deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-18 00:07:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr

Browse Source
This commit is contained in:
Nidhi Doshi 2024-10-02 13:49:37 -07:00
commit e07829a847
346 changed files with 11373 additions and 6097 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/Stale.yml vendored
View File

@ -13,7 +13,7 @@ jobs:
stale:
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-Stale.yml@workflows-prod
with:
RunDebug: true
RunDebug: false
RepoVisibility: ${{ github.repository_visibility }}
secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }}

4631
.openpublishing.redirection.windows-security.json
View File

File diff suppressed because it is too large Load Diff

6
includes/licensing/windows-defender-application-control-wdac.md
View File

@ -1,19 +1,19 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 09/18/2023
ms.date: 09/23/2024
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Windows Defender Application Control (WDAC):
The following table lists the Windows editions that support App Control for Business:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Windows Defender Application Control (WDAC) license entitlements are granted by the following licenses:
App Control license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|

2
windows/application-management/index.yml
View File

@ -9,7 +9,7 @@ metadata:
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 06/28/2024
ms.date: 09/27/2024
ms.topic: landing-page
ms.service: windows-client
ms.subservice: itpro-apps

20
windows/application-management/per-user-services-in-windows.md
View File

@ -4,7 +4,7 @@ description: Learn about per-user services, how to change the template service s
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 12/22/2023
ms.date: 10/01/2024
ms.topic: how-to
ms.service: windows-client
ms.subservice: itpro-apps
@ -229,14 +229,14 @@ If you can't use group policy preferences to manage the per-user services, you c
1. The following example includes multiple commands that disable the specified Windows services by changing their **Start** value in the Windows Registry to `4`:
```cmd
REG.EXE ADD HKLM\System\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\OneSyncSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\UnistoreSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\UserDataSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t REG_DWORD /d 4 /f
```
```cmd
REG.EXE ADD HKLM\System\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\OneSyncSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\UnistoreSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\UserDataSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t REG_DWORD /d 4 /f
```
#### Example 2: Use the Registry Editor user interface to edit the registry
@ -248,7 +248,7 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE
1. Change the **Value data** to `4`.
:::image type="content" source="media/regedit-change-service-startup-type.png" alt-text="Screenshot of the Registry Editor open to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPSvc and highlighting the Start value set to 4.":::
:::image type="content" source="media/regedit-change-service-startup-type.png" alt-text="Screenshot of the Registry Editor open to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPSvc and highlighting the Start value set to 4.":::
#### Example 3: Prevent the creation of per-user services

2
windows/application-management/sideload-apps-in-windows.md
View File

@ -4,7 +4,7 @@ description: Learn how to sideload line-of-business (LOB) apps in Windows client
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 12/22/2023
ms.date: 09/27/2024
ms.topic: how-to
ms.service: windows-client
ms.subservice: itpro-apps

8
windows/client-management/mdm/applicationcontrol-csp.md
View File

@ -11,9 +11,9 @@ ms.date: 01/31/2024
<!-- ApplicationControl-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for policy deployment (introduced in Windows 10, version 1709) without reboot. Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.
App Control for Business policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/application-security/application-control/app-control-for-business/design/deploy-multiple-appcontrol-policies) (introduced in Windows 10, version 1903). It also provides support for policy deployment (introduced in Windows 10, version 1709) without reboot. Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.
Existing Windows Defender Application Control (WDAC) policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment using the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
Existing App Control for Business policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although App Control policy deployment using the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
<!-- ApplicationControl-Editable-End -->
<!-- ApplicationControl-Tree-Begin -->
@ -861,7 +861,7 @@ The following table provides the result of this policy based on different values
## Microsoft Intune Usage Guidance
For customers using Intune standalone or hybrid management with Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
For customers using Intune standalone or hybrid management with Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy App Control for Business policies by using Microsoft Intune](/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-intune).
## Generic MDM Server Usage Guidance
@ -1014,7 +1014,7 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Co
### Setup for using the WMI Bridge
1. Convert your WDAC policy to Base64.
1. Convert your App Control policy to Base64.
2. Open PowerShell in Local System context (through PSExec or something similar).
3. Use WMI Interface:

6
windows/client-management/mdm/clouddesktop-ddf-file.md
View File

@ -1,7 +1,7 @@
---
title: CloudDesktop DDF file
description: View the XML file containing the device description framework (DDF) for the CloudDesktop configuration service provider.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the C
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>2.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
@ -139,7 +139,7 @@ The following XML file contains the device description framework (DDF) for the C
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.22621.3374</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>

