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads. @@ -31,15 +31,15 @@ Microsoft Connected Cache is a hybrid application, in that it's a mix of on-prem ## How MCC works -:::image type="content" source="images/imcc01.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="images/imcc01.png"::: +:::image type="content" source="./images/mcc-isp-diagram.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="./images/mcc-isp-diagram.png"::: The following steps describe how MCC is provisioned and used: 1. The Azure Management Portal is used to create and manage MCC nodes. -2. A shell script is used to provision the server and deploy the MCC application. +1. A shell script is used to provision the server and deploy the MCC application. -3. A combination of the Azure Management Portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server. +1. A combination of the Azure Management Portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server. - The publicly accessible IPv4 address of the server is configured on the portal. @@ -50,31 +50,31 @@ The following steps describe how MCC is provisioned and used: > [!NOTE] > Only IPv4 addresses are supported at this time. Entering IPv6 addresses will result in an error. -4. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node. +1. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node. -5. Microsoft clients make the range requests for content from the MCC node. +1. Microsoft clients make the range requests for content from the MCC node. -6. A MCC node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. +1. An MCC node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. -7. Subsequent requests from end-user devices for content will be served from cache. +1. Subsequent requests from end-user devices for content will be served from cache. -8. If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers. +1. If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers. ## ISP requirements for MCC ### Azure subscription -The MCC management portal is hosted within Azure. It's used to create the Connected Cache Azure resource and IoT Hub resource. Both are _free_ services. +The MCC management portal is hosted within Azure. It's used to create the Connected Cache Azure resource and IoT Hub resource. Both are *free* services. > [!NOTE] > If you request Exchange or Public peering in the future, business email addresses must be used to register ASNs. Microsoft doesn't accept Gmail or other non-business email addresses. -Your Azure subscription ID is first used to provision MCC services and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure free account FAQ](https://azure.microsoft.com/free/free-account-faq/). _Don't submit a trial subscription_ as you'll lose access to your Azure resources after the trial period ends. +Your Azure subscription ID is first used to provision MCC services and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure free account FAQ](https://azure.microsoft.com/free/free-account-faq/). *Don't submit a trial subscription* as you'll lose access to your Azure resources after the trial period ends. The resources used for the preview, and in the future when this product is ready for production, will be free to you - like other caching solutions. > [!IMPORTANT] -> To join the Microsoft Connected Cache private preview, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey). +> To join the Microsoft Connected Cache early preview, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey). ### Hardware to host the MCC @@ -89,7 +89,7 @@ This recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC #### NIC requirements -- Multiple NICs on a single MCC instance are supported using a _link aggregated_ configuration. +- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration. - 10 Gbps NIC is the minimum speed recommended, but any NIC is supported. ### Sizing recommendations @@ -97,10 +97,10 @@ This recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC The MCC module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. The following recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC. | Component | Minimum | Recommended | -| -- | --- | --- | +|---|---|---| | OS | Ubuntu 20.04 LTS VM or physical server | Ubuntu 20.04 LTS VM or physical server (preferred) | | NIC | 10 Gbps| at least 10 Gbps | -| Disk | SSD
1 drive
2 TB each |SSD
2-4 drives
at least 2 TB each | +| Disk | SSD
1 drive
2 TB each |SSD
2-4 drives
at least 2 TB each | | Memory | 8 GB | 32 GB or greater | | Cores | 4 | 8 or more | @@ -110,8 +110,8 @@ To deploy MCC: 1. [Provide Microsoft with your Azure subscription ID](#provide-microsoft-with-your-azure-subscription-id) 2. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure) -3. [Create a Cache Node](#create-a-mcc-node-in-azure) -4. [Configure Cache Node Routing](#edit-cache-node-information) +3. [Create a Cache Node](#create-an-mcc-node-in-azure) +4. [Configure Cache Node Routing](#edit-cache-node-information) 5. [Install MCC on a physical server or VM](#install-mcc) 6. [Verify properly functioning MCC server](#verify-properly-functioning-mcc-server) 7. [Review common issues if needed](#common-issues) @@ -135,20 +135,20 @@ Operators who have been given access to the program will be sent a link to the A 1. Choose **Create a resource**. - :::image type="content" source="images/imcc02.png" alt-text="Select the option to 'Create a resource' in the Azure portal."::: + :::image type="content" source="./images/mcc-isp-create-resource.png" alt-text="Screenshot of the option to 'Create a resource' in the Azure portal."::: 1. Type **Microsoft Connected Cache** into the search box and press **Enter** to show the search results. 1. Select **Microsoft Connected Cache**. - :::image type="content" source="images/imcc03.png" alt-text="Search the Azure Marketplace for 'Microsoft Connected Cache'."::: + :::image type="content" source="./images/mcc-isp-search-marketplace.png" alt-text="Screenshot of searching the Azure Marketplace for 'Microsoft Connected Cache'."::: > [!IMPORTANT] - > Don't select _Connected Cache Resources_, which is different from **Microsoft Connected Cache**. + > Don't select *Connected Cache Resources*, which is different from **Microsoft Connected Cache**. 1. Select **Create** on the next screen to start the process of creating the MCC resource. - :::image type="content" source="images/imcc04.png" alt-text="Select the option to Create the Microsoft Connected Cache service."::: + :::image type="content" source="./images/mcc-isp-create.png" alt-text="Screenshot of the Create option for the Microsoft Connected Cache service."::: 1. Fill in the following required fields to create the MCC resource: @@ -163,11 +163,11 @@ Operators who have been given access to the program will be sent a link to the A - Specify a **Connected Cache Resource Name**. - :::image type="content" source="images/imcc05.png" alt-text="Enter the required information to create a Connected Cache in Azure."::: + :::image type="content" source="./images/mcc-isp-location-west.png" alt-text="Screenshot of entering the required information, including the West US location, to create a Connected Cache in Azure."::: 1. Select **Review + Create**. Once validation is complete, select **Create** to start the resource creation. - :::image type="content" source="images/imcc06.png" alt-text="'Your deployment is complete' message displaying deployment details."::: + :::image type="content" source="./images/mcc-isp-deployment-complete.png" alt-text="'Screenshot of the 'Your deployment is complete' message displaying deployment details."::: #### Common Resource Creation Errors @@ -175,58 +175,55 @@ Operators who have been given access to the program will be sent a link to the A If you get the error message "Validation failed" in the Azure portal, it's likely because you selected the **Location** as **US West 2** or another unsupported location. To resolve this error, go to the previous step and choose **(US) West US** for the **Location**. -:::image type="content" source="images/imcc07.png" alt-text="'Validation failed' error message for Connected Cache in an unsupported location."::: - ##### Error: Could not create Marketplace item If you get the error message "Could not create marketplace item" in the Azure portal, use the following steps to troubleshoot: -- Make sure that you've selected **Microsoft Connected Cache** and not _Connected Cache resources_ while trying to create a MCC resource. +- Make sure that you've selected **Microsoft Connected Cache** and not *Connected Cache resources* while trying to create an MCC resource. - Make sure that you're using the same subscription that you provided to Microsoft and you have privileges to create an Azure resource. - If the issue persists, clear your browser cache and start in a new window. -### Create a MCC node in Azure +### Create an MCC node in Azure 1. After you successfully create the resource, select **Go to resource**. 1. Under the **Cache Node Management** section in the left panel, select **Cache Nodes**. - :::image type="content" source="images/imcc08.png" alt-text="The 'Cache Nodes' option in the Cache Node Management menu section."::: + :::image type="content" source="./images/mcc-isp-cache-nodes-option.png" alt-text="Screenshot of the 'Cache Nodes' option in the Cache Node Management menu section."::: 1. On the **Cache Nodes** section, select **Create Cache Node**. - :::image type="content" source="images/imcc09.png" alt-text="Select the 'Create Cache Node' option."::: + :::image type="content" source="./images/mcc-isp-create-cache-node-option.png" alt-text="Screenshot of the selecting the 'Create Cache Node' option."::: 1. This action opens the **Create Cache Node** page. The only required fields are **Cache Node Name** and **Max Allowable Egress (Mbps)**. | Field name | Expected value | Description | |--|--|--| | **Cache Node Name** | Alphanumeric name that includes no spaces. | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. | - | **Server IP Address** | IPv4 Address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. _The IP address must be publicly accessible._ | + | **Server IP Address** | IPv4 Address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. *The IP address must be publicly accessible.* | | **Max Allowable Egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, `10,000` Mbps. | | **Address Range/CIDR Blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: `2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24` | - | **Enable Cache Node** | Enable or Disable | **Enable** permits the cache node to receive content requests.
**Disable** prevents the cache node from receiving content requests.
Cache nodes are enabled by default. | + | **Enable Cache Node** | Enable or Disable | **Enable** permits the cache node to receive content requests.
**Disable** prevents the cache node from receiving content requests.
Cache nodes are enabled by default. | - :::image type="content" source="images/imcc10.png" alt-text="Available fields on the Create Cache Node page."::: + :::image type="content" source="./images/mcc-isp-create-cache-node-fields.png" alt-text="Screenshot of the available fields on the Create Cache Node page."::: > [!TIP] > The information icon next to each field provides a description. > - > :::image type="content" source="images/imcc11.png" alt-text="Create Cache Node page showing the description for the Server IP Address field."::: + > :::image type="content" source="./images/mcc-isp-node-server-ip.png" alt-text="Screenshot of the Create Cache Node page showing the description for the Server IP Address field."::: - > [!NOTE] - > After you create the cache node, if you return to this page, it populates the values for the two read-only fields: - > - > | Field name | Description | - > |--|--| - > | **IP Space** | Number of IP addresses that will be routed to your cache server. | - > | **Activation Keys** | Set of keys to activate your cache node with the MCC services. Copy the keys for use during install. The CustomerID is your Azure subscription ID. | + After you create the cache node, if you return to this page, it populates the values for the two read-only fields: + + | Field name | Description | + |--|--| + | **IP Space** | Number of IP addresses that will be routed to your cache server. | + | **Activation Keys** | Set of keys to activate your cache node with the MCC services. Copy the keys for use during install. The CustomerID is your Azure subscription ID. | 1. Enter the information to create the cache node, and then select **Create**. - :::image type="content" source="images/imcc12.png" alt-text="Select 'Create' on the Create Cache Node page."::: + :::image type="content" source="./images/mcc-isp-create-new-node.png" alt-text="Screenshot of selecting 'Create' on the Create Cache Node page."::: If there are errors, the page gives you guidance on how to correct the errors. For example: @@ -236,11 +233,11 @@ If there are errors, the page gives you guidance on how to correct the errors. F See the following example with all information entered: -:::image type="content" source="images/imcc13.png" alt-text="Create Cache Node page with all information entered."::: +:::image type="content" source="./images/mcc-isp-create-node-form.png" alt-text="Screenshot of the Create Cache Node page with all information entered."::: Once you create the MCC node, it will display the installer instructions. For more information on the installer instructions, see the [Install Connected Cache](#install-mcc) section. -:::image type="content" source="images/imcc14.png" alt-text="Cache node successfully created with Connected Cache installer instructions."::: +:::image type="content" source="./images/mcc-isp-success-instructions.png" alt-text="Screenshot of the Cache node successfully created with Connected Cache installer instructions."::: ### IP address space approval @@ -258,15 +255,15 @@ There are three states for IP address space. MCC configuration supports BGP and If your IP address space has this status, contact Microsoft for more information. -:::image type="content" source="images/imcc15.png" alt-text="A list of cache node names with example IP address space statuses."::: +:::image type="content" source="./images/mcc-isp-node-names.png" alt-text="Screenshot of a list of cache node names with example IP address space statuses."::: ## Edit cache node information -:::image type="content" source="images/imcc16.png" alt-text="Cache Nodes list in the Azure portal."::: +:::image type="content" source="./images/mcc-isp-list-nodes.png" alt-text="Screenshot of the Cache Nodes list in the Azure portal."::: To modify the configuration for existing MCC nodes in the portal, select the cache node name in the cache nodes list. This action opens the **Cache Node Configuration** page. You can edit the **Server IP Address** or **Address Range/CIDR Blocks** field. You can also enable or disable the cache node. -:::image type="content" source="images/imcc17.png" alt-text="Cache Node Configuration page, highlighting editable fields."::: +:::image type="content" source="./images/mcc-isp-node-configuration.png" alt-text="Screenshot of the Cache Node Configuration page, highlighting editable fields."::: To delete a cache node, select it in the cache nodes list, and then select **Delete** in the toolbar. If you delete a cache node, there's no way to recover it or any of the information related to the cache node. @@ -298,7 +295,7 @@ Before you start, make sure that you have a data drive configured on your server 1. From either **Create Cache Node** or **Cache Node Configuration** pages, select **Download Installer** to download the installer file. - :::image type="content" source="images/imcc18.png" alt-text="The Create Cache Node page highlighting the Download Installer action."::: + :::image type="content" source="./images/mcc-isp-installer-download.png" alt-text="Screenshot of the Create Cache Node page highlighting the Download Installer action."::: Unzip the **mccinstaller.zip** file, which includes the following installation files and folders: @@ -322,19 +319,19 @@ Before you start, make sure that you have a data drive configured on your server 1. In the Azure portal, in the Connected Cache installer instructions, copy the cache node installer Bash script command. Run the Bash script from the terminal. - :::image type="content" source="images/imcc19.png" alt-text="Copy the cache node installer Bash script in the Connected Cache installer instructions."::: + :::image type="content" source="./images/mcc-isp-copy-install-script.png" alt-text="Screenshot of the Copy option for the cache node installer Bash script in the Connected Cache installer instructions."::: 1. Sign in to the Azure portal with a device code. - :::image type="content" source="images/imcc20.png" alt-text="Bash script prompt to sign in to the Azure portal with a device code."::: + :::image type="content" source="./images/mcc-isp-bash-device-code.png" alt-text="Screenshot of the Bash script prompt to sign in to the Azure portal with a device code." lightbox="./images/mcc-isp-bash-device-code.png"::: 1. Specify the number of drives to configure. Use an integer value less than 10. - :::image type="content" source="images/imcc22.png" alt-text="Bash script prompt to enter the number of cache drives to configure."::: + :::image type="content" source="./images/mcc-isp-bash-drive-number.png" alt-text="Screenshot of the Bash script prompt to enter the number of cache drives to configure." lightbox="./images/mcc-isp-bash-drive-number.png"::: 1. Specify the location of the cache drives. For example, `/datadrive/` - :::image type="content" source="images/imcc23.png" alt-text="Bash script prompt to enter the location for cache drive."::: + :::image type="content" source="./images/mcc-isp-bash-datadrive.png" alt-text="Screenshot of the Bash script prompt to enter the location for cache drive." lightbox="./images/mcc-isp-bash-datadrive.png"::: > [!IMPORTANT] > The script changes the permission and ownership on the cache drive to **everyone** with the command `chmod 777`. @@ -350,15 +347,15 @@ Before you start, make sure that you have a data drive configured on your server 1. Specify an integer value as the size in GB for each cache drive. The minimum is `100` GB. - :::image type="content" source="images/imcc24.png" alt-text="Bash script prompt to enter the amount of space to allocate to the cache drive."::: + :::image type="content" source="./images/mcc-isp-bash-allocate-space.png" alt-text="Screenshot of the Bash script prompt to enter the amount of space to allocate to the cache drive." lightbox="./images/mcc-isp-bash-allocate-space.png"::: 1. Specify whether you have an existing IoT Hub. - - If this process is for your _first MCC deployment_, enter `n`. + - If this process is for your *first MCC deployment*, enter `n`. - - If you already have a MCC deployment, you can use an existing IoT Hub from your previous installation. Select `Y` to see your existing IoT Hubs. You can copy and paste the resulting IoT Hub name to continue. + - If you already have an MCC deployment, you can use an existing IoT Hub from your previous installation. Select `Y` to see your existing IoT Hubs. You can copy and paste the resulting IoT Hub name to continue. - :::image type="content" source="images/imcc25.png" alt-text="Bash script output with steps for existing IoT Hub."::: + :::image type="content" source="./images/mcc-isp-bash-iot-prompt.png" alt-text="Screenshot of the Bash script output with steps for existing IoT Hub." lightbox="./images/mcc-isp-bash-iot-prompt.png"::: 1. If you want to configure BGP, enter `y`. If you want to use manual entered prefixes for routing, enter `n` and skip to Step 16. You can always configure BGP at a later time using the Update Script. @@ -394,7 +391,7 @@ Before you start, make sure that you have a data drive configured on your server 1. To start routing using BGP, change the **Prefix Source** from **Manually Entered** to **Use BGP**. - :::image type="content" source="images/imcc55.PNG" alt-text="Cache node configuration with the Prefix Source set to Use BGP."::: + :::image type="content" source="./images/mcc-isp-use-bgp.png" alt-text="Screenshot of the Cache Node Configuration page with the Prefix Source set to Use BGP."::: 1. If there are no errors, go to the next section to verify the MCC server. @@ -415,7 +412,7 @@ Sign in to the Connected Cache server or use SSH. Run the following command from sudo iotedge list ``` -:::image type="content" source="images/imcc26.png" alt-text="Terminal output of iotedge list command, showing the running containers."::: +:::image type="content" source="./images/mcc-isp-running-containers.png" alt-text="Screenshot of the terminal output of iotedge list command, showing the running containers." lightbox="./images/mcc-isp-running-containers.png"::: If it lists the **edgeAgent** and **edgeHub** containers, but doesn't include **MCC**, view the status of the IoT Edge security manager using the command: @@ -425,7 +422,7 @@ sudo journalctl -u iotedge -f For example, this command provides the current status of the starting and stopping of a container, or the container pull and start: -:::image type="content" source="images/imcc27.png" alt-text="Terminal output of journalctl command for iotedge."::: +:::image type="content" source="./images/mcc-isp-edge-journalctl.png" alt-text="Terminal output of journalctl command for iotedge." lightbox="./images/mcc-isp-edge-journalctl.png"::: ### Verify server side @@ -439,7 +436,7 @@ wget http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.wind The following screenshot shows a successful test result: -:::image type="content" source="images/imcc28.png" alt-text="Terminal output of successful test result with wget command to validate a MCC."::: +:::image type="content" source="./images/mcc-isp-wget.png" alt-text="Screenshot of the terminal output of successful test result with wget command to validate a Microsoft Connected Cache." lightbox="./images/mcc-isp-wget.png"::: Similarly, enter the following URL into a web browser on any device on the network: @@ -484,7 +481,7 @@ To configure the device to work with your DNS, use the following steps: nmcli device show eno1 ``` - :::image type="content" source="images/imcc30.png" alt-text="Sample output of nmcli command to show network adapter information."::: + :::image type="content" source="images/mcc-isp-nmcli.png" alt-text="Screenshot of a sample output of nmcli command to show network adapter information." lightbox="./images/mcc-isp-nmcli.png"::: 1. Open or create the Docker configuration file used to configure the DNS server. @@ -535,7 +532,7 @@ To run the script: ## Updating your MCC -Throughout the private preview phase, Microsoft will release security and feature updates for MCC. Follow these steps to update your MCC. +Throughout the early preview phase, Microsoft will release security and feature updates for MCC. Follow these steps to update your MCC. Run the following commands, replacing the variables with the values provided in the email to update your MCC: @@ -553,7 +550,7 @@ sudo ./updatemcc.sh version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-u ### Configure BGP on an Existing MCC -If you have a MCC that's already active and running, follow the steps below to configure BGP. +If you have an MCC that's already active and running, follow the steps below to configure BGP. 1. Run the Update commands as described above. @@ -585,20 +582,12 @@ sudo ./uninstallmcc.sh ``` ## Appendix - + ### Steps to obtain an Azure subscription ID -1. Sign in to the [Azure portal](https://portal.azure.com/) and go to the **Azure services** section. + +[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)] -2. Select **Subscriptions**. If you don't see **Subscriptions**, select the **More Services** arrow and search for **Subscriptions**. - -3. If you already have an Azure subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left. - -4. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you won't be charged for using the MCC service. - -5. On the **Subscriptions** section, you'll find details about your current subscription. Select the subscription name. - -6. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. To copy the value, select the **Copy to clipboard** icon next to your subscription ID. ### Performance of MCC in virtual environments @@ -618,7 +607,7 @@ In virtual environments, the cache server egress peaks at around 1.1 Gbps. If yo More users can be given access to manage Microsoft Connected Cache, even if they don't have an Azure account. Once you've created the first cache node in the portal, you can add other users as **Owners** of the Microsoft Connected Cache resource group and the Microsoft Connected Cache resource. -For more information on how to add other users as an owner, see [Grant a user access to Azure resources using the Azure portal](/azure/role-based-access-control/quickstart-assign-role-user-portal). Make sure to do this action for both the _MCC resource_ and _MCC resource group_. +For more information on how to add other users as an owner, see [Grant a user access to Azure resources using the Azure portal](/azure/role-based-access-control/quickstart-assign-role-user-portal). Make sure to do this action for both the *MCC resource* and *MCC resource group*. ### Setting up a VM on Windows Server @@ -631,93 +620,93 @@ You can use hardware that will natively run Ubuntu 20.04 LTS, or you can run an 1. Start the **New Virtual Machine Wizard** in Hyper-V. - :::image type="content" source="images/imcc31.png" alt-text="The Before You Begin page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-begin.png" alt-text="Screenshot of the Before You Begin page of the Hyper-V New Virtual Machine Wizard."::: 1. Specify a name and choose a location. - :::image type="content" source="images/imcc32.png" alt-text="The Specify Name and Location page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-name.png" alt-text="Screenshot of the Specify Name and Location page in the Hyper-V New Virtual Machine Wizard."::: 1. Select **Generation 2**. You can't change this setting later. - :::image type="content" source="images/imcc33.png" alt-text="The Specify Generation page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-generation.png" alt-text="Screenshot of the Specify Generation page in the Hyper-V New Virtual Machine Wizard."::: 1. Specify the startup memory. - :::image type="content" source="images/imcc34.png" alt-text="The Assign Memory page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-memory.png" alt-text="Screenshot of the Assign Memory page of the Hyper-V New Virtual Machine Wizard."::: 1. Choose the network adapter connection. - :::image type="content" source="images/imcc35.png" alt-text="The Configure Networking page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-networking.png" alt-text="Screenshot of the Configure Networking page of the Hyper-V New Virtual Machine Wizard."::: 1. Set the virtual hard disk parameters. You should specify enough space for the OS and the content that will be cached. For example, `1024` GB is 1 terabyte. - :::image type="content" source="images/imcc36.png" alt-text="The Connect Virtual Hard Disk page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-disk.png" alt-text="Screenshot of the Connect Virtual Hard Disk page of the Hyper-V New Virtual Machine Wizard."::: 1. Select **Install an OS from a bootable image file** and browse to the ISO for Ubuntu 20.04 LTS that you previously downloaded. - :::image type="content" source="images/imcc37.png" alt-text="The Installation Options page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-installation-options.png" alt-text="Screenshot of the Installation Options page of the Hyper-V New Virtual Machine Wizard."::: 1. Review the settings and select **Finish** to create the Ubuntu VM. - :::image type="content" source="images/imcc38.png" alt-text="Completing the New Virtual Machine Wizard on Hyper-V."::: + :::image type="content" source="./images/mcc-isp-hyper-v-summary.png" alt-text="Screenshot of completing the New Virtual Machine Wizard on Hyper-V."::: 1. Before you start the Ubuntu VM, disable **Secure Boot** and allocate multiple cores to the VM. 1. In Hyper-V Manager, open the **Settings** for the VM. - :::image type="content" source="images/imcc39.png" alt-text="Open Settings for a VM in Hyper-V Manager."::: + :::image type="content" source="./images/mcc-isp-hyper-v-vm-settings.png" alt-text="Screenshot of the settings for a VM in Hyper-V Manager."::: 1. Select **Security**. Disable the option to **Enable Secure Boot**. - :::image type="content" source="images/imcc40.png" alt-text="Security page of VM settings in Hyper-V Manager."::: + :::image type="content" source="./images/mcc-isp-hyper-v-vm-security.png" alt-text="Screenshot of the security page from VM settings in Hyper-V Manager."::: 1. Select **Processor**. Increase the number of virtual processors. This example shows `12`, but your configuration may vary. - :::image type="content" source="images/imcc41.png" alt-text="Processor page of VM settings in Hyper-V Manager."::: + :::image type="content" source="./images/mcc-isp-hyper-v-vm-processor.png" alt-text="Screenshot of the processor page from VM settings in Hyper-V Manager."::: 1. Start the VM and select **Install Ubuntu**. - :::image type="content" source="images/imcc42.png" alt-text="GNU GRUB screen, select Install Ubuntu."::: + :::image type="content" source="./images/mcc-isp-gnu-grub.png" alt-text="Screenshot of the GNU GRUB screen, with Install Ubuntu selected."::: 1. Choose your default language. - :::image type="content" source="images/imcc43.png" alt-text="Ubuntu install, Welcome page, select language."::: + :::image type="content" source="./images/mcc-isp-ubuntu-language.png" alt-text="Screenshot of the Ubuntu install's language selection page."::: 1. Choose the options for installing updates and third party hardware. For example, download updates and install third party software drivers. 1. Select **Erase disk and install Ubuntu**. If you had a previous version of Ubuntu installed, we recommend erasing and installing Ubuntu 16.04. - :::image type="content" source="images/imcc45.png" alt-text="Ubuntu install, Installation type page, Erase disk and install Ubuntu."::: + :::image type="content" source="./images/mcc-isp-ubuntu-erase-disk.png" alt-text="Screenshot of the Ubuntu install Installation type page with the Erase disk and install Ubuntu option selected."::: Review the warning about writing changes to disk, and select **Continue**. - :::image type="content" source="images/imcc46.png" alt-text="Ubuntu install, 'Write the changes to disks' warning."::: + :::image type="content" source="./images/mcc-isp-ubuntu-write-changes.png" alt-text="Screenshot of the Ubuntu install's 'Write the changes to disks' warning."::: 1. Choose the time zone. - :::image type="content" source="images/imcc47.png" alt-text="Ubuntu install, 'Where are you page' to specify time zone."::: + :::image type="content" source="./images/mcc-isp-ubuntu-time-zone.png" alt-text="Screenshot of the Ubuntu install's 'Where are you page' to specify time zone."::: 1. Choose the keyboard layout. - :::image type="content" source="images/imcc48.png" alt-text="Ubuntu install, Keyboard layout page."::: + :::image type="content" source="./images/mcc-isp-ubuntu-keyboard.png" alt-text="Screenshot of the Ubuntu install's Keyboard layout page."::: 1. Specify your name, a name for the computer, a username, and a strong password. Select the option to **Require my password to log in**. > [!TIP] > Everything is case sensitive in Linux. - :::image type="content" source="images/imcc50.png" alt-text="Ubuntu install, 'Who are you' screen."::: + :::image type="content" source="./images/mcc-isp-ubuntu-who.png" alt-text="Screenshot of the Ubuntu install's, 'Who are you' screen."::: 1. To complete the installation, select **Restart now**. - :::image type="content" source="images/imcc51.png" alt-text="Ubuntu install, installation complete, restart now."::: + :::image type="content" source="./images/mcc-isp-ubuntu-restart.png" alt-text="Screenshot of the Ubuntu install's installation complete, restart now screen."::: 1. After the computer restarts, sign in with the username and password. > [!IMPORTANT] > If it shows that an upgrade is available, select **Don't upgrade**. > - > :::image type="content" source="images/imcc52.png" alt-text="Ubuntu install, Upgrade Available prompt, Don't Upgrade."::: + > :::image type="content" source="./images/mcc-isp-ubuntu-upgrade.png" alt-text="Screenshot of the Ubuntu install's Upgrade Available prompt with Don't Upgrade selected."::: Your Ubuntu VM is now ready to [Install MCC](#install-mcc). @@ -735,6 +724,6 @@ For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/ ## Related articles -[Microsoft Connected Cache for enterprise and education](mcc-enterprise.md) +[Microsoft Connected Cache overview](waas-microsoft-connected-cache.md) [Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898) diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md index d492d18d11..8888c9ec94 100644 --- a/windows/deployment/do/waas-microsoft-connected-cache.md +++ b/windows/deployment/do/waas-microsoft-connected-cache.md @@ -22,41 +22,40 @@ ms.technology: itpro-updates - Windows 11 > [!IMPORTANT] -> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase does not include formal support, and should not be used for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> Microsoft Connected Cache is currently a preview feature. To view our early preview documentation, visit [Microsoft Connected Cache for Internet Service Providers (ISPs)](mcc-isp.md). For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. -MCC is a hybrid (mix of on-prem and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. +MCC is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. -Even though your MCC scenario is not related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device: +Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device: 1. Installs and updates MCC on your edge device. -2. Maintains Azure IoT Edge security standards on your edge device. -3. Ensures that MCC is always running. -4. Reports MCC health and usage to the cloud for remote monitoring. +1. Maintains Azure IoT Edge security standards on your edge device. +1. Ensures that MCC is always running. +1. Reports MCC health and usage to the cloud for remote monitoring. To deploy a functional MCC to your device, you must obtain the necessary keys to provision the Connected Cache instance that communicates with Delivery Optimization services, and enable the device to cache and deliver content. The architecture of MCC is described below. -For more details information on Azure IoT Edge, please see the Azure IoT Edge [documentation](/azure/iot-edge/about-iot-edge). +For more information on Azure IoT Edge, see the Azure IoT Edge [documentation](/azure/iot-edge/about-iot-edge). ## How MCC Works 1. The Azure Management Portal is used to create MCC nodes. -2. The MCC container is deployed and provisioned to the server using the installer provided in the portal. -3. Client policy is set in your management solution to point to the IP address or FQDN of the cache server. -4. Microsoft end-user devices make range requests for content from the MCC node. -5. The MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. -6. Subsequent requests from end-user devices for content will now come from cache. -7. If the MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers. +1. The MCC container is deployed and provisioned to the server using the installer provided in the portal. +1. Client policy is set in your management solution to point to the IP address or FQDN of the cache server. +1. Microsoft end-user devices make range requests for content from the MCC node. +1. The MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. +1. Subsequent requests from end-user devices for content will now come from cache. +1. If the MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers. -See the following diagram. +The following diagram displays and overview of how MCC functions: -![MCC Overview](images/waas-mcc-diag-overview.png#lightbox) +:::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of MCC." lightbox="./images/waas-mcc-diag-overview.png"::: -For more information about MCC, see the following articles: -- [Microsoft Connected Cache for Enterprise and Education](mcc-enterprise.md) -- [Microsoft Connected Cache for ISPs](mcc-isp.md) -## Also see -[Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898) \ No newline at end of file +## Next steps + +- [Microsoft Connected Cache for Enterprise and Education](mcc-enterprise-prerequisites.md) +- [Microsoft Connected Cache for ISPs](mcc-isp-signup.md) diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md index 3609de6b15..35b2652d61 100644 --- a/windows/deployment/do/whats-new-do.md +++ b/windows/deployment/do/whats-new-do.md @@ -21,7 +21,7 @@ ms.technology: itpro-updates - Windows 10 - Windows 11 -## Microsoft Connected Cache (private preview) +## Microsoft Connected Cache (early preview) Microsoft Connected Cache (MCC) is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 7c6b7cb6ed..58bb72052d 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -6,12 +6,10 @@ summary: Learn about deploying and keeping Windows client devices up to date. # metadata: title: Windows client deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required + ms.topic: landing-page + ms.technology: itpro-apps + ms.prod: windows-client ms.collection: - - windows-10 - highpri author: frankroj ms.author: frankroj diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 5bae3977a7..eb154e5d93 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR) ms.prod: windows-client author: frankroj ms.author: frankroj -ms.date: 10/31/2022 +ms.date: 11/23/2022 manager: aaroncz ms.localizationpriority: high ms.topic: article @@ -15,18 +15,19 @@ ms.technology: itpro-deploy # MBR2GPT.EXE -**Applies to** -- Windows 10 +*Applies to:* -**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option. +- Windows 10 -MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later. +**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **`/allowFullOS`** option. + +MBR2GPT.EXE is located in the **`Windows\System32`** directory on a computer running Windows 10 version 1703 or later. The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version. See the following video for a detailed description and demonstration of MBR2GPT. - +> [!VIDEO https://www.youtube-nocookie.com/embed/hfJep4hmg9o] You can use MBR2GPT to: @@ -45,6 +46,7 @@ Offline conversion of system disks with earlier versions of Windows installed, s ## Disk Prerequisites Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that: + - The disk is currently using MBR - There's enough space not occupied by partitions to store the primary and secondary GPTs: - 16 KB + 2 sectors at the front of the disk @@ -66,21 +68,21 @@ If any of these checks fails, the conversion won't proceed, and an error will be | Option | Description | |----|-------------| -|/validate| Instructs MBR2GPT.exe to perform only the disk validation steps and report whether the disk is eligible for conversion. | -|/convert| Instructs MBR2GPT.exe to perform the disk validation and to proceed with the conversion if all validation tests pass. | -|/disk:\| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as used by the diskpart.exe tool **SELECT DISK SYSTEM** command.| -|/logs:\| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.| -|/map:\=\| Specifies other partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. | -|/allowFullOS| By default, MBR2GPT.exe is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.| +|**/validate**| Instructs `MBR2GPT.exe` to perform only the disk validation steps and report whether the disk is eligible for conversion. | +|**/convert**| Instructs `MBR2GPT.exe` to perform the disk validation and to proceed with the conversion if all validation tests pass. | +|**/disk:*\***| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as used by the diskpart.exe tool **SELECT DISK SYSTEM** command.| +|**/logs:*\***| Specifies the directory where `MBR2GPT.exe` logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.| +|**/map:*\*=*\***| Specifies other partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. | +|**/allowFullOS**| By default, `MBR2GPT.exe` is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.| ## Examples ### Validation example -In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location, **%windir%**. +In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location of **`%windir%`**. -```console -X:\>mbr2gpt /validate /disk:0 +```cmd +X:\>mbr2gpt.exe /validate /disk:0 MBR2GPT: Attempting to validate disk 0 MBR2GPT: Retrieving layout of disk MBR2GPT: Validating layout, disk sector size is: 512 @@ -92,16 +94,25 @@ MBR2GPT: Validation completed successfully In the following example: 1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. + 2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type. -2. The MBR2GPT tool is used to convert disk 0. -3. The DiskPart tool displays that disk 0 is now using the GPT format. -4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). -5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. + +3. The MBR2GPT tool is used to convert disk 0. + +4. The DiskPart tool displays that disk 0 is now using the GPT format. + +5. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). + +6. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly. -```console -X:\>DiskPart +
+
+ Expand to show MBR2GPT example + +```cmd +X:\>DiskPart.exe Microsoft DiskPart version 10.0.15048.0 @@ -219,6 +230,8 @@ Offset in Bytes: 524288000 * Volume 1 D Windows NTFS Partition 58 GB Healthy ``` +