4
windows/client-management/mdm/configuration-service-provider-ddf.md
View File

@ -13,7 +13,7 @@ This article lists the OMA DM device description framework (DDF) files for vario
As of December 2022, DDF XML schema was updated to include additional information such as OS build applicability. DDF v2 XML files for Windows 10 and Windows 11 are combined, and provided in a single download:
- [DDF v2 Files, May 2024](https://download.microsoft.com/download/f/6/1/f61445f7-1d38-45f7-bc8c-609b86e4aabc/DDFv2May24.zip)
- [DDF v2 Files, September 2024](https://download.microsoft.com/download/a/a/a/aaadc008-67d4-4dcd-b864-70c479baf7d6/DDFv2September24.zip)
## DDF v2 schema
@ -574,7 +574,7 @@ DDF v2 XML schema definition is listed below along with the schema definition fo
## Older DDF files
You can download the older DDF files for various CSPs from the links below:
- [Download all the DDF files for Windows 10 and 11 May 2024](https://download.microsoft.com/download/f/6/1/f61445f7-1d38-45f7-bc8c-609b86e4aabc/DDFv2May24.zip)
- [Download all the DDF files for Windows 10 and 11 September 2023](https://download.microsoft.com/download/0/e/c/0ec027e5-8971-49a2-9230-ec9352bc3ead/DDFv2September2023.zip)
- [Download all the DDF files for Windows 10 and 11 December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip)
- [Download all the DDF files for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/Windows10_2004_DDF_download.zip)

6
windows/client-management/mdm/defender-csp.md
View File

@ -1,7 +1,7 @@
---
title: Defender CSP
description: Learn more about the Defender CSP.
ms.date: 06/21/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -1289,7 +1289,7 @@ Define data duplication remote location for Device Control. When configuring thi
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Description-Begin -->
<!-- Description-Source-DDF -->
Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 25 days when enabled.
Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 30 days when enabled.
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Description-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Editable-Begin -->
@ -1304,7 +1304,7 @@ Configure how many days can pass before an aggressive quick scan is triggered. T
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[7-60]` |
| Default Value | 25 |
| Default Value | 30 |
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-DFProperties-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Examples-Begin -->

6
windows/client-management/mdm/defender-ddf.md
View File

@ -1,7 +1,7 @@
---
title: Defender DDF file
description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider.
ms.date: 06/28/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -2373,8 +2373,8 @@ The following XML file contains the device description framework (DDF) for the D
<Get />
<Replace />
</AccessType>
<DefaultValue>25</DefaultValue>
<Description>Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 25 days when enabled.</Description>
<DefaultValue>30</DefaultValue>
<Description>Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 30 days when enabled.</Description>
<DFFormat>
<int />
</DFFormat>

4
windows/client-management/mdm/firewall-csp.md
View File

@ -1,7 +1,7 @@
---
title: Firewall CSP
description: Learn more about the Firewall CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -2221,7 +2221,7 @@ Specifies the friendly name of the firewall rule.
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Description-Begin -->
<!-- Description-Source-DDF -->
Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ""., and "_". A PolicyAppId and ServiceName can't be specified in the same rule.
Specifies one App Control tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ""., and "_". A PolicyAppId and ServiceName can't be specified in the same rule.
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Description-End -->
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Editable-Begin -->

16
windows/client-management/mdm/laps-csp.md
View File

@ -1,7 +1,7 @@
---
title: LAPS CSP
description: Learn more about the LAPS CSP.
ms.date: 06/21/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 06/21/2024
<!-- LAPS-Begin -->
# LAPS CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- LAPS-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings).
@ -432,7 +430,7 @@ If the specified user or group account is invalid the device will fallback to us
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-OmaUri-Begin -->
@ -488,7 +486,7 @@ If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementEnabled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Device-Policies-AutomaticAccountManagementEnabled-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-OmaUri-Begin -->
@ -543,7 +541,7 @@ If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-OmaUri-Begin -->
@ -587,7 +585,7 @@ If not specified, this setting will default to "WLapsAdmin".
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-OmaUri-Begin -->
@ -643,7 +641,7 @@ If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementTarget-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Device-Policies-AutomaticAccountManagementTarget-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-OmaUri-Begin -->
@ -759,7 +757,7 @@ If not specified, this setting will default to 0.
<!-- Device-Policies-PassphraseLength-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Device-Policies-PassphraseLength-Applicability-End -->
<!-- Device-Policies-PassphraseLength-OmaUri-Begin -->

14
windows/client-management/mdm/laps-ddf-file.md
View File

@ -1,7 +1,7 @@
---
title: LAPS DDF file
description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider.
ms.date: 06/28/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -327,7 +327,7 @@ This setting has a maximum allowed value of 10 words.</Description>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Range">
@ -690,7 +690,7 @@ If not specified, this setting defaults to False.</Description>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
@ -736,7 +736,7 @@ If not specified, this setting will default to 1.</Description>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
@ -791,7 +791,7 @@ If not specified, this setting will default to "WLapsAdmin".</Description>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:DependencyBehavior>
@ -839,7 +839,7 @@ If not specified, this setting defaults to False.</Description>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
@ -897,7 +897,7 @@ If not specified, this setting defaults to False.</Description>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">

4
windows/client-management/mdm/personalization-ddf.md
View File

@ -1,7 +1,7 @@
---
title: Personalization DDF file
description: View the XML file containing the device description framework (DDF) for the Personalization configuration service provider.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the P
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>

1
windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
View File

@ -137,7 +137,6 @@ ms.date: 02/03/2023
- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#configuredeadlineforfeatureupdates) <sup>11</sup>
- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#configuredeadlineforqualityupdates) <sup>11</sup>
- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#configuredeadlinegraceperiod) <sup>11</sup>
- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#configuredeadlinenoautoreboot) <sup>11</sup>
- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#deferfeatureupdatesperiodindays)
- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#deferqualityupdatesperiodindays)
- [Update/ManagePreviewBuilds](policy-csp-update.md#managepreviewbuilds)