+ ## Specifications ### Disk conversion workflow @@ -259,17 +272,18 @@ Since GPT partitions use a different set of type IDs than MBR partitions, each p 4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7). In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set: + - GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001) - GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000) For more information about partition types, see: + - [GPT partition types](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) - [MBR partition types](/windows/win32/fileio/disk-partition-types) - ### Persisting drive letter assignments -The conversion tool will attempt to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. +The conversion tool will attempt to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. > [!IMPORTANT] > This code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. @@ -293,7 +307,7 @@ Four log files are created by the MBR2GPT tool: - setupact.log - setuperr.log -These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. +These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. > [!NOTE] > The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory. @@ -302,12 +316,12 @@ The default location for all these log files in Windows PE is **%windir%**. ### Interactive help -To view a list of options available when using the tool, type **mbr2gpt /?** +To view a list of options available when using the tool, enter **`mbr2gpt.exe /?`** The following text is displayed: -```console -C:\> mbr2gpt /? +```cmd +C:\> mbr2gpt.exe /? Converts a disk from MBR to GPT partitioning without modifying or deleting data on the disk. @@ -348,19 +362,18 @@ MBR2GPT has the following associated return codes: | Return code | Description | |----|-------------| -|0| Conversion completed successfully.| -|1| Conversion was canceled by the user.| -|2| Conversion failed due to an internal error.| -|3| Conversion failed due to an initialization error.| -|4| Conversion failed due to invalid command-line parameters. | -|5| Conversion failed due to error reading the geometry and layout of the selected disk.| -|6| Conversion failed because one or more volumes on the disk is encrypted.| -|7| Conversion failed because the geometry and layout of the selected disk don't meet requirements.| -|8| Conversion failed due to error while creating the EFI system partition.| -|9| Conversion failed due to error installing boot files.| -|10| Conversion failed due to error while applying GPT layout.| -|100| Conversion to GPT layout succeeded, but some boot configuration data entries couldn't be restored.| - +|**0**| Conversion completed successfully.| +|**1**| Conversion was canceled by the user.| +|**2**| Conversion failed due to an internal error.| +|**3**| Conversion failed due to an initialization error.| +|**4**| Conversion failed due to invalid command-line parameters. | +|**5**| Conversion failed due to error reading the geometry and layout of the selected disk.| +|**6**| Conversion failed because one or more volumes on the disk is encrypted.| +|**7**| Conversion failed because the geometry and layout of the selected disk don't meet requirements.| +|**8**| Conversion failed due to error while creating the EFI system partition.| +|**9**| Conversion failed due to error installing boot files.| +|**10**| Conversion failed due to error while applying GPT layout.| +|**100**| Conversion to GPT layout succeeded, but some boot configuration data entries couldn't be restored.| ### Determining the partition type @@ -381,8 +394,8 @@ You can also view the partition type of a disk by opening the Disk Management to If Windows PowerShell and Disk Management aren't available, such as when you're using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example: -```console -X:\>DiskPart +```cmd +X:\>DiskPart.exe Microsoft DiskPart version 10.0.15048.0 @@ -405,15 +418,15 @@ In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is When you start a Windows 10, version 1903-based computer in the Windows Preinstallation Environment (Windows PE), you encounter the following issues: -**Issue 1** When you run the MBR2GPT.exe command, the process exits without converting the drive. +**Issue 1** When you run the `MBR2GPT.exe` command, the process exits without converting the drive. -**Issue 2** When you manually run the MBR2GPT.exe command in a Command Prompt window, there's no output from the tool. +**Issue 2** When you manually run the `MBR2GPT.exe` command in a Command Prompt window, there's no output from the tool. -**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a Microsoft Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. +**Issue 3** When `MBR2GPT.exe` runs inside an imaging process such as a Microsoft Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. #### Cause -This issue occurs because in Windows 10, version 1903 and later versions, MBR2GPT.exe requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later. +This issue occurs because in Windows 10, version 1903 and later versions, `MBR2GPT.exe` requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later. #### Workaround @@ -430,31 +443,31 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from **Command 1:** - ```console + ```cmd copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32" ``` - + This command copies three files: - * ReAgent.admx - * ReAgent.dll - * ReAgent.xml + - ReAgent.admx + - ReAgent.dll + - ReAgent.xml **Command 2:** - ```console + ```cmd copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us" ``` - + This command copies two files: - * ReAgent.adml - * ReAgent.dll.mui + - ReAgent.adml + - ReAgent.dll.mui > [!NOTE] > If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language. -3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image). +3. After you copy all the files, commit the changes and unmount the Windows PE WIM. `MBR2GPT.exe` now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image). ## Related articles diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml index bf3c38f95e..853855b43b 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml @@ -3,7 +3,8 @@ metadata: title: Windows 10 Enterprise FAQ for IT pros (Windows 10) description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools - ms.prod: w10 + ms.prod: windows-client + ms.technology: itpro-deploy ms.mktglfcycl: plan ms.localizationpriority: medium ms.sitesec: library diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml index 848e407d94..c234ad4992 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml @@ -8,7 +8,8 @@ metadata: ms.author: frankroj manager: aaroncz keywords: FAQ, mobile, device, USB - ms.prod: w10 + ms.prod: windows-client + ms.technology: itpro-deploy ms.mktglfcycl: deploy ms.pagetype: mobility ms.sitesec: library diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index eaba8cdb52..3fc8a55190 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md @@ -8,7 +8,7 @@ author: frankroj ms.author: frankroj ms.topic: article ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- @@ -20,15 +20,15 @@ S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update ## S mode key features -**Microsoft-verified security** +### Microsoft-verified security With Windows 10 in S mode, you'll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they're Microsoft-verified for security. You can also feel secure when you're online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware. -**Performance that lasts** +### Performance that lasts Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you'll enjoy a smooth, responsive experience, whether you're streaming HD video, opening apps, or being productive on the go. -**Choice and flexibility** +### Choice and flexibility Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don't find exactly what you want, you can easily [switch out of S mode](./windows-10-pro-in-s-mode.md) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below. @@ -49,6 +49,6 @@ The [MSIX Packaging Tool](/windows/application-management/msix-app-packaging-too ## Related links - [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode) -- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices) +- [S mode devices](https://www.microsoft.com/windows/view-all-devices) - [Windows Defender Application Control deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) -- [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) +- [Microsoft Defender for Endpoint](/microsoft-365/windows/microsoft-defender-atp) diff --git a/windows/deployment/update/images/wufb-do-overview.png b/windows/deployment/update/images/wufb-do-overview.png new file mode 100644 index 0000000000..bacdb44d25 Binary files /dev/null and b/windows/deployment/update/images/wufb-do-overview.png differ diff --git a/windows/deployment/update/wufb-reports-overview.md b/windows/deployment/update/wufb-reports-overview.md index 6315bbdd8c..f4206b0189 100644 --- a/windows/deployment/update/wufb-reports-overview.md +++ b/windows/deployment/update/wufb-reports-overview.md @@ -40,10 +40,11 @@ Currently, Windows Update for Business reports contains the following features: - UCClientReadinessStatus - UCClientUpdateStatus - UCDeviceAlert + - UCDOAggregatedStatus + - UCDOStatus - UCServiceUpdateStatus - UCUpdateAlert - - UCDOStatus - - UCDOAggregatedStatus + - Client data collection to populate the Windows Update for Business reports tables :::image type="content" source="media/wufb-reports-query-table.png" alt-text="Screenshot of using a custom Kusto (KQL) query on Windows Update for Business reports data in Log Analytics." lightbox="media/wufb-reports-query-table.png"::: diff --git a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md new file mode 100644 index 0000000000..7fae5b9b00 --- /dev/null +++ b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md @@ -0,0 +1,35 @@ +--- +title: Windows Update for Business reports Data Schema - UCDOAggregatedStatus +ms.reviewer: +manager: naengler +description: UCDOAggregatedStatus schema +ms.prod: windows-client +author: cmknox +ms.author: carmenf +ms.collection: M365-analytics +ms.topic: reference +ms.date: 11/17/2022 +ms.technology: itpro-updates +--- + +# UCDOAggregatedStatus + +***(Applies to: Windows 11 & Windows 10)*** + +UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled using [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do). + +|Field |Type |Example |Description | +|---|---|---|---| +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID | +| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.| +| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). | +| **BytesFromCDN** | [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). | +| **BytesFromGroupPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. | +| **BytesFromIntPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. | +| **BytesFromPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes delivered via all peers. | +| **ContentType** | [string](/azure/kusto/query/scalar-data-types/string) | `Driver Updates` | One of the supported types of content. | +| **DeviceCount** | [long](/azure/kusto/query/scalar-data-types/long) | `27077` | Number of devices. | +| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `6yy5y416-2d35-3yyf-ab5f-aea713e489d2` | Tenant ID | +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-11-17T22:11:40.1132971Z` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. | +| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UCDOAggregatedStatus` | The entity type. | diff --git a/windows/deployment/update/wufb-reports-schema-ucdostatus.md b/windows/deployment/update/wufb-reports-schema-ucdostatus.md new file mode 100644 index 0000000000..01ad6b186a --- /dev/null +++ b/windows/deployment/update/wufb-reports-schema-ucdostatus.md @@ -0,0 +1,55 @@ +--- +title: Windows Update for Business reports Data Schema - UCDOStatus +ms.reviewer: +manager: naengler +description: UCDOStatus schema +ms.prod: windows-client +author: cmknox +ms.author: carmenf +ms.collection: M365-analytics +ms.topic: reference +ms.date: 11/17/2022 +ms.technology: itpro-updates +--- + +# UCDOStatus + +***(Applies to: Windows 11 & Windows 10)*** + +UCDOStatus provides information, for a single device, on its bandwidth utilization across content types in the event they use [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do). + +|Field |Type |Example |Description | +|---|---|---|---| +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID | +| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.| +| **BWOptPercent7Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 7-day basis.| +| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). | +| **BytesFromCDN** | [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). | +| **BytesFromGroupPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. | +| **BytesFromIntPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. | +| **BytesFromPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes delivered via all peers. | +| **City** | [string](/azure/kusto/query/scalar-data-types/string) | `Redmond` | Approximate city where device was located while downloading content, based on IP address. | +| **ContentDownloadMode** | [int](/azure/kusto/query/scalar-data-types/int) | `1` | Device's Delivery Optimization Download Mode used to download content. | +| **ContentType** | [string](/azure/kusto/query/scalar-data-types/string) | `Driver Updates` | One of the supported types of content. | +| **Country** | [string](/azure/kusto/query/scalar-data-types/string) | `US` | Approximate country where device was located while downloading content, based on IP address. | +| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `DESKTOP-DO` | User or organization provided device name. If the value appears as '#', configure the device to send device name. | +| **DOStatusDescription** | [string](/azure/kusto/query/scalar-data-types/string) | `Downloading` | A short description of Delivery Optimization status, if any. | +| **DownloadMode** | [string](/azure/kusto/query/scalar-data-types/string) | `LAN (1)` | Delivery Optimization Download Mode configured on the device. | +| **DownloadModeSrc** | [string](/azure/kusto/query/scalar-data-types/string) | `MDM` | The source of the Download Mode configuration. | +| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft global device identifier. This identifier is used by Microsoft internally. | +| **GroupID** | [string](/azure/kusto/query/scalar-data-types/string) | `3suvw1efol0nmy8y9g8tfhtj1onwpsk9g9swpwnvfra=` | Delivery Optimization Group ID GUID value. | +| **ISP** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft Corporation` | Internet Service Provider estimation. | +| **LastCensusSeenTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The last time this device performed a successful census scan, if any. | +| **NoPeersCount** | [long](/azure/kusto/query/scalar-data-types/long) | `4` | Count of peers device interacted with. | +| **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10/11 operating system version currently installed on the device, such as 20H1, 21H2. | +| **PeerEligibleTransfers** | [long](/azure/kusto/query/scalar-data-types/long) | `5` | Total count of eligible transfers by peers. | +| **PeeringStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `On` | Delivery Optimization peering status. | +| **PeersCannotConnectCount** | [long](/azure/kusto/query/scalar-data-types/long) | `1` | Count of peers Delivery Optimization couldn't connect to. | +| **PeersSuccessCount** | [long](/azure/kusto/query/scalar-data-types/long) | `2` | Count of peers Delivery Optimization successfully connected to. | +| **PeersUnknownCount** | [long](/azure/kusto/query/scalar-data-types/long) | `0` | Count of peers with an unknown relation. | +| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) |`6yy5y416-2d35-3yyf-ab5f-aea713e489d2` | Tenant ID | +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-11-17T22:11:40.1132971Z` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. | +| **TotalTimeForDownload** | [string](/azure/kusto/query/scalar-data-types/string) | `00:02:11` | Total time to download content. | +| **TotalTransfers** | [long](/azure/kusto/query/scalar-data-types/long) | `304` | Total count of data transfers needed to download content. | +| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UCDOAggregatedStatus` | The entity type. | diff --git a/windows/deployment/update/wufb-reports-schema.md b/windows/deployment/update/wufb-reports-schema.md index 8b2936c9bc..27d15d676a 100644 --- a/windows/deployment/update/wufb-reports-schema.md +++ b/windows/deployment/update/wufb-reports-schema.md @@ -31,5 +31,7 @@ The following table summarizes the different tables that are part of the Windows |[**UCClientReadinessStatus**](wufb-reports-schema-ucclientreadinessstatus.md) | Device record | UCClientReadinessStatus is an individual device's record about its readiness for updating to Windows 11. If the device isn't capable of running Windows 11, the record includes which Windows 11 hardware requirements the device doesn't meet.| | [**UCClientUpdateStatus**](wufb-reports-schema-ucclientupdatestatus.md) | Device record | Update Event that combines the latest client-based data with the latest service-based data to create a complete picture for one device (client) and one update. | | [**UCDeviceAlert**](wufb-reports-schema-ucdevicealert.md)| Service and device record | These alerts are activated as a result of an issue that is device-specific. It isn't specific to the combination of a specific update and a specific device. Like UpdateAlerts, the AlertType indicates where the Alert comes from such as a ServiceDeviceAlert or ClientDeviceAlert. | +| [**UCDOAggregatedStatus**](wufb-reports-schema-ucdoaggregatedstatus.md)| Device record | UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled using Delivery Optimization and Microsoft Connected Cache. | +| [**UCDOStatus**](wufb-reports-schema-ucdostatus.md)| Device record | UCDOStatus provides information, for a single device, on its bandwidth utilization across content types in the event they use Delivery Optimization and Microsoft Connected Cache. | | [**UCServiceUpdateStatus**](wufb-reports-schema-ucserviceupdatestatus.md) | Service record | Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. | | [**UCUpdateAlert**](wufb-reports-schema-ucupdatealert.md) | Service and device records | Alert for both client and service update. Contains information that needs attention, relative to one device (client), one update, and one deployment, if relevant. Certain fields may be blank depending on the UpdateAlert's AlertType field. For example, ServiceUpdateAlert won't necessarily contain client-side statuses and may be blank. | diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md index 3d1083467a..cdaf2834c6 100644 --- a/windows/deployment/update/wufb-reports-workbook.md +++ b/windows/deployment/update/wufb-reports-workbook.md @@ -141,7 +141,7 @@ The **Device status** group for feature updates contains the following items: ## Delivery Optimization (preview tab) -The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes Microsoft Connected Cache (MCC) information. +The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes [Microsoft Connected Cache](/windows/deployment/do/waas-microsoft-connected-cache) information. At the top of the report, tiles display the following information: @@ -156,6 +156,8 @@ The Delivery Optimization tab is further divided into the following groups: - **Content Distribution**: Includes charts showing percentage volumes and GB volumes by source by content types. All content types are linked to a table for deeper filtering by **ContentType**, **AzureADTenantId**, and **GroupID**. - **Efficiency By Group**: This view provides filters commonly used ways of grouping devices. The provided filters include: **GroupID**, **City**, **Country**, and **ISP**. +:::image type="content" source="images/wufb-do-overview.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook for Delivery Optimization." lightbox="images/wufb-do-overview.png"::: + ## Customize the workbook Since the Windows Update for Business reports workbook is an [Azure Workbook template](/azure/azure-monitor/visualize/workbooks-templates), it can be customized to suit your needs. If you open a template, make some adjustments, and save it, the template is saved as a workbook. This workbook appears in green. The original template is left untouched. For more information about workbooks, see [Get started with Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started). diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md index 8862f18acc..64fe549a96 100644 --- a/windows/deployment/usmt/understanding-migration-xml-files.md +++ b/windows/deployment/usmt/understanding-migration-xml-files.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.prod: windows-client author: frankroj -ms.date: 11/01/2022 +ms.date: 11/23/2022 ms.topic: article ms.technology: itpro-deploy --- @@ -136,6 +136,9 @@ The default `MigUser.xml` file migrates the following data: > [!NOTE] > The asterisk (`*`) stands for zero or more characters. + > [!NOTE] + > The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default. + The default `MigUser.xml` file doesn't migrate the following data: - Files tagged with both the **Hidden** and **System** attributes. diff --git a/windows/deployment/usmt/usmt-faq.yml b/windows/deployment/usmt/usmt-faq.yml index f058fa2a8d..f22b052e29 100644 --- a/windows/deployment/usmt/usmt-faq.yml +++ b/windows/deployment/usmt/usmt-faq.yml @@ -3,11 +3,11 @@ metadata: title: 'Frequently Asked Questions (Windows 10)' description: 'Learn about frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0.' ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b - ms.reviewer: + ms.prod: windows-client + ms.technology: itpro-deploy author: frankroj ms.author: frankroj manager: aaroncz - ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library audience: itpro diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md index b4964f369a..9fac4ebca3 100644 --- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md +++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.prod: windows-client author: frankroj -ms.date: 11/01/2022 +ms.date: 11/23/2022 ms.topic: article ms.technology: itpro-deploy --- @@ -78,6 +78,9 @@ This section describes the user data that USMT migrates by default, using the `M > [!NOTE] > The asterisk (`*`) stands for zero or more characters. + > [!NOTE] + > The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default. + - **Access control lists.** USMT migrates access control lists (ACLs) for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named `File1.txt` that is **read-only** for **User1** and **read/write** for **User2**, these settings will still apply on the destination computer after the migration. > [!IMPORTANT] diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 1316467395..fbbf1013ee 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -11,12 +11,12 @@ ms.technology: itpro-fundamentals ms.localizationpriority: medium ms.topic: how-to ms.collection: M365-modern-desktop -ms.date: 10/31/2022 +ms.date: 11/23/2022 --- # Configure VDA for Windows subscription activation -Applies to: +*Applies to:* - Windows 10 - Windows 11 @@ -61,42 +61,55 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl ## Active Directory-joined VMs 1. Use the following instructions to prepare the VM for Azure: [Prepare a Windows VHD or VHDX to upload to Azure](/azure/virtual-machines/windows/prepare-for-upload-vhd-image) -2. (Optional) To disable network level authentication, type the following command at an elevated command prompt: + +2. (Optional) To disable network level authentication, enter the following command at an elevated command prompt: ```cmd - REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f + REG.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f ``` -3. At an elevated command prompt, type **sysdm.cpl** and press ENTER. +3. At an elevated command prompt, enter **sysdm.cpl**. + 4. On the Remote tab, choose **Allow remote connections to this computer** and then select **Select Users**. -5. Select **Add**, type **Authenticated users**, and then select **OK** three times. + +5. Select **Add**, enter **Authenticated users**, and then select **OK** three times. + 6. Follow the instructions to use sysprep at [Steps to generalize a VHD](/azure/virtual-machines/windows/prepare-for-upload-vhd-image#generalize-a-vhd) and then start the VM again. + 7. If you must activate Windows Pro as described for [scenario 3](#scenario-3), complete the following steps to use Windows Configuration Designer and inject an activation key. Otherwise, skip to step 8. 1. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). - 1. Open Windows Configuration Designer and select **Provision desktop services**. - 1. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name. + + 2. Open Windows Configuration Designer and select **Provision desktop services**. + + 3. Under **Name**, enter **Desktop AD Enrollment Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name. > [!NOTE] > You can use a different project name, but this name is also used with dism.exe in a later step. - 1. Under **Enter product key** type the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`. - 1. On the Set up network page, choose **Off**. - 1. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details. + 4. Under **Enter product key** enter the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`. + + 5. On the Set up network page, choose **Off**. + + 6. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details. > [!NOTE] > This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms). - 1. On the Add applications page, add applications if desired. This step is optional. - 1. On the Add certificates page, add certificates if desired. This step is optional. - 1. On the Finish page, select **Create**. - 1. In file explorer, open the VHD to mount the disk image. Determine the drive letter of the mounted image. - 1. Type the following command at an elevated command prompt. Replace the letter `G` with the drive letter of the mounted image, and enter the project name you used if it's different than the one suggested: + 7. On the Add applications page, add applications if desired. This step is optional. + + 8. On the Add certificates page, add certificates if desired. This step is optional. + + 9. On the Finish page, select **Create**. + + 10. In file explorer, open the VHD to mount the disk image. Determine the drive letter of the mounted image. + + 11. Enter the following command at an elevated command prompt. Replace the letter `G` with the drive letter of the mounted image, and enter the project name you used if it's different than the one suggested: ```cmd Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg" ``` - 1. Right-click the mounted image in file explorer and select **Eject**. + 12. Right-click the mounted image in file explorer and select **Eject**. 8. See the instructions at [Upload and create VM from generalized VHD](/azure/virtual-machines/windows/upload-generalized-managed#upload-the-vhd) to sign in to Azure, get your storage account details, upload the VHD, and create a managed image. @@ -107,33 +120,50 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl For Azure AD-joined VMs, follow the same instructions as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions: -- During setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it isn't for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. +- During setup with Windows Configuration Designer, under **Name**, enter a name for the project that indicates it isn't for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. + - During setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organization's credentials. + - When entering the PackagePath, use the project name you previously entered. For example, **Desktop Bulk Enrollment Token Pro GVLK.ppkg** + - When attempting to access the VM using remote desktop, you'll need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rdp-settings-for-azure). ## Azure Gallery VMs -1. (Optional) To disable network level authentication, type the following command at an elevated command prompt: +1. (Optional) To disable network level authentication, enter the following command at an elevated command prompt: ```cmd - REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f + REG.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f ``` -2. At an elevated command prompt, type `sysdm.cpl` and press ENTER. +2. At an elevated command prompt, enter `sysdm.cpl`. + 3. On the Remote tab, choose **Allow remote connections to this computer** and then select **Select Users**. -4. Select **Add**, type **Authenticated users**, and then select **OK** three times. + +4. Select **Add**, enter **Authenticated users**, and then select **OK** three times. + 5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). + 6. Open Windows Configuration Designer and select **Provision desktop services**. + 7. If you must activate Windows Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8. - 1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name. - 2. Under **Enter product key** type the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`. -8. Under **Name**, type **Desktop Bulk Enrollment**, select **Finish**, and then on the **Set up device** page enter a device name. + + 1. Under **Name**, enter **Desktop Bulk Enrollment Token Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name. + + 2. Under **Enter product key** enter the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`. + +8. Under **Name**, enter **Desktop Bulk Enrollment**, select **Finish**, and then on the **Set up device** page enter a device name. + 9. On the Set up network page, choose **Off**. + 10. On the Account Management page, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials. + 11. On the Add applications page, add applications if desired. This step is optional. + 12. On the Add certificates page, add certificates if desired. This step is optional. + 13. On the Finish page, select **Create**. + 14. Copy the PPKG file to the remote virtual machine. Open the provisioning package to install it. This process will restart the system. > [!NOTE] @@ -142,9 +172,13 @@ For Azure AD-joined VMs, follow the same instructions as for [Active Directory-j ## Create custom RDP settings for Azure 1. Open Remote Desktop Connection and enter the IP address or DNS name for the remote host. + 2. Select **Show Options**, and then under Connection settings select **Save As**. Save the RDP file to the location where you'll use it. + 3. Close the Remote Desktop Connection window and open Notepad. + 4. Open the RDP file in Notepad to edit it. + 5. Enter or replace the line that specifies authentication level with the following two lines of text: ```text @@ -162,4 +196,4 @@ For Azure AD-joined VMs, follow the same instructions as for [Active Directory-j [Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations) -[Whitepaper on licensing the Windows desktop for VDI environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf) \ No newline at end of file +[Whitepaper on licensing the Windows desktop for VDI environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf) diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index dfab934f9d..c0fe80dccc 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md @@ -8,14 +8,15 @@ ms.author: frankroj manager: aaroncz ms.topic: article ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # Windows Deployment Services (WDS) boot.wim support -Applies to: -- Windows 10 +*Applies to:* + +- Windows 10 - Windows 11 The operating system deployment functionality of [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831764(v=ws.11)) (WDS) is being partially deprecated. Starting with Windows 11, workflows that rely on **boot.wim** from installation media or on running Windows Setup in WDS mode will no longer be supported. @@ -38,7 +39,7 @@ The table below provides support details for specific deployment scenarios (Boot ## Reason for the change -Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images. +Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images. ## Not affected @@ -53,7 +54,7 @@ You can still run Windows Setup from a network share. Workflows that use a custo - Windows Server 2022 workflows that rely on **boot.wim** from installation media will show a non-blocking deprecation notice. The notice can be dismissed, and currently the workflow isn't blocked. - Windows Server workflows after Windows Server 2022 that rely on **boot.wim** from installation media are blocked. -If you currently use WDS with **boot.wim** from installation media for end-to-end operating system deployment, and your OS version isn't supported, deprecated, or blocked, it's recommended that you use deployment tools such as MDT, Configuration Manager, or a non-Microsoft solution with a custom boot.wim image. +If you currently use WDS with **boot.wim** from installation media for end-to-end operating system deployment, and your OS version isn't supported, deprecated, or blocked, it's recommended that you use deployment tools such as MDT, Configuration Manager, or a non-Microsoft solution with a custom boot.wim image. ## Also see diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md index d7d8c65cc3..677807d5c7 100644 --- a/windows/deployment/windows-10-deployment-posters.md +++ b/windows/deployment/windows-10-deployment-posters.md @@ -9,13 +9,14 @@ ms.prod: windows-client ms.technology: itpro-deploy ms.localizationpriority: medium ms.topic: reference -ms.date: 10/31/2022 +ms.date: 11/23/2022 --- # Windows 10 deployment process posters -**Applies to** -- Windows 10 +*Applies to:* + +- Windows 10 The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Configuration Manager. diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 4627e3d824..18e44ca25b 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -7,15 +7,15 @@ author: frankroj ms.prod: windows-client ms.localizationpriority: medium ms.topic: article -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # Windows 10 deployment scenarios -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 To successfully deploy the Windows 10 operating system in your organization, it's important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Key tasks include choosing among these scenarios and understanding the capabilities and limitations of each. @@ -55,9 +55,9 @@ The following tables summarize various Windows 10 deployment scenarios. The scen |[Refresh](#computer-refresh)|Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. | [Refresh a Windows 7 computer with Windows 10](/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager)| |[Replace](#computer-replace)|Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.| [Replace a Windows 7 computer with a Windows 10 computer](/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager)| ->[!IMPORTANT] ->The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
->Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. +> [!IMPORTANT] +> The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
+> Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. ## Modern deployment methods @@ -86,19 +86,19 @@ Scenarios that support in-place upgrade with some other procedures include chang - **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 doesn't require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. -- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: - - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) - - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options) +- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: + - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) + - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options) There are some situations where you can't use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: -- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. +- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. -- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. +- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. -- Updating existing images. It can be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image. But, it's not supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and won't work. When `Sysprep.exe` detects the upgraded OS, it will fail. +- Updating existing images. It can be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image. But, it's not supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and won't work. When `Sysprep.exe` detects the upgraded OS, it will fail. -- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS. If you use dual-boot or multi-boot systems with multiple operating systems (not using virtual machines for the second and subsequent operating systems), then extra care should be taken. +- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS. If you use dual-boot or multi-boot systems with multiple operating systems (not using virtual machines for the second and subsequent operating systems), then extra care should be taken. ## Dynamic provisioning @@ -106,7 +106,7 @@ For new PCs, organizations have historically replaced the version of Windows inc The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: -### Windows 10 Subscription Activation +### Windows 10 Subscription Activation Windows 10 Subscription Activation is a dynamic deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation). @@ -122,17 +122,17 @@ These scenarios can be used to enable "choose your own device" (CYOD) programs. While the initial Windows 10 release includes various provisioning settings and deployment mechanisms, provisioning settings and deployment mechanisms will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for more features through the Windows Feedback app or through their Microsoft Support contacts. -## Traditional deployment: +## Traditional deployment -New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). +New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important, and will continue to be available to organizations that need them. The traditional deployment scenario can be divided into different sub-scenarios. These sub-scenarios are explained in detail in the following sections, but the following list provides a brief summary: -- **New computer.** A bare-metal deployment of a new machine. -- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). -- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). +- **New computer**: A bare-metal deployment of a new machine. +- **Computer refresh**: A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). +- **Computer replace**: A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). ### New computer @@ -140,13 +140,13 @@ Also called a "bare metal" deployment. This scenario occurs when you have a blan The deployment process for the new machine scenario is as follows: -1. Start the setup from boot media (CD, USB, ISO, or PXE). +1. Start the setup from boot media (CD, USB, ISO, or PXE). -2. Wipe the hard disk clean and create new volume(s). +2. Wipe the hard disk clean and create new volume(s). -3. Install the operating system image. +3. Install the operating system image. -4. Install other applications (as part of the task sequence). +4. Install other applications (as part of the task sequence). After you follow these steps, the computer is ready for use. @@ -156,17 +156,17 @@ A refresh is sometimes called wipe-and-load. The process is normally initiated i The deployment process for the wipe-and-load scenario is as follows: -1. Start the setup on a running operating system. +1. Start the setup on a running operating system. -2. Save the user state locally. +2. Save the user state locally. -3. Wipe the hard disk clean (except for the folder containing the backup). +3. Wipe the hard disk clean (except for the folder containing the backup). -4. Install the operating system image. +4. Install the operating system image. -5. Install other applications. +5. Install other applications. -6. Restore the user state. +6. Restore the user state. After you follow these steps, the machine is ready for use. @@ -176,9 +176,9 @@ A computer replace is similar to the refresh scenario. However, since we're repl The deployment process for the replace scenario is as follows: -1. Save the user state (data and settings) on the server through a backup job on the running operating system. +1. Save the user state (data and settings) on the server through a backup job on the running operating system. -2. Deploy the new computer as a bare-metal deployment. +2. Deploy the new computer as a bare-metal deployment. > [!NOTE] > In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index 67864fbe6c..972ef1adaf 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -3,7 +3,7 @@ title: Windows 10/11 Enterprise E3 in CSP description: Describes Windows 10/11 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10/11 Enterprise edition. ms.prod: windows-client ms.localizationpriority: medium -ms.date: 10/31/2022 +ms.date: 11/23/2022 author: frankroj ms.author: frankroj manager: aaroncz @@ -15,16 +15,17 @@ ms.technology: itpro-deploy # Windows 10/11 Enterprise E3 in CSP -Applies to: +*Applies to:* + - Windows 10 - Windows 11 -Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available. +Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available. Windows 10/11 Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following prerequisites: -- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded. -- Azure Active Directory (Azure AD) available for identity management +- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded. +- Azure Active Directory (Azure AD) available for identity management You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before with no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro. @@ -32,22 +33,22 @@ Previously, only organizations with a Microsoft Volume Licensing Agreement could When you purchase Windows 10/11 Enterprise E3 via a partner, you get the following benefits: -- **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit doesn't include Long Term Service Branch (LTSB). -- **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program doesn't have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. -- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices. -- **Roll back to Windows 10/11 Pro at any time**. When a user's subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days). -- **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization. -- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. +- **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit doesn't include Long Term Service Branch (LTSB). +- **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program doesn't have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. +- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices. +- **Roll back to Windows 10/11 Pro at any time**. When a user's subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days). +- **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization. +- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. How does the Windows 10/11 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? -- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. -- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: +- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. +- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: - - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. - - **Training**. These benefits include training vouchers, online e-learning, and a home use program. - - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server. - - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums. + - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. + - **Training**. These benefits include training vouchers, online e-learning, and a home use program. + - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server. + - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums. In addition, in Windows 10/11 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses. @@ -60,15 +61,15 @@ In summary, the Windows 10/11 Enterprise E3 in CSP program is an upgrade offerin Windows 10 Enterprise edition has many features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management. -*Table 1. Windows 10 Enterprise features not found in Windows 10 Pro* +### Table 1. Windows 10 Enterprise features not found in Windows 10 Pro |Feature|Description| |--- |--- | -|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.

Credential Guard has the following features:

  • **Hardware-level security**. Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.
  • **Virtualization-based security**. Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.
  • **Improved protection against persistent threats**. Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.
  • **Improved manageability**. Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.

    For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).

    *Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*| -|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.

    Device Guard protects in the following ways:

  • Helps protect against malware
  • Helps protect the Windows system core from vulnerability and zero-day exploits
  • Allows only trusted apps to run

    For more information, see [Introduction to Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).| -|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

    For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).| -|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.

    For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).| -|User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.

    When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.

    UE-V provides the following features:

  • Specify which application and Windows settings synchronize across user devices
  • Deliver the settings anytime and anywhere users work throughout the enterprise
  • Create custom templates for your third-party or line-of-business applications
  • Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state

    For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).| +|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.

    Credential Guard has the following features:

  • **Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.
  • **Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.
  • **Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.
  • **Improved manageability** - Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.

    For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).

    *Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*| +|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.

    Device Guard protects in the following ways:
  • Helps protect against malware
  • Helps protect the Windows system core from vulnerability and zero-day exploits
  • Allows only trusted apps to run

    For more information, see [Introduction to Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).| +|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

    For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).| +|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.

    For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).| +|User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.

    When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.

    UE-V provides the following features:
  • Specify which application and Windows settings synchronize across user devices
  • Deliver the settings anytime and anywhere users work throughout the enterprise
  • Create custom templates for your third-party or line-of-business applications
  • Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state

    For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).| |Managed User Experience|This feature helps customize and lock down a Windows device's user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:
  • Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands
  • Removing Log Off (the User tile) from the Start menu
  • Removing frequent programs from the Start menu
  • Removing the All Programs list from the Start menu
  • Preventing users from customizing their Start screen
  • Forcing Start menu to be either full-screen size or menu size
  • Preventing changes to Taskbar and Start menu settings| ## Deployment of Windows 10/11 Enterprise E3 licenses @@ -88,41 +89,39 @@ The following sections provide you with the high-level tasks that need to be per You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10/11 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods: -- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices. +- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices. -- **Manual**. You can manually turn on Credential Guard by taking one of the following actions: +- **Manual**. You can manually turn on Credential Guard by taking one of the following actions: - - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM). + - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM). - - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). + - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). You can automate these manual steps by using a management tool such as Microsoft Configuration Manager. For more information about implementing Credential Guard, see the following resources: -- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) -- [PC OEM requirements for Device Guard and Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations) -- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337) - - +- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) +- [PC OEM requirements for Device Guard and Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations) +- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337) ### Device Guard Now that the devices have Windows 10/11 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps: -1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To sign catalog files or code integrity policies internally, you'll either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you'll need to create a code signing certificate. +1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To sign catalog files or code integrity policies internally, you'll either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you'll need to create a code signing certificate. -2. **Create code integrity policies from "golden" computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up "golden" computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. +2. **Create code integrity policies from "golden" computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up "golden" computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. -3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use "audit mode" to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. +3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use "audit mode" to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. -4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy. +4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy. -5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies. +5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies. -6. **Deploy code integrity policies and catalog files**. After you confirm that you've completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly. +6. **Deploy code integrity policies and catalog files**. After you confirm that you've completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly. -7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies. +7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies. For more information about implementing Device Guard, see: @@ -139,19 +138,20 @@ For more information about AppLocker management by using Group Policy, see [AppL App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that you must have are as follows: -- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server. +- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server. -- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app. +- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app. -- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10/11 Enterprise E3 devices. +- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10/11 Enterprise E3 devices. For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources: -- [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started) -- [Deploying the App-V server](/windows/application-management/app-v/appv-deploying-the-appv-server) -- [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client) +- [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started) +- [Deploying the App-V server](/windows/application-management/app-v/appv-deploying-the-appv-server) +- [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client) ### UE-V + UE-V requires server and client-side components that you'll need to download, activate, and install. These components include: - **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices. @@ -174,16 +174,16 @@ For more information about deploying UE-V, see the following resources: The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain. -*Table 2. Managed User Experience features* +#### Table 2. Managed User Experience features | Feature | Description | |------------------|-----------------| | Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. The XML file enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
    For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](/windows/configuration/customize-windows-10-start-screens-by-using-group-policy). | -| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it can't recover.
    For more information on these settings, see [Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot). | -| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
    For more information on these settings, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). | -| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
    For more information on these settings, see [Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher). | -| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This isn't desirable on devices intended for a dedicated purpose.
    For more information on these settings, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). | -| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
    For more information on these settings, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). | +| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it can't recover.
    For more information on these settings, see [Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot). | +| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
    For more information on these settings, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). | +| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
    For more information on these settings, see [Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher). | +| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This isn't desirable on devices intended for a dedicated purpose.
    For more information on these settings, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). | +| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
    For more information on these settings, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). | ## Related articles diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index 6668d42e52..66d08877b8 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md @@ -3,7 +3,7 @@ title: Windows 10 volume license media description: Learn about volume license media in Windows 10, and channels such as the Volume License Service Center (VLSC). ms.prod: windows-client ms.localizationpriority: medium -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.reviewer: manager: aaroncz ms.author: frankroj @@ -14,9 +14,9 @@ ms.technology: itpro-deploy # Windows 10 volume license media -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 With each release of Windows 10, volume license media is made available on the [Volume Licensing Service Center](https://www.microsoft.com/vlsc) (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. This article provides a description of volume license media, and describes some of the changes that have been implemented with the current release of Windows 10. @@ -29,7 +29,7 @@ When you select a product, for example "Windows 10 Enterprise" or "Windows 10 Ed > [!NOTE] > If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx). -Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. +Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. ### Language packs @@ -47,4 +47,4 @@ Features on demand is a method for adding features to your Windows 10 image that
    [Volume Activation for Windows 10](./volume-activation/volume-activation-windows-10.md)
    [Plan for volume activation](./volume-activation/plan-for-volume-activation-client.md)
    [VLSC downloads FAQ](https://www.microsoft.com/Licensing/servicecenter/Help/FAQDetails.aspx?id=150) -
    [Download and burn an ISO file on the volume licensing site (VLSC)](/troubleshoot/windows-client/deployment/iso-file-on-vlsc) \ No newline at end of file +
    [Download and burn an ISO file on the volume licensing site (VLSC)](/troubleshoot/windows-client/deployment/iso-file-on-vlsc) diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md index 3c0da5a490..364c23a213 100644 --- a/windows/deployment/windows-10-missing-fonts.md +++ b/windows/deployment/windows-10-missing-fonts.md @@ -7,12 +7,12 @@ author: frankroj ms.author: frankroj manager: aaroncz ms.topic: article -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # How to install fonts that are missing after upgrading to Windows client -**Applies to** +*Applies to:* - Windows 10 - Windows 11 @@ -36,7 +36,7 @@ For example, if you've an English, French, German, or Spanish version of Windows If you want to use these fonts, you can enable the optional feature to add them back to your system. The removal of these fonts is a permanent change in behavior for Windows client, and it will remain this way in future releases. -## Installing language-associated features via language settings: +## Installing language-associated features via language settings If you want to use the fonts from the optional feature and you know that you'll want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. Use the Settings app. @@ -57,7 +57,7 @@ Once you've added Hebrew to your language list, then the optional Hebrew font fe > [!NOTE] > The optional features are installed by Windows Update. You need to be online for the Windows Update service to work. -## Install optional fonts manually without changing language settings: +## Install optional fonts manually without changing language settings If you want to use fonts in an optional feature but don't need to search web pages, edit documents, or use apps in the associated language, you can install the optional font features manually without changing your language settings. diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index 89f8d25fe4..3741412fbb 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -3,7 +3,7 @@ title: Step by step - Deploy Windows 10 in a test lab using MDT description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT). ms.prod: windows-client ms.localizationpriority: medium -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.reviewer: manager: aaroncz ms.author: frankroj @@ -14,23 +14,26 @@ ms.technology: itpro-deploy # Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 > [!IMPORTANT] -> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: -- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) - -Complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide: -- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) +> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: +> +> [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) +> +> Complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide: +> +> [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): + - **DC1**: A contoso.com domain controller, DNS server, and DHCP server. - **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. - **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network. -This guide uses the Hyper-V server role. If you don't complete all steps in a single session, consider using [checkpoints](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn818483(v=ws.11)) and [saved states](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee247418(v=ws.10)) to pause, resume, or restart your work. +This guide uses the Hyper-V server role. If you don't complete all steps in a single session, consider using [checkpoints](/virtualization/hyper-v-on-windows/user-guide/checkpoints) to pause, resume, or restart your work. ## In this guide @@ -50,10 +53,13 @@ Topics and procedures in this guide are summarized in the following table. An es ## About MDT -MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods. +MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods. + - LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction. + - ZTI is fully automated, requiring no user interaction and is performed using MDT and Microsoft Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment. -- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Configuration Manager. + +- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Configuration Manager. ## Install MDT @@ -80,11 +86,12 @@ MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch A reference image serves as the foundation for Windows 10 devices in your organization. -1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: +1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and enter the following command: ```powershell Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso ``` + 2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D. 3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**. @@ -108,7 +115,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi 9. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**. -10. Use the following settings for the Import Operating System Wizard: +10. Use the following settings for the Import Operating System Wizard: - OS Type: **Full set of source files**
    - Source: **D:\\**
    - Destination: **W10Ent_x64**
    @@ -119,6 +126,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi For purposes of this test lab, we'll only add the prerequisite .NET Framework feature. Commercial applications (ex: Microsoft Office) won't be added to the deployment share. For information about adding applications, see the [Add applications](./deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) article. 11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: **REFW10X64-001**
    - Task sequence name: **Windows 10 Enterprise x64 Default Image**
    - Task sequence comments: **Reference Build**
    @@ -143,7 +151,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi 16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**. 17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. - + > [!NOTE] > Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. @@ -153,7 +161,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi 20. Replace the default rules with the following text: - ```text + ```ini [Settings] Priority=Default @@ -188,7 +196,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi 21. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: - ```text + ```ini [Settings] Priority=Default @@ -211,7 +219,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi > [!TIP] > To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. -26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: +26. Open a Windows PowerShell prompt on the Hyper-V host computer and enter the following commands: ```powershell New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB @@ -221,21 +229,21 @@ A reference image serves as the foundation for Windows 10 devices in your organi vmconnect localhost REFW10X64-001 ``` - The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file. + The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file. 27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**. 28. Accept the default values on the Capture Image page, and select **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (don't press a key). The process is fully automated. - Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: + Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: - - Install the Windows 10 Enterprise operating system. - - Install added applications, roles, and features. - - Update the operating system using Windows Update (or WSUS if optionally specified). - - Stage Windows PE on the local disk. - - Run System Preparation (Sysprep) and reboot into Windows PE. - - Capture the installation to a Windows Imaging (WIM) file. - - Turn off the virtual machine.

    + - Install the Windows 10 Enterprise operating system. + - Install added applications, roles, and features. + - Update the operating system using Windows Update (or WSUS if optionally specified). + - Stage Windows PE on the local disk. + - Run System Preparation (Sysprep) and reboot into Windows PE. + - Capture the installation to a Windows Imaging (WIM) file. + - Turn off the virtual machine.

    This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**. @@ -244,6 +252,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT. 1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then select **New Deployment Share**. Use the following values in the New Deployment Share Wizard: + - **Deployment share path**: C:\MDTProd - **Share name**: MDTProd$ - **Deployment share description**: MDT Production @@ -259,7 +268,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, select **Open**, and then select **Next**. -7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. +7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. 8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** select **OK** and then select **Next**. @@ -274,6 +283,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, select **New Folder** and create a folder with the name: **Windows 10**. 2. Right-click the **Windows 10** folder created in the previous step, and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: W10-X64-001 - Task sequence name: Windows 10 Enterprise x64 Custom Image - Task sequence comments: Production Image @@ -282,22 +292,23 @@ This procedure will demonstrate how to deploy the reference image to the PoC env - Specify Product Key: Don't specify a product key at this time - Full Name: Contoso - Organization: Contoso - - Internet Explorer home page: http://www.contoso.com - - Admin Password: pass@word1 - + - Internet Explorer home page: `http://www.contoso.com` + - Admin Password: pass@word1 + ### Configure the MDT production deployment share -1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: +1. On SRV1, open an elevated Windows PowerShell prompt and enter the following commands: ```powershell copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force - ``` + ``` + 2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then select **Properties**. 3. Select the **Rules** tab and replace the rules with the following text (don't select OK yet): - ```text + ```ini [Settings] Priority=Default @@ -341,13 +352,13 @@ This procedure will demonstrate how to deploy the reference image to the PoC env If desired, edit the following line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (`ue`) all users except for CONTOSO users specified by the user include option (ui): - ```console + ```cmd ScanStateArgs=/ue:*\* /ui:CONTOSO\* ``` For example, to migrate **all** users on the computer, replace this line with the following line: - ```console + ```cmd ScanStateArgs=/all ``` @@ -355,7 +366,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 4. Select **Edit Bootstap.ini** and replace text in the file with the following text: - ```text + ```ini [Settings] Priority=Default @@ -367,7 +378,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env SkipBDDWelcome=YES ``` -5. Select **OK** when finished. +5. Select **OK** when finished. ### Update the deployment share @@ -391,9 +402,9 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1: - ```powershell - WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall" - WDSUTIL /Set-Server /AnswerClients:All + ```cmd + WDSUTIL.exe /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall" + WDSUTIL.exe /Set-Server /AnswerClients:All ``` 2. Select **Start**, type **Windows Deployment**, and then select **Windows Deployment Services**. @@ -404,12 +415,12 @@ This procedure will demonstrate how to deploy the reference image to the PoC env ### Deploy the client image -1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This configuration is just an artifact of the lab environment. In a typical deployment environment WDS wouldn't be installed on the default gateway. +1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This configuration is just an artifact of the lab environment. In a typical deployment environment WDS wouldn't be installed on the default gateway. > [!NOTE] - > Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress** + > Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, enter **`Get-NetIPAddress | ft interfacealias, ipaddress** in a PowerShell prompt. - Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command: + Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and enter the following command: ```powershell Disable-NetAdapter "Ethernet 2" -Confirm:$false @@ -417,7 +428,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env >Wait until the disable-netadapter command completes before proceeding. -2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt: +2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, enter the following commands at an elevated Windows PowerShell prompt: ```powershell New-VM -Name "PC2" -NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 @@ -437,7 +448,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then select **Next**. -6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. Re-enabling the external network adapter is needed so the client can use Windows Update after operating system installation is complete. To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command: +6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. Re-enabling the external network adapter is needed so the client can use Windows Update after operating system installation is complete. To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and enter the following command: ```powershell Enable-NetAdapter "Ethernet 2" @@ -453,7 +464,7 @@ This completes the demonstration of how to deploy a reference image to the netwo ## Refresh a computer with Windows 10 -This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). +This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). 1. If the PC1 VM isn't already running, then start and connect to it: @@ -462,7 +473,7 @@ This section will demonstrate how to export user data from an existing client co vmconnect localhost PC1 ``` -2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and performing additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: +2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and performing additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Checkpoint-VM -Name PC1 -SnapshotName BeginState @@ -472,10 +483,10 @@ This section will demonstrate how to export user data from an existing client co Specify **contoso\administrator** as the user name to ensure you don't sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share. -4. Open an elevated command prompt on PC1 and type the following command: +4. Open an elevated command prompt on PC1 and enter the following command: - ```console - cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs + ```cmd + cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs ``` > [!NOTE] @@ -498,13 +509,13 @@ This section will demonstrate how to export user data from an existing client co 8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share). -9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: +9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Checkpoint-VM -Name PC1 -SnapshotName RefreshState ``` -10. Restore the PC1 VM to its previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: +10. Restore the PC1 VM to its previous state in preparation for the replace procedure. To restore a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false @@ -516,15 +527,18 @@ This section will demonstrate how to export user data from an existing client co ## Replace a computer with Windows 10 -At a high level, the computer replace process consists of:
    +At a high level, the computer replace process consists of: + - A special replace task sequence that runs the USMT backup and an optional full Windows Imaging (WIM) backup.
    - A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored. ### Create a backup-only task sequence 1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, select **Properties**, select the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**. + 2. Select **OK**, right-click **MDT Production**, select **Update Deployment Share** and accept the default options in the wizard to update the share. -3. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + +3. enter the following commands at an elevated Windows PowerShell prompt on SRV1: ```powershell New-Item -Path C:\MigData -ItemType directory @@ -533,45 +547,56 @@ At a high level, the computer replace process consists of:
    ``` 4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and select **New Folder**. + 5. Name the new folder **Other**, and complete the wizard using default options. + 6. Right-click the **Other** folder and then select **New Task Sequence**. Use the following values in the wizard: + - **Task sequence ID**: REPLACE-001 - **Task sequence name**: Backup Only Task Sequence - **Task sequence comments**: Run USMT to back up user data and settings - **Template**: Standard Client Replace Task Sequence (note: this template isn't the default template) + 7. Accept defaults for the rest of the wizard and then select **Finish**. The replace task sequence will skip OS selection and settings. -8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Select **OK** when you're finished reviewing the task sequence. + +8. Open the new task sequence that was created and review it. Note the enter of capture and backup tasks that are present. Select **OK** when you're finished reviewing the task sequence. ### Run the backup-only task sequence -1. If you aren't already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt: +1. If you aren't already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, enter the following command at an elevated command prompt: - ```console - whoami + ```cmd + whoami.exe ``` -2. To ensure a clean environment before running the backup task sequence, type the following commands at an elevated Windows PowerShell prompt on PC1: + +2. To ensure a clean environment before running the backup task sequence, enter the following commands at an elevated Windows PowerShell prompt on PC1: ```powershell Remove-Item c:\minint -recurse Remove-Item c:\_SMSTaskSequence -recurse Restart-Computer ``` -3. Sign in to PC1 using the contoso\administrator account, and then type the following command at an elevated command prompt: - ```console - cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs +3. Sign in to PC1 using the contoso\administrator account, and then enter the following command at an elevated command prompt: + + ```cmd + cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs ``` 4. Complete the deployment wizard using the following settings: + - **Task Sequence**: Backup Only Task Sequence - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1** - **Computer Backup**: Don't back up the existing computer. + 5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and select the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. + 6. On PC1, verify that **The user state capture was completed successfully** is displayed, and select **Finish** when the capture is complete. + 7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: - ```powershell - PS C:\> dir C:\MigData\PC1\USMT + ```cmd + dir C:\MigData\PC1\USMT Directory: C:\MigData\PC1\USMT @@ -580,16 +605,16 @@ At a high level, the computer replace process consists of:
    -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG ``` -### Deploy PC3 +### Deploy PC3 -1. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt: +1. On the Hyper-V host, enter the following commands at an elevated Windows PowerShell prompt: ```powershell New-VM -Name "PC3" -NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 ``` -2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1: +2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, enter the following command at an elevated Windows PowerShell prompt on SRV1: ```powershell Disable-NetAdapter "Ethernet 2" -Confirm:$false @@ -628,6 +653,7 @@ At a high level, the computer replace process consists of:
    ## Troubleshooting logs, events, and utilities Deployment logs are available on the client computer in the following locations: + - Before the image is applied: X:\MININT\SMSOSD\OSDLOGS - After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS - After deployment: %WINDIR%\TEMP\DeploymentLogs diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index c33a3b8242..46c6a2b39c 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -9,16 +9,16 @@ manager: aaroncz ms.author: frankroj author: frankroj ms.topic: tutorial -ms.date: 10/31/2022 +ms.date: 11/23/2022 --- # Deploy Windows 10 in a test lab using Configuration Manager -*Applies to* +*Applies to:* - Windows 10 -> [!Important] +> [!IMPORTANT] > This guide uses the proof of concept (PoC) environment, and some settings that are configured in the following guides: > > - [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) @@ -59,7 +59,7 @@ The procedures in this guide are summarized in the following table. An estimate ## Install prerequisites -1. Before installing Microsoft Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1: +1. Before installing Microsoft Configuration Manager, we must install prerequisite services and features. Enter the following command at an elevated Windows PowerShell prompt on SRV1: ```powershell Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ @@ -69,7 +69,7 @@ The procedures in this guide are summarized in the following table. An estimate > If the request to add features fails, retry the installation by typing the command again. 2. Download [SQL Server 2014 SP2](https://www.microsoft.com/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory. -3. When you've downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: +3. When you've downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso @@ -77,15 +77,15 @@ The procedures in this guide are summarized in the following table. An estimate This command mounts the .ISO file to drive D on SRV1. -4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server: +4. Enter the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server: - ```powershell + ```cmd D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms ``` Installation will take several minutes. When installation is complete, the following output will be displayed: - ```dos + ```console Microsoft (R) SQL Server 2014 12.00.5000.00 Copyright (c) Microsoft Corporation. All rights reserved. @@ -99,10 +99,9 @@ The procedures in this guide are summarized in the following table. An estimate Success One or more affected files have operations pending. You should restart your computer to complete this process. - PS C:\> ``` -5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: +5. Enter the following commands at an elevated Windows PowerShell prompt on SRV1: ```powershell New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action allow @@ -124,13 +123,13 @@ The procedures in this guide are summarized in the following table. An estimate Stop-Process -Name Explorer ``` -1. Download [Microsoft Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1. +2. Download [Microsoft Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1. -1. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished. +3. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished. -1. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**: +4. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**: - ```dos + ```powershell Get-Service Winmgmt Status Name DisplayName @@ -157,36 +156,48 @@ The procedures in this guide are summarized in the following table. An estimate If the WMI service isn't started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information. -1. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt: +5. To extend the Active Directory schema, enter the following command at an elevated Windows PowerShell prompt: - ```powershell - cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe + ```cmd + C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe ``` -1. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1: +6. Temporarily switch to the DC1 VM, and enter the following command at an elevated command prompt on DC1: - ```dos + ```cmd adsiedit.msc ``` -1. Right-click **ADSI Edit**, select **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then select **OK**. -1. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then select **Object**. -1. Select **container** and then select **Next**. -1. Next to **Value**, type **System Management**, select **Next**, and then select **Finish**. -1. Right-click **CN=system Management** and then select **Properties**. -1. On the **Security** tab, select **Add**, select **Object Types**, select **Computers**, and select **OK**. -1. Under **Enter the object names to select**, type **SRV1** and select **OK**. -1. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**. -1. Select **Advanced**, select **SRV1 (CONTOSO\SRV1$)** and select **Edit**. -1. Next to **Applies to**, choose **This object and all descendant objects**, and then select **OK** three times. -1. Close the ADSI Edit console and switch back to SRV1. -1. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1: +7. Right-click **ADSI Edit**, select **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then select **OK**. - ```powershell - cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe +8. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then select **Object**. + +9. Select **container** and then select **Next**. + +10. Next to **Value**, enter **System Management**, select **Next**, and then select **Finish**. + +11. Right-click **CN=system Management** and then select **Properties**. + +12. On the **Security** tab, select **Add**, select **Object Types**, select **Computers**, and select **OK**. + +13. Under **Enter the object names to select**, enter **SRV1** and select **OK**. + +14. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**. + +15. Select **Advanced**, select **SRV1 (CONTOSO\SRV1$)** and select **Edit**. + +16. Next to **Applies to**, choose **This object and all descendant objects**, and then select **OK** three times. + +17. Close the ADSI Edit console and switch back to SRV1. + +18. To start Configuration Manager installation, enter the following command at an elevated Windows PowerShell prompt on SRV1: + + ```cmd + C:\configmgr\SMSSETUP\BIN\X64\Setup.exe ``` -1. Provide the following information in the Configuration Manager Setup Wizard: +19. Provide the following information in the Configuration Manager Setup Wizard: + - **Before You Begin**: Read the text and select *Next*. - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox. - Select **Yes** in response to the popup window. @@ -206,7 +217,7 @@ The procedures in this guide are summarized in the following table. An estimate Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Select **Close** when installation is complete. -1. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1: +20. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1: ```powershell Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1 @@ -217,24 +228,30 @@ The procedures in this guide are summarized in the following table. An estimate > [!IMPORTANT] > This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/). + 1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host. -2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: +2. Enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: ```powershell Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso ``` -3. Type the following command at an elevated Windows PowerShell prompt on SRV1: +3. Enter the following command at an elevated Windows PowerShell prompt on SRV1: - ```powershell - cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi" + ```cmd + D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi ``` 4. Install DaRT 10 using default settings. -5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + +5. Enter the following commands at an elevated Windows PowerShell prompt on SRV1: ```powershell Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64" @@ -247,7 +264,7 @@ This section contains several procedures to support Zero Touch installation with ### Create a folder structure -1. Type the following commands at a Windows PowerShell prompt on SRV1: +1. Enter the following commands at a Windows PowerShell prompt on SRV1: ```powershell New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot" @@ -262,56 +279,78 @@ This section contains several procedures to support Zero Touch installation with ### Enable MDT ConfigMgr integration -1. On SRV1, select **Start**, type `configmgr`, and then select **Configure ConfigMgr Integration**. -2. Type `PS1` as the **Site code**, and then select **Next**. +1. On SRV1, select **Start**, enter `configmgr`, and then select **Configure ConfigMgr Integration**. + +2. Enter `PS1` as the **Site code**, and then select **Next**. + 3. Verify **The process completed successfully** is displayed, and then select **Finish**. ### Configure client settings -1. On SRV1, select **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then select **Pin to Taskbar**. +1. On SRV1, select **Start**, enter **configuration manager**, right-click **Configuration Manager Console**, and then select **Pin to Taskbar**. + 2. Select **Desktop**, and then launch the Configuration Manager console from the taskbar. + 3. If the console notifies you that an update is available, select **OK**. It isn't necessary to install updates to complete this lab. + 4. In the console tree, open the **Administration** workspace (in the lower left corner) and select **Client Settings**. + 5. In the display pane, double-click **Default Client Settings**. -6. Select **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then select **OK**. + +6. Select **Computer Agent**, next to **Organization name displayed in Software Center** enter **Contoso**, and then select **OK**. ### Configure the network access account 1. in the **Administration** workspace, expand **Site Configuration** and select **Sites**. + 2. On the **Home** ribbon at the top of the console window, select **Configure Site Components** and then select **Software Distribution**. + 3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**. + 4. Select the yellow starburst and then select **New Account**. -5. Select **Browse** and then under **Enter the object name to select**, type **CM_NAA** and select **OK**. -6. Next to **Password** and **Confirm Password**, type **pass\@word1**, and then select **OK** twice. + +5. Select **Browse** and then under **Enter the object name to select**, enter **CM_NAA** and select **OK**. + +6. Next to **Password** and **Confirm Password**, enter **pass\@word1**, and then select **OK** twice. ### Configure a boundary group 1. in the **Administration** workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then select **Create Boundary**. -2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then select **Browse**. + +2. Next to **Description**, enter **PS1**, next to **Type** choose **Active Directory Site**, and then select **Browse**. + 3. Choose **Default-First-Site-Name** and then select **OK** twice. + 4. in the **Administration** workspace, right-click **Boundary Groups** and then select **Create Boundary Group**. -5. Next to **Name**, type **PS1 Site Assignment and Content Location**, select **Add**, select the **Default-First-Site-Name** boundary and then select **OK**. + +5. Next to **Name**, enter **PS1 Site Assignment and Content Location**, select **Add**, select the **Default-First-Site-Name** boundary and then select **OK**. + 6. On the **References** tab in the **Create Boundary Group** window, select the **Use this boundary group for site assignment** checkbox. + 7. Select **Add**, select the **\\\SRV1.contoso.com** checkbox, and then select **OK** twice. ### Add the state migration point role 1. in the **Administration** workspace, expand **Site Configuration**, select **Sites**, and then in on the **Home** ribbon at the top of the console select **Add Site System Roles**. + 2. In the Add site System Roles Wizard, select **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox. -3. Select **Next**, select the yellow starburst, type **C:\MigData** for the **Storage folder**, and select **OK**. + +3. Select **Next**, select the yellow starburst, enter **C:\MigData** for the **Storage folder**, and select **OK**. + 4. Select **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed. + 5. Select **Next** twice and then select **Close**. ### Enable PXE on the distribution point > [!IMPORTANT] -> Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, type the following commands at an elevated Windows PowerShell prompt on SRV1: +> Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, enter the following commands at an elevated Windows PowerShell prompt on SRV1: -```powershell -WDSUTIL /Set-Server /AnswerClients:None +```cmd +WDSUTIL.exe /Set-Server /AnswerClients:None ``` -1. Determine the MAC address of the internal network adapter on SRV1. Type the following command at an elevated Windows PowerShell prompt on SRV1: +1. Determine the MAC address of the internal network adapter on SRV1. Enter the following command at an elevated Windows PowerShell prompt on SRV1: ```powershell (Get-NetAdapter "Ethernet").MacAddress @@ -321,8 +360,11 @@ WDSUTIL /Set-Server /AnswerClients:None > If the internal network adapter, assigned an IP address of 192.168.0.2, isn't named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**. 2. In the Configuration Manager console, in the **Administration** workspace, select **Distribution Points**. + 3. In the display pane, right-click **SRV1.CONTOSO.COM** and then select **Properties**. + 4. On the PXE tab, select the following settings: + - **Enable PXE support for clients**. Select **Yes** in the popup that appears. - **Allow this distribution point to respond to incoming PXE requests** - **Enable unknown computer support**. Select **OK** in the popup that appears. @@ -334,10 +376,11 @@ WDSUTIL /Set-Server /AnswerClients:None ![Config Mgr PXE.](images/configmgr-pxe.png) 5. Select **OK**. -6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: - ```powershell - cmd /c dir /b C:\RemoteInstall\SMSBoot\x64 +6. Wait for a minute, then enter the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: + + ```cmd + dir /b C:\RemoteInstall\SMSBoot\x64 abortpxe.com bootmgfw.efi @@ -349,12 +392,12 @@ WDSUTIL /Set-Server /AnswerClients:None ``` > [!NOTE] - > If these files aren't present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing `net share REMINST` at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path. + > If these files aren't present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing `net.exe share REMINST` at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path. > - > You can also type the following command at an elevated Windows PowerShell prompt to open the CMTrace. In the tool, select **File**, select **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red: + > You can also enter the following command at an elevated Windows PowerShell prompt to open CMTrace. In the tool, select **File**, select **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red: > - > ```powershell - > Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' + > ```cmd + > "C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe" > ``` > > The log file is updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically recheck that the files are present in the REMINST share location. Close CMTrace when done. You'll see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files: @@ -366,7 +409,8 @@ WDSUTIL /Set-Server /AnswerClients:None ### Create a branding image file 1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a branding image. -2. Type the following command at an elevated Windows PowerShell prompt: + +2. Enter the following command at an elevated Windows PowerShell prompt: ```powershell Copy-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" -Destination "C:\Sources\OSD\Branding\contoso.bmp" @@ -378,16 +422,26 @@ WDSUTIL /Set-Server /AnswerClients:None ### Create a boot image for Configuration Manager 1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then select **Create Boot Image using MDT**. -2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then select **Next**. + +2. On the Package Source page, under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then select **Next**. + - The Zero Touch WinPE x64 folder doesn't yet exist. The folder will be created later. -3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and select **Next**. + +3. On the General Settings page, enter **Zero Touch WinPE x64** next to **Name**, and select **Next**. + 4. On the Options page, under **Platform** choose **x64**, and select **Next**. + 5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and select **Next**. -6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then select **Next** twice. It will take a few minutes to generate the boot image. + +6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, enter or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then select **Next** twice. It will take a few minutes to generate the boot image. + 7. Select **Finish**. + 8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then select **Distribute Content**. + 9. In the Distribute Content Wizard, select **Next**, select **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, select **OK**, select **Next** twice, and then select **Close**. -10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1: + +10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, enter the following command at an elevated Windows PowerShell prompt on SRV1: ```powershell Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' @@ -400,12 +454,15 @@ WDSUTIL /Set-Server /AnswerClients:None ``` 11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. + 12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then select the **Data Source** tab. + 13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and select **OK**. + 14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example: - ```console - cmd /c dir /s /b C:\RemoteInstall\SMSImages + ```cmd + dir /s /b C:\RemoteInstall\SMSImages C:\RemoteInstall\SMSImages\PS100004 C:\RemoteInstall\SMSImages\PS100005 @@ -422,19 +479,19 @@ WDSUTIL /Set-Server /AnswerClients:None If you've already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you've already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 OS image](#add-a-windows-10-os-image). If you've not yet created a Windows 10 reference image, complete the steps in this section. -1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: +1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and enter the following command: ```powershell Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso ``` -1. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D. +2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D. -1. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**. +3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, enter **deployment**, and then select **Deployment Workbench**. -1. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. +4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. -1. Use the following settings for the New Deployment Share Wizard: +5. Use the following settings for the New Deployment Share Wizard: - Deployment share path: **C:\MDTBuildLab** - Share name: **MDTBuildLab$** - Deployment share description: **MDT build lab** @@ -443,22 +500,23 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr - Progress: settings will be applied - Confirmation: Select **Finish** -1. Expand the **Deployment Shares** node, and then expand **MDT build lab**. +6. Expand the **Deployment Shares** node, and then expand **MDT build lab**. -1. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**. +7. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**. -1. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**. +8. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**. -1. Use the following settings for the Import Operating System Wizard: +9. Use the following settings for the Import Operating System Wizard: - OS Type: **Full set of source files** - Source: **D:\\** - Destination: **W10Ent_x64** - Summary: Select **Next** - Confirmation: Select **Finish** -1. For purposes of this test lab, we won't add applications, such as Microsoft Office, to the deployment share. For more information about adding applications, see [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications). +10. For purposes of this test lab, we won't add applications, such as Microsoft Office, to the deployment share. For more information about adding applications, see [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications). + +11. The next step is to create a task sequence to reference the OS that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: -1. The next step is to create a task sequence to reference the OS that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - Task sequence ID: **REFW10X64-001** - Task sequence name: **Windows 10 Enterprise x64 Default Image** - Task sequence comments: **Reference Build** @@ -467,31 +525,31 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr - Specify Product Key: **Do not specify a product key at this time** - Full Name: **Contoso** - Organization: **Contoso** - - Internet Explorer home page: **http://www.contoso.com** + - Internet Explorer home page: **`http://www.contoso.com`** - Admin Password: **Do not specify an Administrator password at this time** - Summary: Select **Next** - Confirmation: Select **Finish** -1. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. +12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. -1. Select the **Task Sequence** tab. Under **State Restore**, select **Tattoo** to highlight it, then select **Add** and choose **New Group**. A new group will be added under Tattoo. +13. Select the **Task Sequence** tab. Under **State Restore**, select **Tattoo** to highlight it, then select **Add** and choose **New Group**. A new group will be added under Tattoo. -1. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. To see the name change, select **Tattoo**, then select the new group again. +14. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. To see the name change, select **Tattoo**, then select the new group again. -1. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**. +15. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**. -1. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**. +16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**. -1. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. +17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. > [!NOTE] > Since we aren't installing applications in this test lab, there's no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you're also installing applications. -1. Select **OK** to complete editing the task sequence. +18. Select **OK** to complete editing the task sequence. -1. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and select **Properties**, and then select the **Rules** tab. +19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and select **Properties**, and then select the **Rules** tab. -1. Replace the default rules with the following text: +20. Replace the default rules with the following text: ```ini [Settings] @@ -526,7 +584,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr SkipFinalSummary=NO ``` -1. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: +21. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: ```ini [Settings] @@ -540,18 +598,18 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr SkipBDDWelcome=YES ``` -1. Select **OK** to complete the configuration of the deployment share. +22. Select **OK** to complete the configuration of the deployment share. -1. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**. +23. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**. -1. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, select **Finish**. +24. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, select **Finish**. -1. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). +25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). > [!TIP] > To copy the file, right-click the **LiteTouchPE_x86.iso** file, and select **Copy** on SRV1. Then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder, and select **Paste**. -1. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: +26. Open a Windows PowerShell prompt on the Hyper-V host computer and enter the following commands: ```powershell New-VM -Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB @@ -561,9 +619,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr vmconnect localhost REFW10X64-001 ``` -1. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**. +27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**. -1. Accept the default values on the Capture Image page, and select **Next**. OS installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally, don't press a key. The process is fully automated. +28. Accept the default values on the Capture Image page, and select **Next**. OS installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally, don't press a key. The process is fully automated. Other system restarts will occur to complete updating and preparing the OS. Setup will complete the following procedures: @@ -579,7 +637,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr ### Add a Windows 10 OS image -1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: +1. Enter the following commands at an elevated Windows PowerShell prompt on SRV1: ```powershell New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64" @@ -588,9 +646,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then select **Add Operating System Image**. -3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and select **Next**. +3. On the Data Source page, under **Path:**, enter or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and select **Next**. -4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, select **Next** twice, and then select **Close**. +4. On the General page, next to **Name:**, enter **Windows 10 Enterprise x64**, select **Next** twice, and then select **Close**. 5. Distribute the OS image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** OS image and then clicking **Distribute Content**. @@ -610,9 +668,10 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 2. On the Choose Template page, select the **Client Task Sequence** template and select **Next**. -3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then select **Next**. +3. On the General page, enter **Windows 10 Enterprise x64** under **Task sequence name:** and then select **Next**. 4. On the Details page, enter the following settings: + - Join a domain: **contoso.com** - Account: Select **Set** - User name: **contoso\CM_JD** @@ -632,9 +691,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, select **OK**, and then select **Next**. -7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then select **Next**. +7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then select **Next**. -8. On the MDT Details page, next to **Name:** type **MDT** and then select **Next**. +8. On the MDT Details page, next to **Name:** enter **MDT** and then select **Next**. 9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, select **OK**, and then select **Next**. @@ -644,9 +703,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, select **OK**, and then select **Next**. -13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then select **Next**. +13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then select **Next**. -14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and select **Next**. +14. On the Settings Details page, next to **Name:**, enter **Windows 10 x64 Settings**, and select **Next**. 15. On the Sysprep Package page, select **Next** twice. @@ -663,6 +722,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 4. In the **State Restore** group, select the **Set Status 5** action, select **Add** in the upper left corner, point to **User State**, and select **Request State Store**. This action adds a new step immediately after **Set Status 5**. 5. Configure this **Request State Store** step with the following settings: + - Request state storage location to: **Restore state from another computer** - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox. - Options tab: Select the **Continue on error** checkbox. @@ -676,6 +736,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 6. In the **State Restore** group, select **Restore User State**, select **Add**, point to **User State**, and select **Release State Store**. 7. Configure this **Release State Store** step with the following settings: + - Options tab: Select the **Continue on error** checkbox. - Add Condition: **Task Sequence Variable**: - Variable: **USMTLOCAL** @@ -704,10 +765,10 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 4. Select the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then select **OK**. -5. Type the following command at an elevated Windows PowerShell prompt on SRV1: +5. Enter the following command at an elevated Windows PowerShell prompt on SRV1: - ```powershell - notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini" + ```cmd + notepad.exe "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini" ``` 6. Replace the contents of the file with the following text, and then save the file: @@ -735,9 +796,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr > OSDMigrateAdditionalCaptureOptions=/all > ``` -7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, select **Packages**, right-click **Windows 10 x64 Settings**, and then select **Update Distribution Points**. Select **OK** in the popup that appears. +7. Return to the Configuration Manager console, and in the **Software Library** workspace, expand **Application Management**, select **Packages**, right-click **Windows 10 x64 Settings**, and then select **Update Distribution Points**. Select **OK** in the popup that appears. -8. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Distribute Content**. +8. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Distribute Content**. 9. In the Distribute Content Wizard, select **Next** twice, select **Add**, select **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, select **OK**, select **Next** twice and then select **Close**. @@ -745,7 +806,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr ### Create a deployment for the task sequence -1. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Deploy**. +1. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Deploy**. 2. On the General page, next to **Collection**, select **Browse**, select the **All Unknown Computers** collection, select **OK**, and then select **Next**. @@ -761,7 +822,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr In this first deployment scenario, you'll deploy Windows 10 using PXE. This scenario creates a new computer that doesn't have any migrated users or settings. -1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: +1. Enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell New-VM -Name "PC4" -NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 @@ -776,7 +837,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen 4. Before you select **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open. -5. At the command prompt, type **explorer.exe** and review the Windows PE file structure. +5. At the command prompt, enter **explorer.exe** and review the Windows PE file structure. 6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations: - X:\Windows\temp\SMSTSLog\smsts.log before disks are formatted. @@ -796,6 +857,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen 10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequence Wizard. Select **Next** to continue with the deployment. 11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will: + - Install Windows 10 - Install the Configuration Manager client and hotfix - Join the computer to the contoso.com domain @@ -803,7 +865,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen 12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account. -13. Right-click **Start**, select **Run**, type **control appwiz.cpl**, press ENTER, select **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This feature is included in the reference image. +13. Right-click **Start**, select **Run**, enter **control appwiz.cpl**, press ENTER, select **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This feature is included in the reference image. 14. Shut down the PC4 VM. @@ -821,19 +883,25 @@ In the replace procedure, PC1 won't be migrated to a new OS. It's simplest to pe ### Create a replace task sequence -1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then select **Create MDT Task Sequence**. +1. On SRV1, in the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and then select **Create MDT Task Sequence**. 2. On the Choose Template page, select **Client Replace Task Sequence** and select **Next**. -3. On the General page, type the following information: +3. On the General page, enter the following information: + - Task sequence name: **Replace Task Sequence** - Task sequence comments: **USMT backup only** 4. Select **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Select **OK** and then select **Next** to continue. + 5. On the MDT Package page, browse and select the **MDT** package. Select **OK** and then select **Next** to continue. + 6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Select **OK** and then select **Next** to continue. + 7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Select **OK** and then select **Next** to continue. + 8. On the Summary page, review the details and then select **Next**. + 9. On the Confirmation page, select **Finish**. > [!NOTE] @@ -841,7 +909,7 @@ In the replace procedure, PC1 won't be migrated to a new OS. It's simplest to pe ### Deploy PC4 -Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: +Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell New-VM -Name "PC4" -NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 @@ -856,61 +924,66 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 1. Verify that the PC1 VM is running and in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md). -1. If you haven't already saved a checkpoint for PC1, then do it now. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: +2. If you haven't already saved a checkpoint for PC1, then do it now. Enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Checkpoint-VM -Name PC1 -SnapshotName BeginState ``` -1. On SRV1, in the Configuration Manager console, in the **Administration** workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**. -1. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. -1. Select the yellow starburst, select **Browse**, select **contoso\Computers**, and then select **OK** three times. -1. When a popup dialog box asks if you want to run full discovery, select **Yes**. -1. In the Assets and Compliance workspace, select **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): +3. On SRV1, in the Configuration Manager console, in the **Administration** workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**. + +4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. + +5. Select the yellow starburst, select **Browse**, select **contoso\Computers**, and then select **OK** three times. + +6. When a popup dialog box asks if you want to run full discovery, select **Yes**. + +7. In the **Assets and Compliance** workspace, select **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): > [!TIP] > If you don't see the computer account for PC1, select **Refresh** in the upper right corner of the console. The **Client** column indicates that the Configuration Manager client isn't currently installed. This procedure will be carried out next. -1. Sign in to PC1 using the contoso\administrator account and type the following command at an elevated command prompt to remove any pre-existing client configuration, if it exists. +8. Sign in to PC1 using the contoso\administrator account and enter the following command at an elevated command prompt to remove any pre-existing client configuration, if it exists. > [!Note] - > This command requires an elevated _command prompt_, not an elevated Windows PowerShell prompt. + > This command requires an elevated command prompt, not an elevated Windows PowerShell prompt. - ```dos - sc stop ccmsetup + ```cmd + sc.exe stop ccmsetup "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall ``` > [!NOTE] > If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by `CCMSetup /Uninstall` and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the Configuration Manager client](/archive/blogs/michaelgriswold/manual-removal-of-the-sccm-client). -1. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, type: +9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, enter: - ```dos - net stop wuauserv - net stop BITS + ```cmd + net.exe stop wuauserv + net.exe stop BITS ``` - Verify that both services were stopped successfully, then type the following command at an elevated command prompt: + Verify that both services were stopped successfully, then enter the following command at an elevated command prompt: - ```dos + ```cmd del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" - net start BITS - bitsadmin /list /allusers + net.exe start BITS + bitsadmin.exe /list /allusers ``` Verify that BITSAdmin displays zero jobs. -1. To install the Configuration Manager client as a standalone process, type the following command at an elevated command prompt: +10. To install the Configuration Manager client as a standalone process, enter the following command at an elevated command prompt: - ```dos + ```cmd "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1 ``` -1. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. -1. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress: +11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. + +12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can enter the following command at an elevated Windows PowerShell prompt to monitor installation progress: ```powershell Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait @@ -918,21 +991,21 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This behavior is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file. Then press **CTRL-C** to break out of the Get-Content operation. If you're viewing the log file in Windows PowerShell, the last line will be wrapped. A return code of `0` indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site. -1. On PC1, open the Configuration Manager control panel applet by typing the following command from a command prompt: +13. On PC1, open the Configuration Manager control panel applet by typing the following command from a command prompt: - ```dos - control smscfgrc + ```cmd + control.exe smscfgrc ``` -1. Select the **Site** tab, select **Configure Settings**, and select **Find Site**. The client will report that it has found the PS1 site. See the following example: +14. Select the **Site** tab, select **Configure Settings**, and select **Find Site**. The client will report that it has found the PS1 site. See the following example: ![site.](images/configmgr-site.png) If the client isn't able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the client can't locate the site code is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode**, delete or update this entry. -1. On SRV1, in the Assets and Compliance workspace, select **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**. +15. On SRV1, in the **Assets and Compliance** workspace, select **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**. -1. Select **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: +16. Select **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: ![client.](images/configmgr-client.png) @@ -941,9 +1014,10 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF ### Create a device collection and deployment -1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then select **Create Device Collection**. +1. On SRV1, in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Device Collections** and then select **Create Device Collection**. 2. Use the following settings in the **Create Device Collection Wizard**: + - General > Name: **Install Windows 10 Enterprise x64** - General > Limiting collection: **All Systems** - Membership Rules > Add Rule: **Direct Rule** @@ -956,7 +1030,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed. -4. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64** and then select **Deploy**. +4. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64** and then select **Deploy**. 5. Use the following settings in the Deploy Software wizard: - General > Collection: Select Browse and select **Install Windows 10 Enterprise x64** @@ -971,24 +1045,25 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF ### Associate PC4 with PC1 -1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then select **Import Computer Information**. +1. On SRV1 in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Devices** and then select **Import Computer Information**. 2. On the Select Source page, choose **Import single computer** and select **Next**. 3. On the Single Computer page, use the following settings: + - Computer Name: **PC4** - MAC Address: **00:15:5D:83:26:FF** - - Source Computer: \ + - Source Computer: \ 4. Select **Next**, and on the User Accounts page choose **Capture and restore specified user accounts**, then select the yellow starburst next to **User accounts to migrate**. -5. Select **Browse** and then under Enter the object name to select type **user1** and select OK twice. +5. Select **Browse** and then under **Enter the object name to select** enter **user1** and select **OK** twice. 6. Select the yellow starburst again and repeat the previous step to add the **contoso\administrator** account. 7. Select **Next** twice, and on the Choose Target Collection page, choose **Add computers to the following collection**, select **Browse**, choose **Install Windows 10 Enterprise x64**, select **OK**, select **Next** twice, and then select **Close**. -8. In the Assets and Compliance workspace, select **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration type will be **side-by-side**. +8. In the **Assets and Compliance** workspace, select **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration enter will be **side-by-side**. 9. Right-click the association in the display pane and then select **Specify User Accounts**. You can add or remove user account here. Select **OK**. @@ -1000,9 +1075,10 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF ### Create a device collection for PC1 -1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then select **Create Device Collection**. +1. On SRV1, in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Device Collections** and then select **Create Device Collection**. 2. Use the following settings in the **Create Device Collection Wizard**: + - General > Name: **USMT Backup (Replace)** - General > Limiting collection: **All Systems** - Membership Rules > Add Rule: **Direct Rule** @@ -1032,15 +1108,15 @@ In the Configuration Manager console, in the **Software Library** workspace, und 1. On PC1, open the Configuration Manager control panel applet by typing the following command in a command prompt: - ```dos - control smscfgrc + ```cmd + control.exe smscfgrc ``` 2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, select **OK**, and then select **OK** again. This method is one that you can use to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure. -3. Type the following command at an elevated command prompt to open the Software Center: +3. Enter the following command at an elevated command prompt to open the Software Center: - ```dos + ```cmd C:\Windows\CCM\SCClient.exe ``` @@ -1052,26 +1128,30 @@ In the Configuration Manager console, in the **Software Library** workspace, und > If you don't see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available. 5. Select **INSTALL SELECTED** and then select **INSTALL OPERATING SYSTEM**. + 6. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup. ### Deploy the new computer -1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: +1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Start-VM PC4 vmconnect localhost PC4 ``` -1. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and select **Next**. -1. Choose the **Windows 10 Enterprise X64** image. -1. Setup will install the OS using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. -1. Save checkpoints for all VMs if you wish to review their status at a later date. This action isn't required, as checkpoints do take up space on the Hyper-V host. +2. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and select **Next**. + +3. Choose the **Windows 10 Enterprise X64** image. + +4. Setup will install the OS using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. + +5. Save checkpoints for all VMs if you wish to review their status at a later date. This action isn't required, as checkpoints do take up space on the Hyper-V host. > [!Note] > The next procedure will install a new OS on PC1, and update its status in Configuration Manager and in Active Directory as a Windows 10 device. So you can't return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this action for all VMs. - To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + To save a checkpoint for all VMs, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Checkpoint-VM -Name DC1 -SnapshotName cm-refresh @@ -1083,14 +1163,17 @@ In the Configuration Manager console, in the **Software Library** workspace, und ### Initiate the computer refresh -1. On SRV1, in the Assets and Compliance workspace, select **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. +1. On SRV1, in the **Assets and Compliance** workspace, select **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. + 2. Right-click the computer account for PC1, point to **Client Notification**, select **Download Computer Policy**, and select **OK** in the popup dialog box. + 3. On PC1, in the notification area, select **New software is available** and then select **Open Software Center**. + 4. In the Software Center, select **Operating Systems**, select **Windows 10 Enterprise x64**, select **Install** and then select **INSTALL OPERATING SYSTEM**. See the following example: ![installOS.](images/configmgr-install-os.png) - The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then select **More Details**. Select the **Status** tab to see a list of tasks that have been performed. See the following example: + The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the **Monitoring** workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then select **More Details**. Select the **Status** tab to see a list of tasks that have been performed. See the following example: ![asset.](images/configmgr-asset.png) diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 376a7ff9c4..0998486d71 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -9,12 +9,12 @@ ms.prod: windows-client ms.technology: itpro-deploy ms.localizationpriority: medium ms.topic: tutorial -ms.date: 10/31/2022 +ms.date: 11/23/2022 --- # Step by step guide: Configure a test lab to deploy Windows 10 -*Applies to* +*Applies to:* - Windows 10 @@ -69,6 +69,7 @@ The procedures in this guide are summarized in the following table. An estimate One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process. - **Computer 1**: the computer you'll use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor. + - **Computer 2**: a client computer from your network. It's shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you don't have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you can't create this VM using computer 2. Hardware requirements are displayed below: @@ -92,7 +93,9 @@ The lab architecture is summarized in the following diagram: ![PoC diagram.](images/poc.png) - Computer 1 is configured to host four VMs on a private, PoC network. + - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. + - Two VMs are client systems: One VM is intended to mirror a host on your network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario. > [!NOTE] @@ -120,8 +123,8 @@ Starting with Windows 8, the host computer's microprocessor must support second 1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: - ```console - C:\>systeminfo + ```cmd + C:\>systeminfo.exe ... Hyper-V Requirements: VM Monitor Mode Extensions: Yes @@ -136,8 +139,8 @@ Starting with Windows 8, the host computer's microprocessor must support second You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example: - ```console - C:\>coreinfo -v + ```cmd + C:\>coreinfo.exe -v Coreinfo v3.31 - Dump information on system CPU and memory topology Copyright (C) 2008-2014 Mark Russinovich @@ -205,7 +208,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf The following example displays the procedures described in this section, both before and after downloading files: - ```console + ```cmd C:>mkdir VHD C:>cd VHD C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd @@ -225,13 +228,23 @@ When you have completed installation of Hyper-V on the host computer, begin conf If you don't have a PC available to convert to VM, do the following steps to download an evaluation VM: -1. Open the [Download virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) page. +1. Open the [Download virtual machines](https://developer.microsoft.com/microsoft-edge/tools/vms/) page. + + > [!NOTE] + > The above link may not be available in all locales. + 2. Under **Virtual machine**, choose **IE11 on Win7**. + 3. Under **Select platform**, choose **HyperV (Windows)**. + 4. Select **Download .zip**. The download is 3.31 GB. + 5. Extract the zip file. Three directories are created. + 6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory. + 7. Rename **IE11 - Win7.vhd** to **w7.vhd** (don't rename the file to w7.vhdx). + 8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**. If you have a PC available to convert to VM (computer 2): @@ -242,6 +255,7 @@ If you have a PC available to convert to VM (computer 2): > The account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the network. 2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required. + 3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk). #### Determine the VM generation and partition type @@ -256,6 +270,7 @@ When creating a VM in Hyper-V, you must specify either generation 1 or generatio If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM. - To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**. + - To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command: ```powershell @@ -265,7 +280,7 @@ If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to If the **Type** column doesn't indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT: ```powershell -PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type +Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type SystemName Caption Type ---------- ------- ---- @@ -276,7 +291,7 @@ USER-PC1 Disk #0, Partition #1 GPT On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format: ```powershell -PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type +Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type SystemName Caption Type ---------- ------- ---- @@ -293,34 +308,32 @@ Number Friendly Name OperationalStatus Tota 0 INTEL SSDSCMMW240A3L Online 223.57 GB GPT ``` - - -**Choosing a VM generation** +##### Choosing a VM generation The following tables display the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included. -**Windows 7 MBR** +###### Windows 7 MBR |Architecture|VM generation|Procedure| |--- |--- |--- | |32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)| |64|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)| -**Windows 7 GPT** +###### Windows 7 GPT |Architecture|VM generation|Procedure| |--- |--- |--- | |32|N/A|N/A| |64|1|[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)| -**Windows 8 or later MBR** +###### Windows 8 or later MBR |Architecture|VM generation|Procedure| |--- |--- |--- | |32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)| |64|1, 2|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)| -**Windows 8 or later GPT** +###### Windows 8 or later GPT |Architecture|VM generation|Procedure| |--- |--- |--- | @@ -347,7 +360,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS 3. Select the checkboxes next to the `C:\` and the **system reserved** (BIOS/MBR) volumes. The system volume isn't assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to `\?\Volume{`. See the following example. > [!IMPORTANT] - > You must include the system volume in order to create a bootable VHD. If this volume isn't displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). + > You must include the system volume in order to create a bootable VHD. If this volume isn't displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Choosing a VM generation](#choosing-a-vm-generation). 4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and select **Create**. See the following example: @@ -374,13 +387,14 @@ The following tables display the Hyper-V VM generation to choose based on the OS 2. On the computer you wish to convert, open an elevated command prompt and type the following command: - ```console - mountvol s: /s + ```cmd + mountvol.exe s: /s ``` This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s). 3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. + 4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy won't work if the EFI system partition is selected. > [!IMPORTANT] @@ -394,7 +408,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS 6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: - ```console + ```cmd C:\vhd>dir /B 2012R2-poc-1.vhd 2012R2-poc-2.vhd @@ -409,6 +423,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. 2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. + 3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. > [!NOTE] @@ -524,7 +539,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to > [!NOTE] > The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues. -5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT. +5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Choosing a VM generation](#choosing-a-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT. To create a generation 1 VM (using c:\vhd\w7.vhdx): @@ -574,19 +589,23 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to The VM will automatically boot into Windows Setup. In the PC1 window: 1. Select **Next**. + 2. Select **Repair your computer**. + 3. Select **Troubleshoot**. + 4. Select **Command Prompt**. + 5. Type the following command to save an image of the OS drive: - ```console - dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C + ```cmd + dism.exe /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C ``` 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR: - ```console - diskpart + ```cmd + diskpart.exe select disk 0 clean convert MBR @@ -601,14 +620,16 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to 7. Type the following commands to restore the OS image and boot files: - ```console - dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\ - bcdboot c:\windows + ```cmd + dism.exe /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\ + bcdboot.exe c:\windows exit ``` 8. Select **Continue** and verify the VM boots successfully. Don't boot from DVD. + 9. Select **Ctrl+Alt+Del**, and then in the bottom right corner, select **Shut down**. + 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1: ```powershell @@ -626,8 +647,14 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to ``` 2. Select **Next** to accept the default settings, read the license terms and select **I accept**, provide a strong administrator password, and select **Finish**. + 3. Select **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account. -4. Right-click **Start**, point to **Shut down or sign out**, and select **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, select **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It's only necessary to do this action the first time you sign in to a new VM. + +4. Right-click **Start**, point to **Shut down or sign out**, and select **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, select **Connect** and sign in again with the local Administrator account. + + > [!NOTE] + > Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It's only necessary to do this action the first time you sign in to a new VM. + 5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway: ```powershell @@ -690,7 +717,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to The following output should be displayed: - ```powershell + ```console UseRootHint : True Timeout(s) : 3 EnableReordering : True @@ -752,8 +779,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to To open Windows PowerShell on Windows 7, select **Start**, and search for "**power**." Right-click **Windows PowerShell** and then select **Pin to Taskbar** so that it's simpler to use Windows PowerShell during this lab. Select **Windows PowerShell** on the taskbar, and then type `ipconfig` at the prompt to see the client's current IP address. Also type `ping dc1.contoso.com` and `nltest /dsgetdc:contoso.com` to verify that it can reach the domain controller. See the following examples of a successful network connection: - ```console - ipconfig + ```cmd + ipconfig.exe Windows IP Configuration @@ -909,8 +936,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to 33. In most cases, this process completes configuration of the PoC network. However, if your network has a firewall that filters queries from local DNS servers, you'll also need to configure a server-level DNS forwarder on SRV1 to resolve internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example: - ```powershell - ping www.microsoft.com + ```cmd + ping.exe www.microsoft.com ``` If you see "Ping request couldn't find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you'll need to configure a server-level DNS forwarder on SRV1. To do this action, open an elevated Windows PowerShell prompt on SRV1 and type the following command. @@ -924,8 +951,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to 34. If DNS and routing are both working correctly, you'll see the following output on DC1 and PC1 (the IP address might be different, but that's OK): - ```powershell - PS C:\> ping www.microsoft.com + ```cmd + ping www.microsoft.com Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data: Reply from 23.222.146.170: bytes=32 time=3ms TTL=51 @@ -943,7 +970,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to 36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in three days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1: ```powershell - runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm" + runas.exe /noprofile /env /user:administrator@contoso.com "cmd.exe /c slmgr -rearm" Restart-Computer ``` @@ -963,7 +990,7 @@ Use the following procedures to verify that the PoC environment is configured pr Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com Get-DhcpServerInDC Get-DhcpServerv4Statistics - ipconfig /all + ipconfig.exe /all ``` **Get-Service** displays a status of "Running" for all three services. @@ -988,8 +1015,8 @@ Use the following procedures to verify that the PoC environment is configured pr Get-Service DNS,RemoteAccess Get-DnsServerForwarder Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com - ipconfig /all - netsh int ipv4 show address + ipconfig.exe /all + netsh.exe int ipv4 show address ``` **Get-Service** displays a status of "Running" for both services. @@ -1004,38 +1031,38 @@ Use the following procedures to verify that the PoC environment is configured pr 3. On PC1, open an elevated Windows PowerShell prompt and type the following commands: - ```powershell - whoami - hostname - nslookup www.microsoft.com - ping -n 1 dc1.contoso.com - tracert www.microsoft.com + ```cmd + whoami.exe + hostname.exe + nslookup.exe www.microsoft.com + ping.exe -n 1 dc1.contoso.com + tracert.exe www.microsoft.com ``` - **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed. + **whoami.exe** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed. - **hostname** displays the name of the local computer, for example W7PC-001. + **hostname.exe** displays the name of the local computer, for example W7PC-001. - **nslookup** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`. + **nslookup.exe** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`. - **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it can't be resolved, "couldn't find host" will be displayed. If the target is found and also responds to ICMP, you'll see "Reply from" and the IP address of the target. + **ping.exe** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it can't be resolved, "couldn't find host" will be displayed. If the target is found and also responds to ICMP, you'll see "Reply from" and the IP address of the target. - **tracert** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. + **tracert.exe** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. ## Appendix B: Terminology used in this guide |Term|Definition| |--- |--- | -|GPT|GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.| -|Hyper-V|Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.| -|Hyper-V host|The computer where Hyper-V is installed.| -|Hyper-V Manager|The user-interface console used to view and configure Hyper-V.| -|MBR|Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.| -|Proof of concept (PoC)|Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.| -|Shadow copy|A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.| -|Virtual machine (VM)|A VM is a virtual computer with its own operating system, running on the Hyper-V host.| -|Virtual switch|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.| -|VM snapshot|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.| +|**GPT**|GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.| +|**Hyper-V**|Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.| +|**Hyper-V host**|The computer where Hyper-V is installed.| +|**Hyper-V Manager**|The user-interface console used to view and configure Hyper-V.| +|**MBR**|Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.| +|**Proof of concept (PoC)**|Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.| +|**Shadow copy**|A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.| +|**Virtual machine (VM)**|A VM is a virtual computer with its own operating system, running on the Hyper-V host.| +|**Virtual switch**|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.| +|**VM snapshot**|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.| ## Next steps diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md index e5ceaf1248..7bfe334519 100644 --- a/windows/deployment/windows-10-pro-in-s-mode.md +++ b/windows/deployment/windows-10-pro-in-s-mode.md @@ -9,13 +9,13 @@ ms.prod: windows-client ms.collection: - M365-modern-desktop ms.topic: article -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # Switch to Windows 10 Pro or Enterprise from S mode -We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later. +We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later. Many other transformations are possible depending on which version and edition of Windows 10 you're starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means: @@ -37,20 +37,26 @@ Many other transformations are possible depending on which version and edition o | | Home | Not by any method | Not by any method | Not by any method | Use the following information to switch to Windows 10 Pro through the Microsoft Store. + > [!IMPORTANT] > While it's free to switch to Windows 10 Pro, it's not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. ## Switch one device through the Microsoft Store + Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device. Note these differences affecting switching modes in various releases of Windows 10: - In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible. -- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**. -- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves. -1. Sign into the Microsoft Store using your Microsoft account. +- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**. + +- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves. + +1. Sign into the Microsoft Store using your Microsoft account. + 2. Search for "S mode". + 3. In the offer, select **Buy**, **Get**, or **Learn more.** You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro. @@ -60,13 +66,14 @@ You'll be prompted to save your files before the switch starts. Follow the promp Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE. Switching out of S mode gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle. 1. Start Microsoft Intune. -2. Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**. + +2. Navigate to **Device configuration** > **Profiles** > **Windows 10 and later** > **Edition upgrade and mode switch**. + 3. Follow the instructions to complete the switch. ## Block users from switching -You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10. -To set this policy, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**. +You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10. To set this policy, go to **Device configuration** > **Profiles** > **Windows 10 and later** > **Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**. ## S mode management with CSPs @@ -77,4 +84,4 @@ In addition to using Microsoft Intune or another modern device management tool t [FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
    [Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
    [Windows 10 Pro Education](/education/windows/test-windows10s-for-edu)
    -[Introduction to Microsoft Intune in the Azure portal](/intune/what-is-intune) \ No newline at end of file +[Introduction to Microsoft Intune in the Azure portal](/intune/what-is-intune) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 29d62e08fa..af9938ad6a 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -13,7 +13,7 @@ ms.collection: search.appverid: - MET150 ms.topic: conceptual -ms.date: 10/31/2022 +ms.date: 11/23/2022 appliesto: - ✅ Windows 10 - ✅ Windows 11 @@ -98,7 +98,7 @@ The following list illustrates how deploying Windows client has evolved with eac > The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems). > [!IMPORTANT] -> As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants. For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea). +> As of October 1, 2022, subscription activation is available for *commercial* and *GCC* tenants. It's currently not available on GCC High or DoD tenants. For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea). For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements: @@ -144,7 +144,7 @@ You can benefit by moving to Windows as an online service in the following ways: > [!NOTE] > The following examples use Windows 10 Pro to Enterprise edition. The examples also apply to Windows 11, and Education editions. -The device is Azure AD-joined from **Settings > Accounts > Access work or school**. +The device is Azure AD-joined from **Settings** > **Accounts** > **Access work or school**. You assign Windows 10 Enterprise to a user: diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md index f2fce638d0..f38cf33ebe 100644 --- a/windows/deployment/windows-adk-scenarios-for-it-pros.md +++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md @@ -6,7 +6,7 @@ ms.author: frankroj manager: aaroncz ms.prod: windows-client ms.localizationpriority: medium -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.topic: article ms.technology: itpro-deploy --- @@ -19,50 +19,50 @@ In previous releases of Windows, the Windows ADK docs were published on both Tec Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center. -### Create a Windows image using command-line tools +## Create a Windows image using command-line tools [DISM](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) is used to mount and service Windows images. Here are some things you can do with DISM: -- [Mount an offline image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) -- [Add drivers to an offline image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image) -- [Enable or disable Windows features](/windows-hardware/manufacture/desktop/enable-or-disable-windows-features-using-dism) -- [Add or remove packages](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) -- [Add language packs](/windows-hardware/manufacture/desktop/add-language-packs-to-windows) -- [Add Universal Windows apps](/windows-hardware/manufacture/desktop/preinstall-apps-using-dism) -- [Upgrade the Windows edition](/windows-hardware/manufacture/desktop/change-the-windows-image-to-a-higher-edition-using-dism) +- [Mount an offline image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) +- [Add drivers to an offline image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image) +- [Enable or disable Windows features](/windows-hardware/manufacture/desktop/enable-or-disable-windows-features-using-dism) +- [Add or remove packages](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) +- [Add language packs](/windows-hardware/manufacture/desktop/add-language-packs-to-windows) +- [Add Universal Windows apps](/windows-hardware/manufacture/desktop/preinstall-apps-using-dism) +- [Upgrade the Windows edition](/windows-hardware/manufacture/desktop/change-the-windows-image-to-a-higher-edition-using-dism) [Sysprep](/windows-hardware/manufacture/desktop/sysprep--system-preparation--overview) prepares a Windows installation for imaging and allows you to capture a customized installation. Here are some things you can do with Sysprep: -- [Generalize a Windows installation](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation) -- [Customize the default user profile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile) -- [Use answer files](/windows-hardware/manufacture/desktop/use-answer-files-with-sysprep) +- [Generalize a Windows installation](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation) +- [Customize the default user profile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile) +- [Use answer files](/windows-hardware/manufacture/desktop/use-answer-files-with-sysprep) [Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro) is a small operating system used to boot a computer that doesn't have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system. Here are ways you can create a WinPE image: -- [Create a bootable USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive) -- [Create a Boot CD, DVD, ISO, or VHD](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive) +- [Create a bootable USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive) +- [Create a Boot CD, DVD, ISO, or VHD](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive) [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is a recovery environment that can repair common operating system problems. Here are some things you can do with Windows RE: -- [Customize Windows RE](/windows-hardware/manufacture/desktop/customize-windows-re) -- [Push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) +- [Customize Windows RE](/windows-hardware/manufacture/desktop/customize-windows-re) +- [Push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) [Windows System Image Manager (Windows SIM)](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference) helps you create answer files that change Windows settings and run scripts during installation. Here are some things you can do with Windows SIM: -- [Create answer file](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) -- [Add a driver path to an answer file](/windows-hardware/customize/desktop/wsim/add-a-device-driver-path-to-an-answer-file) -- [Add a package to an answer file](/windows-hardware/customize/desktop/wsim/add-a-package-to-an-answer-file) -- [Add a custom command to an answer file](/windows-hardware/customize/desktop/wsim/add-a-custom-command-to-an-answer-file) +- [Create answer file](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) +- [Add a driver path to an answer file](/windows-hardware/customize/desktop/wsim/add-a-device-driver-path-to-an-answer-file) +- [Add a package to an answer file](/windows-hardware/customize/desktop/wsim/add-a-package-to-an-answer-file) +- [Add a custom command to an answer file](/windows-hardware/customize/desktop/wsim/add-a-custom-command-to-an-answer-file) For a list of settings you can change, see [Unattended Windows Setup Reference](/windows-hardware/customize/desktop/unattend/) on the MSDN Hardware Dev Center. @@ -72,12 +72,12 @@ Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](/wi Here are some things you can do with Windows ICD: -- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) -- [Export a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) +- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) +- [Export a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) ### IT Pro Windows deployment tools There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet: -- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) -- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) \ No newline at end of file +- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) +- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md index 01a4100390..854b107c86 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md @@ -14,9 +14,7 @@ msreviewer: hathind # Fix issues found by the Readiness assessment tool -Seeing issues with your tenant? This article details how to remediate issues found with your tenant. - -If you need more assistance with tenant enrollment, you can submit a [tenant enrollment support request](#submit-a-support-request). +Seeing issues with your tenant? This article details how to remediate issues found with your tenant. ## Check results @@ -72,27 +70,3 @@ Windows Autopatch requires the following licenses: | Result | Meaning | | ----- | ----- | | Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). | - -## Submit a support request - -> [!IMPORTANT] -> Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with troubleshooting issues. - -If you need more assistance with tenant enrollment, you can submit support tickets to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team. - -**To submit a new support request:** - -1. If the Readiness assessment tool fails, remediation steps can be found by selecting **View details** under **Management settings** and then selecting the individual check. The **Contact Support** button will be available below remediation instructions in the fly-in-pane. -2. Enter your question(s) and/or a description of the problem. -3. Review all the information you provided for accuracy. -4. When you're ready, select **Create**. - -### Manage an active support request - -The primary contact for the support request will receive email notifications when a case is created, assigned to a service engineer to investigate, and mitigated. If you have a question about the case, the best way to get in touch is to reply directly to one of the emails. If we have questions about your request or need more details, we'll email the primary contact listed in the support request. - -**To view all your active pre-enrollment support requests:** - -1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu. -1. In the **Windows Autopatch** section, select **Tenant Enrollment**. -1. Select the **Support history** tab. You can view the list of all support cases, or select an individual case to view the details. diff --git a/windows/deployment/windows-autopilot/index.yml b/windows/deployment/windows-autopilot/index.yml index edec9d080e..567e5d62a8 100644 --- a/windows/deployment/windows-autopilot/index.yml +++ b/windows/deployment/windows-autopilot/index.yml @@ -6,12 +6,10 @@ summary: 'Note: Windows Autopilot documentation has moved! A few more resources metadata: title: Windows Autopilot deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required + ms.topic: landing-page + ms.prod: windows-client + ms.technology: itpro-deploy ms.collection: - - windows-10 - highpri author: frankroj ms.author: frankroj diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index d939130747..b6ac225f0e 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -6,7 +6,7 @@ ms.author: frankroj author: frankroj ms.prod: windows-client ms.topic: article -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- @@ -32,13 +32,13 @@ DISM is one of the deployment tools included in the Windows ADK and is used for DISM services online and offline images. For example, with DISM you can install the Microsoft .NET Framework 3.5.1 in Windows 10 online, which means that you can start the installation in the running operating system, not that you get the software online. The /LimitAccess switch configures DISM to get the files only from a local source: -``` syntax +```cmd Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS /LimitAccess ``` In Windows 10, you can use Windows PowerShell for many of the functions done by DISM.exe. The equivalent command in Windows 10 using PowerShell is: -``` syntax +```powershell Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -Source D:\Sources\SxS -LimitAccess ``` @@ -55,15 +55,15 @@ USMT is a backup and restore tool that allows you to migrate user state, data, a USMT includes several command-line tools, the most important of which are ScanState and LoadState: -- **ScanState.exe.** This tool performs the user-state backup. -- **LoadState.exe.** This tool performs the user-state restore. -- **UsmtUtils.exe.** This tool supplements the functionality in ScanState.exe and LoadState.exe. +- **ScanState.exe**: This tool performs the user-state backup. +- **LoadState.exe**: This tool performs the user-state restore. +- **UsmtUtils.exe**: This tool supplements the functionality in ScanState.exe and LoadState.exe. In addition to these tools, there are also XML templates that manage which data is migrated. You can customize the templates, or create new ones, to manage the backup process at a high level of detail. USMT uses the following terms for its templates: -- **Migration templates.** The default templates in USMT. -- **Custom templates.** Custom templates that you create. -- **Config template.** An optional template called Config.xml which you can use to exclude or include components in a migration without modifying the other standard XML templates. +- **Migration templates**: The default templates in USMT. +- **Custom templates**: Custom templates that you create. +- **Config template**: An optional template called Config.xml which you can use to exclude or include components in a migration without modifying the other standard XML templates. ![A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files..](images/mdt-11-fig06.png) @@ -73,60 +73,21 @@ USMT supports capturing data and settings from Windows Vista and later, and rest By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two default templates migrate the following data and settings: -- Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated. -- Specific file types. -
    - USMT templates migrate the following file types: +- Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated. - - `.accdb` - - `.ch3` - - `.csv` - - `.dif` - - `.doc*` - - `.dot*` - - `.dqy` - - `.iqy` - - `.mcw` - - `.mdb*` - - `.mpp` - - `.one*` - - `.oqy` - - `.or6` - - `.pot*` - - `.ppa` - - `.pps*` - - `.ppt*` - - `.pre` - - `.pst` - - `.pub` - - `.qdf` - - `.qel` - - `.qph` - - `.qsd` - - `.rqy` - - `.rtf` - - `.scd` - - `.sh3` - - `.slk` - - `.txt` - - `.vl*` - - `.vsd` - - `.wk*` - - `.wpd` - - `.wps` - - `.wq1` - - `.wri` - - `.xl*` - - `.xla` - - `.xlb` - - `.xls*` -
    +- The following specific file types: + + `.accdb`, `.ch3`, `.csv`, `.dif`, `.doc*`, `.dot*`, `.dqy`, `.iqy`, `.mcw`, `.mdb*`, `.mpp`, `.one*`, `.oqy`, `.or6`, `.pot*`, `.ppa`, `.pps*`, `.ppt*`, `.pre`, `.pst`, `.pub`, `.qdf`, `.qel`, `.qph`, `.qsd`, `.rqy`, `.rtf`, `.scd`, `.sh3`, `.slk`, `.txt`, `.vl*`, `.vsd`, `.wk*`, `.wpd`, `.wps`, `.wq1`, `.wri`, `.xl*`, `.xla`, `.xlb`, `.xls*` + + > [!NOTE] + > The asterisk (`*`) stands for zero or more characters. > [!NOTE] > The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default. -- Operating system component settings -- Application settings +- Operating system component settings + +- Application settings These settings are migrated by the default MigUser.xml and MigApp.xml templates. For more information, see [What does USMT migrate?](./usmt/usmt-what-does-usmt-migrate.md) For more general information on USMT, see [USMT technical reference](./usmt/usmt-reference.md). @@ -160,7 +121,7 @@ The updated Volume Activation Management Tool. VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell (instead of the old command-line tool). For example, if you want to get information from the VAMT database, you can type: -``` syntax +```powershell Get-VamtProduct ``` @@ -178,7 +139,7 @@ A machine booted with the Windows ADK default Windows PE boot image. For more information on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro). -## Windows Recovery Environment +## Windows Recovery Environment Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you'll see an automatic failover into Windows RE. @@ -204,9 +165,9 @@ In some cases, you need to modify TFTP Maximum Block Size settings for performan Also, there are a few new features related to TFTP performance: -- **Scalable buffer management.** Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer. -- **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability. -- **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size. +- **Scalable buffer management**: Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer. +- **Scalable port management**: Provides the capability to service clients with shared UDP port allocation, increasing scalability. +- **Variable-size transmission window (Variable Windows Extension)**: Improves TFTP performance by allowing the client and server to determine the largest workable window size. ![TFTP changes are now easy to perform.](images/mdt-11-fig12.png) @@ -214,7 +175,6 @@ TFTP changes are now easy to perform. ## Microsoft Deployment Toolkit - MDT is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution. MDT has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is Zero Touch, which is an extension to Configuration Manager. @@ -242,16 +202,20 @@ MDOP is a suite of technologies available to Software Assurance customers throug The following components are included in the MDOP suite: -- **Microsoft Application Virtualization (App-V).** App-V 5.0 provides an integrated platform, more flexible virtualization, and powerful management for virtualized applications. With the release of App-V 5.0 SP3, you have support to run virtual applications on Windows 10. +- **Microsoft Application Virtualization (App-V).** App-V 5.0 provides an integrated platform, more flexible virtualization, and powerful management for virtualized applications. With the release of App-V 5.0 SP3, you have support to run virtual applications on Windows 10. -- **Microsoft User Experience Virtualization (UE-V).** UE-V monitors the changes that are made by users to application settings and Windows operating system settings. The user settings are captured and centralized to a settings storage location. These settings can then be applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions. +- **Microsoft User Experience Virtualization (UE-V).** UE-V monitors the changes that are made by users to application settings and Windows operating system settings. The user settings are captured and centralized to a settings storage location. These settings can then be applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions. -- **Microsoft Advanced Group Policy Management (AGPM).** AGPM enables advanced management of Group Policy objects by providing change control, offline editing, and role-based delegation. -- **Microsoft Diagnostics and Recovery Toolset (DaRT).** DaRT provides additional tools that extend Windows RE to help you troubleshoot and repair your machines. -- **Microsoft BitLocker Administration and Monitoring (MBAM).** MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, and monitor compliance with these policies. +- **Microsoft Advanced Group Policy Management (AGPM).** AGPM enables advanced management of Group Policy objects by providing change control, offline editing, and role-based delegation. +- **Microsoft Diagnostics and Recovery Toolset (DaRT).** DaRT provides additional tools that extend Windows RE to help you troubleshoot and repair your machines. +- **Microsoft BitLocker Administration and Monitoring (MBAM).** MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, and monitor compliance with these policies. For more information on the benefits of an MDOP subscription, see [Microsoft Desktop Optimization Pack](/microsoft-desktop-optimization-pack/). + + ## Windows Server Update Services WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment. @@ -274,32 +240,31 @@ For more information on WSUS, see the [Windows Server Update Services Overview]( ## Unified Extensible Firmware Interface - For many years, BIOS has been the industry standard for booting a PC. BIOS has served us well, but it's time to replace it with something better. **UEFI** is the replacement for BIOS, so it's important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment. ### Introduction to UEFI BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including: -- 16-bit code -- 1-MB address space -- Poor performance on ROM initialization -- MBR maximum bootable disk size of 2.2 TB +- 16-bit code +- 1-MB address space +- Poor performance on ROM initialization +- MBR maximum bootable disk size of 2.2 TB As the replacement to BIOS, UEFI has many features that Windows can and will use. With UEFI, you can benefit from: -- **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks. -- **Faster boot time.** UEFI doesn't use INT 13, and that improves boot time, especially when it comes to resuming from hibernate. -- **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start. -- **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS. -- **CPU-independent architecture.** Even if BIOS can run both 32-bit and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS. -- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That isn't needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment. -- **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors. -- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware can't switch the boot loader. +- **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks. +- **Faster boot time.** UEFI doesn't use INT 13, and that improves boot time, especially when it comes to resuming from hibernate. +- **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start. +- **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS. +- **CPU-independent architecture.** Even if BIOS can run both 32-bit and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS. +- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That isn't needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment. +- **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors. +- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware can't switch the boot loader. -### Versions +### UEFI versions UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a few machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later. @@ -307,10 +272,10 @@ UEFI Version 2.3.1B is the version required for Windows 8 and later logo complia In regard to UEFI, hardware is divided into four device classes: -- **Class 0 devices.** The device of this class is the UEFI definition for a BIOS, or non-UEFI, device. -- **Class 1 devices.** The devices of this class behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured. -- **Class 2 devices.** The devices of this class have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available. -- **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 isn't supported on these class 3 devices. Class 3 devices don't have a CSM to emulate BIOS. +- **Class 0 devices.** The device of this class is the UEFI definition for a BIOS, or non-UEFI, device. +- **Class 1 devices.** The devices of this class behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured. +- **Class 2 devices.** The devices of this class have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available. +- **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 isn't supported on these class 3 devices. Class 3 devices don't have a CSM to emulate BIOS. ### Windows support for UEFI @@ -322,14 +287,14 @@ With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 support There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices: -- Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS. -- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It's common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa. -- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4 GB. -- UEFI doesn't support cross-platform booting; therefore, you need to have the correct boot media (32-bit or 64-bit). +- Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS. +- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It's common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa. +- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4 GB. +- UEFI doesn't support cross-platform booting; therefore, you need to have the correct boot media (32-bit or 64-bit). For more information on UEFI, see the [UEFI firmware](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824898(v=win.10)) overview and related resources. ## Related articles [Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
    -[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md) \ No newline at end of file +[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index dc624bbd9f..aa9a8e5a92 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -8,12 +8,9 @@ brand: windows metadata: title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: subservice #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice # Optional; Remove if no subservice is used. - ms.topic: hub-page # Required + ms.topic: hub-page + ms.prod: windows-client ms.collection: - - windows-10 - highpri author: dougeby #Required; your GitHub user alias, with correct capitalization. ms.author: dougeby #Required; microsoft alias of author; optional team alias. diff --git a/windows/security/docfx.json b/windows/security/docfx.json index b923e0d70f..8484e3b795 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -65,13 +65,13 @@ }, "fileMetadata": { "author":{ - "/identity-protection/hello-for-business/*.md": "paolomatarazzo" + "identity-protection/hello-for-business/**/*.md": "paolomatarazzo" }, "ms.author":{ - "/identity-protection/hello-for-business/*.md": "paoloma" + "identity-protection/hello-for-business/**/*.md": "paoloma" }, "ms.reviewer":{ - "/identity-protection/hello-for-business/*.md": "erikdau" + "identity-protection/hello-for-business/**/*.md": "erikdau" } }, "template": [], diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 9217ed606d..33c5c76b9f 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -1,37 +1,23 @@ --- title: Multi-factor Unlock description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 03/20/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Multi-factor Unlock -**Requirements:** -* Windows Hello for Business deployment (Cloud, Hybrid or On-premises) -* Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments) -* Windows 10, version 1709 or newer, or Windows 11 -* Bluetooth, Bluetooth capable phone - optional +Windows Hello for Business supports the use of a single credential (PIN and biometrics) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. -Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. - -Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure their Windows to request a combination of factors and trusted signals to unlock their devices. +Windows Hello for Business can be configured with multi-factor device unlock, by extending Windows Hello with trusted signals. Administrators can configure devices to request a combination of factors and trusted signals to unlock theim. Which organizations can take advantage of Multi-factor unlock? Those who: -* Have expressed that PINs alone do not meet their security needs. -* Want to prevent Information Workers from sharing credentials. -* Want their organizations to comply with regulatory two-factor authentication policy. -* Want to retain the familiar Windows sign-in user experience and not settle for a custom solution. + +- Have expressed that PINs alone do not meet their security needs +- Want to prevent Information Workers from sharing credentials +- Want their organizations to comply with regulatory two-factor authentication policy +- Want to retain the familiar Windows sign-in user experience and not settle for a custom solution You enable multi-factor unlock using Group Policy. The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index d42b632977..721ddca258 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -1,25 +1,18 @@ --- title: Azure Active Directory join cloud only deployment description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 06/23/2021 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Azure Active Directory join cloud only deployment +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-cloud.md)] + ## Introduction -When you Azure Active Directory (Azure AD) join a Windows 10 or Windows 11 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed. +When you Azure Active Directory (Azure AD) join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud-only environment, then there's no additional configuration needed. You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below. @@ -71,7 +64,11 @@ If you don't use Intune in your organization, then you can disable Windows Hello Intune uses the following registry keys: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies`** -To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) +To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account: + +```msgraph-interactive +GET https://graph.microsoft.com/v1.0/organization?$select=id +``` These registry settings are pushed from Intune for user policies: diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index edcdd4c52f..485f602211 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -1,22 +1,11 @@ --- title: Having enough Domain Controllers for Windows Hello for Business deployments description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/20/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 or later - - ✅ Hybrid or On-Premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- # Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md index 8f6de2d563..b7b06e3193 100644 --- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md +++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md @@ -1,19 +1,10 @@ --- title: Windows Hello and password changes (Windows) description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium ms.date: 07/27/2017 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello and password changes diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index df42f82380..c9bc5a12f3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -1,21 +1,10 @@ --- title: Windows Hello biometrics in the enterprise (Windows) description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition. -ms.prod: windows-client -ms.collection: - - M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 01/12/2021 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Holographic for Business -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello biometrics in the enterprise diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 20352aa60a..3486c444df 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -1,25 +1,15 @@ --- title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business) description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 01/14/2021 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- -# Prepare and Deploy Windows Server 2016 Active Directory Federation Services - Certificate Trust +# Prepare and Deploy Active Directory Federation Services (AD FS) -Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. +Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS). The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. @@ -120,6 +110,8 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. ## Review & validate +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] + Before you continue with the deployment, validate your deployment progress by reviewing the following items: - Confirm the AD FS farm uses the correct database configuration. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 760d69ed2e..bde42599c7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -1,28 +1,21 @@ --- title: Configure Windows Hello for Business Policy settings - certificate trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business. Certificate-based deployments need three group policy settings. -ms.prod: windows-client ms.collection: - M365-identity-device-management - highpri -ms.topic: article -localizationpriority: medium ms.date: 08/20/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- # Configure Windows Hello for Business Policy settings - Certificate Trust -You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). -Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later. +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] + +To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). +Install the Remote Server Administration Tools for Windows on a computer running Windows 10 or later. On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings: * Enable Windows Hello for Business diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index c324b543eb..af56ffb943 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -1,25 +1,17 @@ --- title: Update Active Directory schema for cert-trust deployment (Windows Hello for Business) description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the certificate trust model. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- # Validate Active Directory prerequisites for cert-trust deployment -The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] + +The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. > [!NOTE] > If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow. @@ -30,7 +22,9 @@ Manually updating Active Directory uses the command-line utility **adprep.exe** To locate the schema master role holder, open and command prompt and type: -```Netdom query fsmo | findstr -i “schema”``` +```cmd +netdom.exe query fsmo | findstr.exe -i "schema" +``` ![Netdom example output.](images/hello-cmd-netdom.png) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md index 38589541ad..28d010fbd8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md @@ -1,24 +1,16 @@ --- title: Validate and Deploy MFA for Windows Hello for Business with certificate trust description: How to Validate and Deploy Multi-factor Authentication (MFA) Services for Windows Hello for Business with certificate trust -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- # Validate and Deploy Multi-Factor Authentication feature +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] + Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option. For information on available third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index 15298bba55..4b692280e1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -1,29 +1,21 @@ --- title: Validate Public Key Infrastructure - certificate trust model (Windows Hello for Business) description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a certificate trust model. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- # Validate and Configure Public Key Infrastructure - Certificate Trust Model +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] + Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. ## Deploy an enterprise certificate authority -This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. +This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running Active Directory Certificate Services. ### Lab-based public key infrastructure @@ -34,13 +26,13 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o >[!NOTE] >Never install a certificate authority on a domain controller in a production environment. -1. Open an elevated Windows PowerShell prompt. -2. Use the following command to install the Active Directory Certificate Services role. +1. Open an elevated Windows PowerShell prompt +2. Use the following command to install the Active Directory Certificate Services role ```PowerShell Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools ``` -3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. +3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration ```PowerShell Install-AdcsCertificationAuthority ``` diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md index 0c3dce349f..115a1041e1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md @@ -1,24 +1,16 @@ --- title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment description: A guide to on premises, certificate trust Windows Hello for Business deployment. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- # On Premises Certificate Trust Deployment +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] + Windows Hello for Business replaces username and password sign-in to Windows with authentication using an asymmetric key pair. This deployment guide provides the information you'll need to successfully deploy Windows Hello for Business in an existing environment. Below, you can find all the information needed to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment: diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index e760eecda3..64b6af4819 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -1,25 +1,13 @@ --- title: Windows Hello for Business Deployment Overview description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: - - M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 02/15/2022 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Deployment Overview -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 - Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index b64a57e89f..8c8fd3b65d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md @@ -1,17 +1,10 @@ --- title: Windows Hello for Business Deployment Known Issues description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues -params: siblings_only -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 05/03/2021 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Known Deployment Issues @@ -19,12 +12,6 @@ The content of this article is to help troubleshoot and workaround known deploym ## PIN Reset on Azure AD Join Devices Fails with "We can't open that page right now" error -Applies to: - -- Azure AD joined deployments -- Windows 10, version 1803 and later -- Windows 11 - PIN reset on Azure AD-joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will show a page with the error message "We can't open that page right now". ### Identifying Azure AD joined PIN Reset Allowed Domains Issue diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md index 770fc668c9..6dfcd9f952 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md @@ -1,30 +1,21 @@ --- title: Windows Hello for Business Deployment Guide - On Premises Key Deployment description: A guide to on premises, key trust Windows Hello for Business deployment. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/20/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # On Premises Key Trust Deployment +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] + Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. Below, you can find all the information you need to deploy Windows Hello for Business in a key trust model in your on-premises environment: 1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) 2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) +3. [Prepare and Deploy Active Directory Federation Services](hello-key-trust-adfs.md) 4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) 5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 282264de1e..af71e186d2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -1,19 +1,13 @@ --- title: Deploy certificates for remote desktop sign-in description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: erikdau -ms.collection: - - M365-identity-device-management +ms.collection: - ContentEngagementFY23 -ms.topic: how-to +ms.topic: article localizationpriority: medium ms.date: 11/15/2022 -appliesto: - - ✅ Windows 10 and later +appliesto: +- ✅ Windows 10 and later ms.technology: itpro-security --- @@ -61,7 +55,7 @@ Follow these steps to create a certificate template: | *Compatibility* |
    • Clear the **Show resulting changes** check box
    • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*
    • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*
    | | *General* |
    • Specify a **Template display name**, for example *WHfB Certificate Authentication*
    • Set the validity period to the desired value
    • Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example)
    | | *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**| - | *Subject Name* |
    • Select the **Build from this Active Directory** information button if it isn't already selected
    • Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name isn't already selected
    • Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
    | + | *Subject Name* |
    • Select the **Build from this Active Directory** information button if it isn't already selected
    • Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name isn't already selected
    • Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**

    **Note:** If you deploy certificates via Intune, select **Supply in the request** instead of *Build from this Active Directory*.| |*Request Handling*|
    • Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose
    • Select the **Renew with same key** check box
    • Select **Prompt the user during enrollment**
    | |*Cryptography*|
    • Set the Provider Category to **Key Storage Provider**
    • Set the Algorithm name to **RSA**
    • Set the minimum key size to **2048**
    • Select **Requests must use one of the following providers**
    • Select **Microsoft Software Key Storage Provider**
    • Set the Request hash to **SHA256**
    | |*Security*|Add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them| @@ -139,14 +133,14 @@ This section describes how to configure a SCEP policy in Intune. Similar steps c | --- | --- | |*Certificate Type*| User | |*Subject name format* | `CN={{UserPrincipalName}}` | - |*Subject alternative name* |From the dropdown, select **User principal name (UPN)** with a value of `CN={{UserPrincipalName}}` + |*Subject alternative name* |From the dropdown, select **User principal name (UPN)** with a value of `{{UserPrincipalName}}` |*Certificate validity period* | Configure a value of your choosing| |*Key storage provider (KSP)* | **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** |*Key usage*| **Digital Signature**| |*Key size (bits)* | **2048**| |*For Hash algorithm*|**SHA-2**| |*Root Certificate*| Select **+Root Certificate** and select the trusted certificate profile created earlier for the Root CA Certificate| - |*Extended key usage*|
    • *Name:* **Smart Card Logon**
    • *Object Identifier:* `1.3.6.1.4.1.311.20.2.2`
    • *Predefined Values:* **Smart Card Logon**

    • *Name:* **Client Authentication**
    • *Object Identifier:* `1.3.6.1.5.5.7.3.2 `
    • *Predefined Values:* **Client Authentication**
    | + |*Extended key usage*|
    • *Name:* **Smart Card Logon**
    • *Object Identifier:* `1.3.6.1.4.1.311.20.2.2`
    • *Predefined Values:* **Not configured**

    • *Name:* **Client Authentication**
    • *Object Identifier:* `1.3.6.1.5.5.7.3.2 `
    • *Predefined Values:* **Client Authentication**
    | |*Renewal threshold (%)*|Configure a value of your choosing| |*SCEP Server URLs*|Provide the public endpoint(s) that you configured during the deployment of your SCEP infrastructure| @@ -198,4 +192,4 @@ After obtaining a certificate, users can RDP to any Windows devices in the same [MEM-5]: /mem/intune/protect/certificates-trusted-root [MEM-6]: /mem/intune/protect/certificate-authority-add-scep-overview -[HTTP-1]: https://www.powershellgallery.com/packages/Generate-CertificateRequest \ No newline at end of file +[HTTP-1]: https://www.powershellgallery.com/packages/Generate-CertificateRequest diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 28bab60966..e1b28aec6f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -1,20 +1,10 @@ --- title: Windows Hello errors during PIN creation (Windows) description: When you set up Windows Hello in Windows 10/11, you may get an error during the Create a work PIN step. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: - - M365-identity-device-management ms.topic: troubleshooting -ms.localizationpriority: medium ms.date: 05/05/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later --- # Windows Hello errors during PIN creation diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md index 32ec0a5204..484985c43d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-event-300.md +++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md @@ -1,19 +1,10 @@ --- title: Event ID 300 - Windows Hello successfully created (Windows) description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium ms.date: 07/27/2017 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Event ID 300 - Windows Hello successfully created diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 919393f45a..f4456c7110 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -18,9 +18,8 @@ metadata: ms.topic: faq localizationpriority: medium ms.date: 11/11/2022 - appliesto: - - ✅ Windows 10 - - ✅ Windows 11 + appliesto: + - ✅ Windows 10 and later title: Windows Hello for Business Frequently Asked Questions (FAQ) summary: | @@ -211,7 +210,7 @@ sections: - question: I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model? answer: | - No. If your organization is federated or using online services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory. + No. If your organization is using Microsoft cloud services, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory. - question: Does Windows Hello for Business prevent the use of simple PINs? answer: | diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md index 8ac9d29d9f..a96e6d66b5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md @@ -1,16 +1,10 @@ --- title: Conditional Access description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 09/09/2019 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Conditional access diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md index 24c66f9452..adfbe58657 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md @@ -1,16 +1,10 @@ --- title: Dual Enrollment description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 09/09/2019 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Dual Enrollment @@ -19,7 +13,6 @@ ms.technology: itpro-security * Hybrid and On-premises Windows Hello for Business deployments * Enterprise joined or Hybrid Azure joined devices -* Windows 10, version 1709 or later * Certificate trust > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index bb878fcd09..6bae92fc12 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md @@ -1,19 +1,10 @@ --- title: Dynamic lock description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 07/12/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Dynamic lock diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index b50e72d0ef..313ef05f54 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -1,21 +1,13 @@ --- title: Pin Reset description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri -ms.topic: article -localizationpriority: medium ms.date: 07/29/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # PIN reset @@ -31,11 +23,6 @@ There are two forms of PIN reset: There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. -**Requirements** - -- Reset from settings - Windows 10, version 1703 or later, Windows 11 -- Reset above Lock - Windows 10, version 1709 or later, Windows 11 - Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider. @@ -185,7 +172,11 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi - Value: **True** >[!NOTE] -> You must replace `TenantId` with the identifier of your Azure Active Directory tenant. +> You must replace `TenantId` with the identifier of your Azure Active Directory tenant. To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:: + +```msgraph-interactive +GET https://graph.microsoft.com/v1.0/organization?$select=id +``` --- diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 31cdaa7534..2281821bdc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -1,24 +1,15 @@ --- title: Remote Desktop description: Learn how Windows Hello for Business supports using biometrics with remote desktop -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 02/24/2021 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Remote Desktop **Requirements** - -- Windows 10 -- Windows 11 - Hybrid and On-premises Windows Hello for Business deployments - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index d3817c3e30..27dde9400e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -1,19 +1,10 @@ --- title: How Windows Hello for Business works - Authentication description: Learn about the authentication flow for Windows Hello for Business. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 02/15/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business and Authentication diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index ab75ccda70..6d250848d5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -1,19 +1,10 @@ --- title: How Windows Hello for Business works - Provisioning description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 2/15/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Provisioning diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 719c27216d..ad5eec8634 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -1,19 +1,10 @@ --- title: How Windows Hello for Business works - technology and terms description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 10/08/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Technology and terms @@ -158,7 +149,7 @@ For certain devices that use firmware-based TPM produced by Intel or Qualcomm, t ## Federated environment -Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Office 365 or other Azure-based applications. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD. +Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Microsoft cloud services. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD. ### Related to federated environment @@ -194,7 +185,7 @@ If your environment has an on-premises AD footprint and you also want benefit fr ## Hybrid deployment -The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust. +The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust. ### Related to hybrid deployment @@ -269,7 +260,7 @@ The Windows Hello for Business on-premises deployment is for organizations that ## Pass-through authentication -Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. +Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Allows your users to sign in to both on-premises and Microsoft cloud resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Azure AD. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. ### Related to pass-through authentication @@ -283,7 +274,7 @@ Pass-through authentication provides a simple password validation for Azure AD a ## Password hash sync -Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. +Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. ### Related to password hash sync diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 03559c9e2e..9f3670151c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md @@ -1,18 +1,10 @@ --- title: How Windows Hello for Business works description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 05/05/2018 -appliesto: - - ✅ Windows 10 and later -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # How Windows Hello for Business works in Windows Devices diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index ce22c81e4f..a53b5977d6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -1,25 +1,15 @@ --- title: Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business description: Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support them. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: - - M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 01/14/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Azure Active Directory-join - - ✅ Hybrid Deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business + +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-keycert-trust-aad.md)] + ## Prerequisites Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices. Unlike hybrid Azure AD-joined devices, Azure AD-joined devices don't have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 441651ecdb..1b222da4f8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -1,26 +1,16 @@ --- -title: Using Certificates for AADJ On-premises Single-sign On single sign-on +title: Use Certificates to enable SSO for Azure AD join devices description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Azure AD-join - - ✅ Hybrid Deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Using Certificates for AADJ On-premises Single-sign On +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-aad.md)] + If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices. > [!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index 8d2c2d3eb7..1acc6aa213 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md @@ -1,22 +1,15 @@ --- title: Azure AD Join Single Sign-on Deployment description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory-joined devices, using Windows Hello for Business. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Azure AD Join Single Sign-on Deployment +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-keycert-trust-aad.md)] + Windows Hello for Business combined with Azure Active Directory-joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD-joined devices may need to access these resources. With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory-joined devices using Windows Hello for Business, using a key or a certificate. ## Key vs. Certificate diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index d68fe373c4..234f257566 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -1,24 +1,15 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business) description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Windows Hello for Business Certificate Trust New Installation +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technologies - [Active Directory](#active-directory) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 912929f030..997dbea6e9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -1,24 +1,15 @@ --- title: Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)] + Your environment is federated and you're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. > [!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index f3bd6859f8..56e0d50918 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -1,24 +1,15 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Prerequisites description: Learn these prerequisites for hybrid Windows Hello for Business deployments using certificate trust. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Windows Hello for Business Prerequisites +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md index fbf527bf4b..caf8cfe867 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -1,39 +1,30 @@ --- title: Hybrid Certificate Trust Deployment (Windows Hello for Business) description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 09/08/2017 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Certificate Trust Deployment +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). -This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment. +This deployment guide provides guidance for new deployments and customers who are already federated with Azure AD. These two scenarios provide a baseline from which you can begin your deployment. ## New Deployment Baseline -The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. +The new deployment baseline helps organizations who are moving to Azure AD to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. ## Federated Baseline -The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment. +The federated baseline helps organizations that have completed their federation with Azure Active Directory and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment. Regardless of the baseline you choose, your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 191ad50880..fa4284edd5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -1,24 +1,15 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business) description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 82c2369b6c..748cc46a44 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -1,24 +1,15 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business - Active Directory (AD) description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. ### Creating Security Groups diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 55a8c1fe51..83988357c9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -1,24 +1,15 @@ --- title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS) description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory Federation Services +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + ## Federation Services The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 9340b2698b..5002843385 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -1,25 +1,16 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business Directory Synch description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + ## Directory Synchronization In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 0c6e6e4808..98725d74b3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -1,25 +1,16 @@ --- title: Configuring Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure (PKI) description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly-issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows between them and the client computer. All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 9665843315..ad8ff6984f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -1,24 +1,14 @@ --- title: Configuring Hybrid Azure AD joined Windows Hello for Business - Group Policy description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)] ## Policy Configuration diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 68da777df7..360f679614 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -1,24 +1,15 @@ --- title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business) description: Learn how to configure Windows Hello for Business settings in hybrid certificate trust deployment. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Your environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. > [!IMPORTANT] > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index d9cd8d2065..d8063e6127 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -1,29 +1,14 @@ --- title: Hybrid cloud Kerberos trust deployment (Windows Hello for Business) description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 11/1/2022 -appliesto: - - ✅ Windows 10, version 21H2 and later -ms.technology: itpro-security +appliesto: +- ✅ Windows 10, version 21H2 and later +ms.topic: article --- # Hybrid cloud Kerberos trust deployment -This document describes Windows Hello for Business functionalities or scenarios that apply to:\ -✅ **Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\ -✅ **Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md)\ -✅ **Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join) - -
    - ---- +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cloudkerb-trust.md)] Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index 98e359fe83..32f0d91fc6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -1,24 +1,15 @@ --- title: Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid key trust deployments of Windows Hello for Business rely on these technologies - [Active Directory](#active-directory) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 60421b9698..e6d1d3275c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -1,24 +1,15 @@ --- title: Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 05/04/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + You're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication. > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index 883e949f0a..18df532ca9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md @@ -1,24 +1,15 @@ --- title: Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises. ## Deploy Azure AD Connect diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index a91f625b7b..17e3fe7e61 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -1,24 +1,16 @@ --- title: Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites (Windows Hello for Business) description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites -Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + +Hybrid environments are distributed systems that enable organizations to use on-premises and Azure AD-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: @@ -33,7 +25,7 @@ The distributed systems on which these technologies were built involved several Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. -A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment does not need a premium Azure Active Directory subscription. +A hybrid Windows Hello for Business deployment requires Azure Active Directory. The hybrid key trust deployment does not need a premium Azure Active Directory subscription. You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. If using the key trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. @@ -113,7 +105,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD. +Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS. ### Section Review diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index addf5f5a20..9ab687ded9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md @@ -1,33 +1,24 @@ --- title: Hybrid Key Trust Deployment (Windows Hello for Business) description: Review this deployment guide to successfully deploy Windows Hello for Business in a hybrid key trust scenario. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/20/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Key Trust Deployment +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario. It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). -This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment. +This deployment guide provides guidance for new deployments and customers who are already federated with Azure AD. These two scenarios provide a baseline from which you can begin your deployment. ## New Deployment Baseline ## -The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. +The new deployment baseline helps organizations who are moving to Azure AD to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index 85b0134eed..b5c704fb93 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md @@ -1,23 +1,15 @@ --- title: Hybrid Azure AD joined Windows Hello for Business key trust Provisioning (Windows Hello for Business) description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Windows Hello for Business Key Trust Provisioning + +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md index eefcf80dae..cb30af909d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md @@ -1,24 +1,14 @@ --- title: Configuring Hybrid Azure AD joined key trust Windows Hello for Business - Active Directory (AD) description: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Configuring Hybrid Azure AD joined key trust Windows Hello for Business: Active Directory -appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Hybrid deployment -- ✅ Key trust +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust-ad.md)] Configure the appropriate security groups to efficiently deploy Windows Hello for Business to users. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 4a6cacda34..f19aab257d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -1,27 +1,18 @@ --- title: Hybrid Azure AD joined Windows Hello for Business - Directory Synchronization description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + ## Directory Synchronization -In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. +In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure AD. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. ### Group Memberships for the Azure AD Connect Service Account >[!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index 7d80a9ac21..a824e822fe 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -1,24 +1,15 @@ --- title: Configure Hybrid Azure AD joined key trust Windows Hello for Business description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 04/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer. All deployments use enterprise issued certificates for domain controllers as a root of trust. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index 6d891a5b53..333f505d95 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md @@ -1,24 +1,15 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy description: Configuring Hybrid key trust Windows Hello for Business - Group Policy -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust-ad.md)] + ## Policy Configuration You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index 48fe302c63..5e24b6de2c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md @@ -1,26 +1,17 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business key trust Settings description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business key trust settings +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + You are ready to configure your hybrid Azure AD joined key trust environment for Windows Hello for Business. - + > [!IMPORTANT] > Ensure your environment meets all the [prerequisites](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 1b10ff4e76..37b6335a50 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -1,18 +1,13 @@ --- title: Windows Hello for Business Deployment Prerequisite Overview description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri -ms.topic: article -localizationpriority: medium ms.date: 2/15/2022 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Deployment Prerequisite Overview @@ -21,7 +16,6 @@ This article lists the infrastructure requirements for the different deployment ## Azure AD Cloud Only Deployment -* Windows 10, version 1511 or later, or Windows 11 * Microsoft Azure Account * Azure Active Directory * Azure AD Multifactor Authentication diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index b9d46ebca9..4a8dc18965 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -1,24 +1,15 @@ --- title: Prepare & Deploy Windows Active Directory Federation Services with key trust (Windows Hello for Business) description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business using key trust. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] + Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration. The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index 090e46cd72..c618365d4e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md @@ -1,28 +1,18 @@ --- title: Configure Windows Hello for Business Policy settings - key trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Windows Hello for Business Policy settings - Key Trust -You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). -Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later. +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] -Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows 10, version 1703 installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information. +To run the Group Policy Management Console from a Windows client, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). + +Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows client installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information. On-premises certificate-based deployments of Windows Hello for Business needs one Group Policy setting: Enable Windows Hello for Business diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index a7cf2a4367..57080612a2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md @@ -1,25 +1,16 @@ --- title: Key registration for on-premises deployment of Windows Hello for Business description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the key trust model. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Validate Active Directory prerequisites - Key Trust -Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] + +Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. > [!NOTE] >There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index 42ee5bdd01..046acb3df3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -1,24 +1,15 @@ --- title: Validate and Deploy MFA for Windows Hello for Business with key trust description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business with key trust -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Validate and Deploy Multifactor Authentication (MFA) +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] + > [!IMPORTANT] > As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index 5a4c114b16..c3a9226714 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md @@ -1,24 +1,15 @@ --- title: Validate Public Key Infrastructure - key trust model (Windows Hello for Business) description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a key trust model. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Validate and Configure Public Key Infrastructure - Key Trust +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] + Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. ## Deploy an enterprise certificate authority diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index ef4ec913e4..2d83fca7b3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -1,31 +1,21 @@ --- title: Manage Windows Hello in your organization (Windows) description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri -ms.topic: article -ms.localizationpriority: medium ms.date: 2/15/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Manage Windows Hello for Business in your organization -You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. +You can create a Group Policy or mobile device management (MDM) policy to configure Windows Hello for Business on Windows devices. >[!IMPORTANT] ->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511. -> ->Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. +>Windows Hello as a convenience PIN is disabled by default on all domain joined and Azure AD joined devices. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**. > >Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business. @@ -144,9 +134,10 @@ All PIN complexity policies are grouped separately from feature enablement and a >- LowercaseLetters - 1 >- SpecialCharacters - 1 + diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index eb85e9ca3b..87ec948d71 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -1,25 +1,16 @@ --- title: Windows Hello for Business Overview (Windows) description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: conceptual -localizationpriority: medium appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Holographic for Business -ms.technology: itpro-security +- ✅ Windows 10 and later --- # Windows Hello for Business Overview -In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. +Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a type of user credential that is tied to a device and uses a biometric or PIN. >[!NOTE] > When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 36ba184666..c3c5912b26 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -1,20 +1,10 @@ --- title: Planning a Windows Hello for Business Deployment description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: - - M365-identity-device-management -ms.topic: article -localizationpriority: conceptual ms.date: 09/16/2020 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Planning a Windows Hello for Business Deployment @@ -189,9 +179,9 @@ Hybrid Azure AD-joined devices managed by Group Policy need the Windows Server 2 Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers. -One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust). +One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers and needing to enroll certificates for all their users (certificate trust). -Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you need to activate the Device Writeback option in Azure AD Connect. +Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you need to activate the Device Writeback option in Azure AD Connect. If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**. diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index 78291dadbd..69e4a380e5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md @@ -1,19 +1,10 @@ --- title: Prepare people to use Windows Hello (Windows) description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Prepare people to use Windows Hello diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md index 3a99c148bd..bf6f5a4ea0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-videos.md +++ b/windows/security/identity-protection/hello-for-business/hello-videos.md @@ -1,19 +1,10 @@ --- title: Windows Hello for Business Videos description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 07/26/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Videos ## Overview of Windows Hello for Business and Features diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index 68cc9b2ecd..f2ba4fd368 100644 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md @@ -1,26 +1,18 @@ --- title: Why a PIN is better than an online password (Windows) -description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva +description: Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password. ms.collection: - M365-identity-device-management - highpri -ms.topic: article -ms.localizationpriority: medium ms.date: 10/23/2017 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Why a PIN is better than an online password -Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password? -On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password. +Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password? +On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password. Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than an online password. diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md index a446e2b52f..6d5ad8dea5 100644 --- a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md +++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md @@ -1,16 +1,10 @@ --- title: Microsoft-compatible security key description: Learn how a Microsoft-compatible security key for Windows is different (and better) than any other FIDO2 security key. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 11/14/2018 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # What is a Microsoft-compatible security key? diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 5c2b1147af..a18a0b3aeb 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -1,24 +1,15 @@ --- title: Password-less strategy description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10 and Windows 11. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management ms.topic: conceptual -localizationpriority: medium ms.date: 05/24/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later --- # Password-less strategy -This article describes Windows' password-less strategy. Learn how Windows Hello for Business implements this strategy in Windows 10 and Windows 11. +This article describes Windows' password-less strategy and how Windows Hello for Business implements this strategy. ## Four steps to password freedom @@ -309,7 +300,7 @@ The following image shows the SCRIL setting for a user in Active Directory Users :::image type="content" source="images/passwordless/aduc-account-scril.png" alt-text="Example user properties in Active Directory that shows the SCRIL setting on Account options."::: -When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level don't expire. The users are effectively password-less because: +When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Users will no longer need to change their password when it expires, because passwords for SCRIL users don't expire. The users are effectively password-less because: - They don't know their password. - Their password is 128 random bits of data and is likely to include non-typable characters. diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md index bf8a6a57bf..366a317f73 100644 --- a/windows/security/identity-protection/hello-for-business/reset-security-key.md +++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md @@ -1,16 +1,10 @@ --- title: Reset-security-key description: Windows 10 and Windows 11 enables users to sign in to their device using a security key. How to reset a security key -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 11/14/2018 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # How to reset a Microsoft-compatible security key? > [!Warning] diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index 4653d23331..5aa1fcad6a 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md @@ -1,17 +1,11 @@ --- title: How Windows Hello for Business works (Windows) description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business. -ms.prod: windows-client -ms.localizationpriority: high -author: paolomatarazzo -ms.author: paoloma ms.date: 10/16/2017 -manager: aaroncz -ms.topic: article appliesto: - ✅ Windows 10 - ✅ Windows 11 -ms.technology: itpro-security +ms.topic: article --- # How Windows Hello for Business works in Windows devices diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 2c22050ab0..502a196109 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -1,13 +1,11 @@ - name: Windows Hello for Business documentation href: index.yml -- name: Overview - items: - - name: Windows Hello for Business Overview - href: hello-overview.md - name: Concepts expanded: true items: - - name: Passwordless Strategy + - name: Windows Hello for Business overview + href: hello-overview.md + - name: Passwordless strategy href: passwordless-strategy.md - name: Why a PIN is better than a password href: hello-why-pin-is-better-than-password.md @@ -15,129 +13,160 @@ href: hello-biometrics-in-enterprise.md - name: How Windows Hello for Business works href: hello-how-it-works.md - - name: Technical Deep Dive - items: - - name: Provisioning - href: hello-how-it-works-provisioning.md - - name: Authentication - href: hello-how-it-works-authentication.md - - name: WebAuthn APIs - href: webauthn-apis.md -- name: How-to Guides +- name: Deployment guides items: - - name: Windows Hello for Business Deployment Overview + - name: Windows Hello for Business deployment overview href: hello-deployment-guide.md - - name: Planning a Windows Hello for Business Deployment + - name: Planning a Windows Hello for Business deployment href: hello-planning-guide.md - - name: Deployment Prerequisite Overview + - name: Deployment prerequisite overview href: hello-identity-verification.md - - name: Prepare people to use Windows Hello - href: hello-prepare-people-to-use.md - - name: Deployment Guides + - name: Cloud-only deployment + href: hello-aad-join-cloud-only-deploy.md + - name: Hybrid deployments items: - - name: Hybrid Cloud Kerberos Trust Deployment + - name: Cloud Kerberos trust deployment href: hello-hybrid-cloud-kerberos-trust.md - - name: Hybrid Azure AD Joined Key Trust + - name: Key trust deployment items: - - name: Hybrid Azure AD Joined Key Trust Deployment + - name: Overview href: hello-hybrid-key-trust.md - name: Prerequisites href: hello-hybrid-key-trust-prereqs.md - - name: New Installation Baseline + - name: New installation baseline href: hello-hybrid-key-new-install.md - - name: Configure Directory Synchronization + - name: Configure directory synchronization href: hello-hybrid-key-trust-dirsync.md - - name: Configure Azure Device Registration + - name: Configure Azure AD device registration href: hello-hybrid-key-trust-devreg.md - name: Configure Windows Hello for Business settings - href: hello-hybrid-key-whfb-settings.md - - name: Sign-in and Provisioning + items: + - name: Overview + href: hello-hybrid-key-whfb-settings.md + - name: Configure Active Directory + href: hello-hybrid-key-whfb-settings-ad.md + - name: Configure Azure AD Connect Sync + href: hello-hybrid-key-whfb-settings-dir-sync.md + - name: Configure PKI + href: hello-hybrid-key-whfb-settings-pki.md + - name: Configure Group Policy settings + href: hello-hybrid-key-whfb-settings-policy.md + - name: Sign-in and provision Windows Hello for Business href: hello-hybrid-key-whfb-provision.md - - name: Hybrid Azure AD Joined Certificate Trust + - name: On-premises SSO for Azure AD joined devices + href: hello-hybrid-aadj-sso.md + - name: Configure Azure AD joined devices for on-premises SSO + href: hello-hybrid-aadj-sso-base.md + - name: Certificate trust deployment items: - - name: Hybrid Azure AD Joined Certificate Trust Deployment + - name: Overview href: hello-hybrid-cert-trust.md - name: Prerequisites href: hello-hybrid-cert-trust-prereqs.md - - name: New Installation Baseline + - name: New installation baseline href: hello-hybrid-cert-new-install.md - - name: Configure Azure Device Registration + - name: Configure Azure AD device registration href: hello-hybrid-cert-trust-devreg.md - name: Configure Windows Hello for Business settings - href: hello-hybrid-cert-whfb-settings.md - - name: Sign-in and Provisioning + items: + - name: Overview + href: hello-hybrid-cert-whfb-settings.md + - name: Configure Active Directory + href: hello-hybrid-cert-whfb-settings-ad.md + - name: Configure Azure AD Connect Sync + href: hello-hybrid-cert-whfb-settings-dir-sync.md + - name: Configure PKI + href: hello-hybrid-cert-whfb-settings-pki.md + - name: Configure AD FS + href: hello-hybrid-cert-whfb-settings-adfs.md + - name: Configure Group Policy settings + href: hello-hybrid-cert-whfb-settings-policy.md + - name: Sign-in and provision Windows Hello for Business href: hello-hybrid-cert-whfb-provision.md - - name: On-premises SSO for Azure AD Joined Devices - items: - - name: On-premises SSO for Azure AD Joined Devices Deployment + - name: On-premises SSO for Azure AD joined devices href: hello-hybrid-aadj-sso.md - - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business + - name: Configure Azure AD joined devices for on-premises SSO href: hello-hybrid-aadj-sso-base.md - - name: Using Certificates for AADJ On-premises Single-sign On + - name: Using certificates for on-premises SSO href: hello-hybrid-aadj-sso-cert.md - - name: On-premises Key Trust + - name: Planning for Domain Controller load + href: hello-adequate-domain-controllers.md + - name: On-premises deployments + items: + - name: Key trust deployment items: - - name: On-premises Key Trust Deployment + - name: Overview href: hello-deployment-key-trust.md - - name: Validate Active Directory Prerequisites + - name: Validate Active Directory prerequisites href: hello-key-trust-validate-ad-prereq.md - - name: Validate and Configure Public Key Infrastructure + - name: Validate and configure Public Key Infrastructure (PKI) href: hello-key-trust-validate-pki.md - - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + - name: Prepare and deploy Active Directory Federation Services (AD FS) href: hello-key-trust-adfs.md - - name: Validate and Deploy Multi-factor Authentication (MFA) Services + - name: Validate and deploy multi-factor authentication (MFA) services href: hello-key-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: hello-key-trust-policy-settings.md - - name: On-premises Certificate Trust + - name: Certificate trust deployment items: - - name: On-premises Certificate Trust Deployment + - name: Overview href: hello-deployment-cert-trust.md - - name: Validate Active Directory Prerequisites + - name: Validate Active Directory prerequisites href: hello-cert-trust-validate-ad-prereq.md - - name: Validate and Configure Public Key Infrastructure + - name: Validate and configure Public Key Infrastructure (PKI) href: hello-cert-trust-validate-pki.md - - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + - name: Prepare and Deploy Active Directory Federation Services (AD FS) href: hello-cert-trust-adfs.md - - name: Validate and Deploy Multi-factor Authentication (MFA) Services + - name: Validate and deploy multi-factor authentication (MFA) services href: hello-cert-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: hello-cert-trust-policy-settings.md - - name: Azure AD join cloud only deployment - href: hello-aad-join-cloud-only-deploy.md - - name: Managing Windows Hello for Business in your organization - href: hello-manage-in-organization.md - - name: Deploying Certificates to Key Trust Users to Enable RDP - href: hello-deployment-rdp-certs.md - - name: Windows Hello for Business Features - items: - - name: Conditional Access - href: hello-feature-conditional-access.md - - name: PIN Reset - href: hello-feature-pin-reset.md - - name: Dual Enrollment - href: hello-feature-dual-enrollment.md - - name: Dynamic Lock - href: hello-feature-dynamic-lock.md - - name: Multi-factor Unlock - href: feature-multifactor-unlock.md - - name: Remote Desktop - href: hello-feature-remote-desktop.md - - name: Troubleshooting - items: - - name: Known Deployment Issues - href: hello-deployment-issues.md - - name: Errors During PIN Creation - href: hello-errors-during-pin-creation.md - - name: Event ID 300 - Windows Hello successfully created - href: hello-event-300.md - - name: Windows Hello and password changes - href: hello-and-password-changes.md + - name: Planning for Domain Controller load + href: hello-adequate-domain-controllers.md + - name: Deploy certificates for remote desktop (RDP) sign-in + href: hello-deployment-rdp-certs.md +- name: How-to Guides + items: + - name: Prepare people to use Windows Hello + href: hello-prepare-people-to-use.md + - name: Manage Windows Hello for Business in your organization + href: hello-manage-in-organization.md +- name: Windows Hello for Business features + items: + - name: Conditional access + href: hello-feature-conditional-access.md + - name: PIN Reset + href: hello-feature-pin-reset.md + - name: Dual Enrollment + href: hello-feature-dual-enrollment.md + - name: Dynamic Lock + href: hello-feature-dynamic-lock.md + - name: Multi-factor Unlock + href: feature-multifactor-unlock.md + - name: Remote desktop (RDP) sign-in + href: hello-feature-remote-desktop.md +- name: Troubleshooting + items: + - name: Known deployment issues + href: hello-deployment-issues.md + - name: Errors during PIN creation + href: hello-errors-during-pin-creation.md + - name: Event ID 300 - Windows Hello successfully created + href: hello-event-300.md + - name: Windows Hello and password changes + href: hello-and-password-changes.md - name: Reference items: - - name: Technology and Terminology + - name: How Windows Hello for Business provisioning works + href: hello-how-it-works-provisioning.md + - name: How Windows Hello for Business authentication works + href: hello-how-it-works-authentication.md + - name: WebAuthn APIs + href: webauthn-apis.md + - name: Technology and terminology href: hello-how-it-works-technology.md - name: Frequently Asked Questions (FAQ) href: hello-faq.yml - name: Windows Hello for Business videos href: hello-videos.md + diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md index afac158d28..534fddf6ee 100644 --- a/windows/security/identity-protection/hello-for-business/webauthn-apis.md +++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md @@ -1,19 +1,10 @@ --- title: WebAuthn APIs description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 09/15/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # WebAuthn APIs for passwordless authentication on Windows diff --git a/windows/security/includes/hello-cloud.md b/windows/security/includes/hello-cloud.md new file mode 100644 index 0000000000..c40ed1027c --- /dev/null +++ b/windows/security/includes/hello-cloud.md @@ -0,0 +1,7 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [cloud](../identity-protection/hello-for-business/hello-how-it-works-technology.md#cloud-deployment)\ +✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join) + +
    + +--- diff --git a/windows/security/includes/hello-hybrid-cert-trust-aad.md b/windows/security/includes/hello-hybrid-cert-trust-aad.md new file mode 100644 index 0000000000..e80912d8b9 --- /dev/null +++ b/windows/security/includes/hello-hybrid-cert-trust-aad.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ +✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join) + +
    + +--- diff --git a/windows/security/includes/hello-hybrid-cert-trust-ad.md b/windows/security/includes/hello-hybrid-cert-trust-ad.md new file mode 100644 index 0000000000..4ef97bd233 --- /dev/null +++ b/windows/security/includes/hello-hybrid-cert-trust-ad.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ +✅ **Device registration type:** [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) + +
    + +--- diff --git a/windows/security/includes/hello-hybrid-cert-trust.md b/windows/security/includes/hello-hybrid-cert-trust.md new file mode 100644 index 0000000000..77a897f264 --- /dev/null +++ b/windows/security/includes/hello-hybrid-cert-trust.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ +✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) + +
    + +--- diff --git a/windows/security/includes/hello-hybrid-cloudkerb-trust.md b/windows/security/includes/hello-hybrid-cloudkerb-trust.md new file mode 100644 index 0000000000..4f68be791b --- /dev/null +++ b/windows/security/includes/hello-hybrid-cloudkerb-trust.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [cloud Kerberos trust](../identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md)\ +✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) + +
    + +--- diff --git a/windows/security/includes/hello-hybrid-key-trust-ad.md b/windows/security/includes/hello-hybrid-key-trust-ad.md new file mode 100644 index 0000000000..68521a5a14 --- /dev/null +++ b/windows/security/includes/hello-hybrid-key-trust-ad.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust)\ +✅ **Device registration type:** [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) + +
    + +--- diff --git a/windows/security/includes/hello-hybrid-key-trust.md b/windows/security/includes/hello-hybrid-key-trust.md new file mode 100644 index 0000000000..fdb7466014 --- /dev/null +++ b/windows/security/includes/hello-hybrid-key-trust.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust)\ +✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) + +
    + +--- diff --git a/windows/security/includes/hello-hybrid-keycert-trust-aad.md b/windows/security/includes/hello-hybrid-keycert-trust-aad.md new file mode 100644 index 0000000000..a8d82200d3 --- /dev/null +++ b/windows/security/includes/hello-hybrid-keycert-trust-aad.md @@ -0,0 +1,7 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust), [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ +✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join) +
    + +--- diff --git a/windows/security/includes/hello-on-premises-cert-trust.md b/windows/security/includes/hello-on-premises-cert-trust.md new file mode 100644 index 0000000000..2cc01ac3ac --- /dev/null +++ b/windows/security/includes/hello-on-premises-cert-trust.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [on-premises](../identity-protection/hello-for-business/hello-how-it-works-technology.md#on-premises-deployment)\ +✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ +✅ **Device registration type:** Active Directory domain join + +
    + +--- diff --git a/windows/security/includes/hello-on-premises-key-trust.md b/windows/security/includes/hello-on-premises-key-trust.md new file mode 100644 index 0000000000..cd6241fa72 --- /dev/null +++ b/windows/security/includes/hello-on-premises-key-trust.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [on-premises](../identity-protection/hello-for-business/hello-how-it-works-technology.md#on-premises-deployment)\ +✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust)\ +✅ **Device registration type:** Active Directory domain join + +
    + +--- diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml index 715efe3b61..6b2f45605c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml @@ -3,8 +3,8 @@ metadata: title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10) description: Learn more about how BitLocker and Active Directory Domain Services (AD DS) can work together to keep devices secure. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml index 114aaf78b1..37e6318217 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml @@ -4,7 +4,8 @@ metadata: description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?" ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml index 6e5641e175..353a01de5b 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml @@ -4,7 +4,8 @@ metadata: description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml index 4ab3545f1c..ed40610b48 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml @@ -3,8 +3,8 @@ metadata: title: BitLocker Key Management FAQ (Windows 10) description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml index a9ce4e3c24..697e19e565 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml @@ -2,7 +2,8 @@ metadata: title: BitLocker Network Unlock FAQ (Windows 10) description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments. - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml index 523a647b0c..cb38246cbc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml @@ -3,8 +3,8 @@ metadata: title: BitLocker overview and requirements FAQ (Windows 10) description: This article for IT professionals answers frequently asked questions concerning the requirements to use BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml index 6a6cdc9974..e9cb42a381 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml @@ -3,8 +3,8 @@ metadata: title: BitLocker Security FAQ (Windows 10) description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?" ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml index a1532c98f9..1045a942fe 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml @@ -3,9 +3,9 @@ metadata: title: BitLocker To Go FAQ (Windows 10) description: "Learn more about BitLocker To Go" ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: + ms.prod: windows-client + ms.technology: itpro-security ms.author: frankroj - ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml index f0557ad08a..ea7c705f38 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml @@ -2,7 +2,8 @@ metadata: title: BitLocker Upgrading FAQ (Windows 10) description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?" - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml index 8d97492f5a..e688d0fd10 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml @@ -3,8 +3,8 @@ metadata: title: Using BitLocker with other programs FAQ (Windows 10) description: Learn how to integrate BitLocker with other software on a device. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 3de0d6acc5..2416040af7 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -14,7 +14,7 @@ ms.author: vinpa ms.technology: itpro-security --- -# 4688(S): A new process has been created. +# 4688(S): A new process has been created. (Windows 10) Event 4688 illustration diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 314595bed9..b322223819 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -52,7 +52,7 @@ HVCI is labeled **Memory integrity** in the Windows Security app and it can be a ### Enable HVCI using Intune -Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](/windows/client-management/mdm/applocker-csp). +Enabling in Intune requires using the Code Integrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology). You can configure the settings in Windows by using the [settings catalog](/mem/intune/configuration/settings-catalog). ### Enable HVCI using Group Policy @@ -204,9 +204,6 @@ Windows 10, Windows 11, and Windows Server 2016 have a WMI class for related pro Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard ``` -> [!NOTE] -> The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10 and Windows 11. - > [!NOTE] > Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and Windows 11 version 21H2. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 7118a806da..e9a396f602 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -2,17 +2,17 @@ metadata: title: FAQ - Microsoft Defender Application Guard (Windows 10) description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. - ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium - author: denisebmsft - ms.author: deniseb + ms.prod: windows-client + ms.technology: itpro-security + author: vinaypamnani-msft + ms.author: vinpa ms.reviewer: manager: aaroncz ms.custom: asr - ms.technology: windows-sec ms.topic: faq title: Frequently asked questions - Microsoft Defender Application Guard summary: | diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md index 4c6c5ddd2d..39110f95c1 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md @@ -33,9 +33,9 @@ The **Microsoft network server: Amount of idle time required before suspending s ### Possible values -- A user-defined number of minutes from 0 through 99,999 +- A user-defined number of minutes from 0 through 99,999. - For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days. In effect, this value disables the policy. + For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999 (8 business hours per day), which is 208 days. In effect, this value disables the policy. - Not defined diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index 3781352906..fb87a0fd40 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -30,7 +30,7 @@ Describes the best practices, location, values, and security considerations for The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements: -1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks aren't case-sensitive. +1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither of these checks is case-sensitive. The samAccountName is checked in its entirety only to determine whether it's part of the password. If the samAccountName is fewer than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren't checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it's ignored. So, this user couldn't have a password that included either "erin" or "hagens" as a substring anywhere in the password. diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md index 89e08b0200..cae3c81088 100644 --- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md +++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md @@ -43,6 +43,8 @@ To complete this procedure, you must be a member of the Domain Administrators gr 4. In the navigation pane, right-click **Group Policy Objects** again, and then click **Paste**. + :::image type="content" alt-text="Screenshot that shows Copy Paste GPO." source="images/grouppolicy-paste.png"::: + 5. In the **Copy GPO** dialog box, click **Preserve the existing permissions**, and then click **OK**. Selecting this option preserves any exception groups to which you denied Read and Apply GPO permissions, making the change simpler. 6. After the copy is complete, click **OK**. The new GPO is named **Copy of** *original GPO name*. diff --git a/windows/security/threat-protection/windows-firewall/images/grouppolicy-paste.png b/windows/security/threat-protection/windows-firewall/images/grouppolicy-paste.png new file mode 100644 index 0000000000..ba2de148f1 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/grouppolicy-paste.png differ diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 7f5b3c7832..58fb302ed7 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md @@ -229,12 +229,14 @@ With the Visual Studio Code installer script already mapped into the sandbox, th ### VSCodeInstall.cmd +Download vscode to `downloads` folder and run from `downloads` folder + ```batch REM Download Visual Studio Code -curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe +curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Downloads\vscode.exe REM Install and run Visual Studio Code -C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes +C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes ``` ### VSCode.wsb @@ -244,15 +246,17 @@ C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes C:\SandboxScripts + C:\Users\WDAGUtilityAccount\Downloads\sandbox true C:\CodingProjects + C:\Users\WDAGUtilityAccount\Documents\Projects false - C:\Users\WDAGUtilityAccount\Desktop\SandboxScripts\VSCodeInstall.cmd + C:\Users\WDAGUtilityAccount\Downloads\sandbox\VSCodeInstall.cmd ``` diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index cbb7d6dbb6..e72a69b1d0 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -84,7 +84,7 @@ The following configuration requirements apply to VMs running Windows 11. - Generation: 2 \* - Storage: 64 GB or greater - Security: - - Azure: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM and secure boot enabled + - Azure: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM enabled - Hyper-V: [Secure boot and TPM enabled](/windows-server/virtualization/hyper-v/learn-more/Generation-2-virtual-machine-security-settings-for-Hyper-V#secure-boot-setting-in-hyper-v-manager) - General settings: Secure boot capable, virtual TPM enabled - Memory: 4 GB or greater