169
windows/client-management/mdm/policies-in-preview.md
View File

@ -1,7 +1,7 @@
---
title: Configuration service provider preview policies
description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
ms.date: 09/11/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -17,6 +17,7 @@ This article lists the policies that are applicable for Windows Insider Preview
- [TurnOffInstallTracing](policy-csp-appdeviceinventory.md#turnoffinstalltracing)
- [TurnOffAPISamping](policy-csp-appdeviceinventory.md#turnoffapisamping)
- [TurnOffApplicationFootprint](policy-csp-appdeviceinventory.md#turnoffapplicationfootprint)
- [TurnOffWin32AppBackup](policy-csp-appdeviceinventory.md#turnoffwin32appbackup)
## ClientCertificateInstall CSP
@ -28,15 +29,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [EnablePhysicalDeviceAccessOnErrorScreens](clouddesktop-csp.md#userenablephysicaldeviceaccessonerrorscreens)
- [EnableBootToCloudSharedPCMode](clouddesktop-csp.md#deviceenableboottocloudsharedpcmode)
## Cryptography
- [ConfigureEllipticCurveCryptography](policy-csp-cryptography.md#configureellipticcurvecryptography)
- [ConfigureSystemCryptographyForceStrongKeyProtection](policy-csp-cryptography.md#configuresystemcryptographyforcestrongkeyprotection)
- [OverrideMinimumEnabledTLSVersionClient](policy-csp-cryptography.md#overrideminimumenabledtlsversionclient)
- [OverrideMinimumEnabledTLSVersionServer](policy-csp-cryptography.md#overrideminimumenabledtlsversionserver)
- [OverrideMinimumEnabledDTLSVersionClient](policy-csp-cryptography.md#overrideminimumenableddtlsversionclient)
- [OverrideMinimumEnabledDTLSVersionServer](policy-csp-cryptography.md#overrideminimumenableddtlsversionserver)
## DeclaredConfiguration CSP
- [Document](declaredconfiguration-csp.md#hostcompletedocumentsdociddocument)
@ -47,23 +39,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md#dodisallowcacheserverdownloadsonvpn)
- [DOVpnKeywords](policy-csp-deliveryoptimization.md#dovpnkeywords)
## DesktopAppInstaller
- [EnableWindowsPackageManagerCommandLineInterfaces](policy-csp-desktopappinstaller.md#enablewindowspackagemanagercommandlineinterfaces)
- [EnableWindowsPackageManagerConfiguration](policy-csp-desktopappinstaller.md#enablewindowspackagemanagerconfiguration)
## DeviceLock
- [MaximumPasswordAge](policy-csp-devicelock.md#maximumpasswordage)
- [ClearTextPassword](policy-csp-devicelock.md#cleartextpassword)
- [PasswordComplexity](policy-csp-devicelock.md#passwordcomplexity)
- [PasswordHistorySize](policy-csp-devicelock.md#passwordhistorysize)
- [AccountLockoutPolicy](policy-csp-devicelock.md#accountlockoutpolicy)
- [AllowAdministratorLockout](policy-csp-devicelock.md#allowadministratorlockout)
- [MinimumPasswordLength](policy-csp-devicelock.md#minimumpasswordlength)
- [MinimumPasswordLengthAudit](policy-csp-devicelock.md#minimumpasswordlengthaudit)
- [RelaxMinimumPasswordLengthLimits](policy-csp-devicelock.md#relaxminimumpasswordlengthlimits)
## DevicePreparation CSP
- [PageEnabled](devicepreparation-csp.md#pageenabled)
@ -84,12 +59,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [Cadence](dmclient-csp.md#deviceproviderprovideridconfigrefreshcadence)
- [PausePeriod](dmclient-csp.md#deviceproviderprovideridconfigrefreshpauseperiod)
## Experience
- [AllowScreenRecorder](policy-csp-experience.md#allowscreenrecorder)
- [EnableOrganizationalMessages](policy-csp-experience.md#enableorganizationalmessages)
- [DisableTextTranslation](policy-csp-experience.md#disabletexttranslation)
## FileSystem
- [EnableDevDrive](policy-csp-filesystem.md#enabledevdrive)
@ -99,13 +68,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [AttestErrorMessage](healthattestation-csp.md#attesterrormessage)
## HumanPresence
- [ForceDisableWakeWhenBatterySaverOn](policy-csp-humanpresence.md#forcedisablewakewhenbatterysaveron)
- [ForceAllowWakeWhenExternalDisplayConnected](policy-csp-humanpresence.md#forceallowwakewhenexternaldisplayconnected)
- [ForceAllowLockWhenExternalDisplayConnected](policy-csp-humanpresence.md#forceallowlockwhenexternaldisplayconnected)
- [ForceAllowDimWhenExternalDisplayConnected](policy-csp-humanpresence.md#forceallowdimwhenexternaldisplayconnected)
## InternetExplorer
- [AllowLegacyURLFields](policy-csp-internetexplorer.md#allowlegacyurlfields)
@ -121,49 +83,8 @@ This article lists the policies that are applicable for Windows Insider Preview
- [StartInstallation](language-pack-management-csp.md#installlanguage-idstartinstallation)
- [SystemPreferredUILanguages](language-pack-management-csp.md#languagesettingssystempreferreduilanguages)
## LAPS CSP
- [PassphraseLength](laps-csp.md#policiespassphraselength)
- [AutomaticAccountManagementEnabled](laps-csp.md#policiesautomaticaccountmanagementenabled)
- [AutomaticAccountManagementTarget](laps-csp.md#policiesautomaticaccountmanagementtarget)
- [AutomaticAccountManagementNameOrPrefix](laps-csp.md#policiesautomaticaccountmanagementnameorprefix)
- [AutomaticAccountManagementEnableAccount](laps-csp.md#policiesautomaticaccountmanagementenableaccount)
- [AutomaticAccountManagementRandomizeName](laps-csp.md#policiesautomaticaccountmanagementrandomizename)
## LocalPoliciesSecurityOptions
- [Audit_AuditTheUseOfBackupAndRestoreprivilege](policy-csp-localpoliciessecurityoptions.md#audit_audittheuseofbackupandrestoreprivilege)
- [Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings](policy-csp-localpoliciessecurityoptions.md#audit_forceauditpolicysubcategorysettingstooverrideauditpolicycategorysettings)
- [Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits](policy-csp-localpoliciessecurityoptions.md#audit_shutdownsystemimmediatelyifunabletologsecurityaudits)
- [Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md#devices_restrictfloppyaccesstolocallyloggedonuseronly)
- [DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](policy-csp-localpoliciessecurityoptions.md#domainmember_digitallyencryptorsignsecurechanneldataalways)
- [DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md#domainmember_digitallyencryptsecurechanneldatawhenpossible)
- [DomainMember_DigitallySignSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md#domainmember_digitallysignsecurechanneldatawhenpossible)
- [DomainMember_DisableMachineAccountPasswordChanges](policy-csp-localpoliciessecurityoptions.md#domainmember_disablemachineaccountpasswordchanges)
- [DomainMember_MaximumMachineAccountPasswordAge](policy-csp-localpoliciessecurityoptions.md#domainmember_maximummachineaccountpasswordage)
- [DomainMember_RequireStrongSessionKey](policy-csp-localpoliciessecurityoptions.md#domainmember_requirestrongsessionkey)
- [InteractiveLogon_MachineAccountLockoutThreshold](policy-csp-localpoliciessecurityoptions.md#interactivelogon_machineaccountlockoutthreshold)
- [InteractiveLogon_NumberOfPreviousLogonsToCache](policy-csp-localpoliciessecurityoptions.md#interactivelogon_numberofpreviouslogonstocache)
- [InteractiveLogon_PromptUserToChangePasswordBeforeExpiration](policy-csp-localpoliciessecurityoptions.md#interactivelogon_promptusertochangepasswordbeforeexpiration)
- [MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](policy-csp-localpoliciessecurityoptions.md#microsoftnetworkserver_amountofidletimerequiredbeforesuspendingsession)
- [MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire](policy-csp-localpoliciessecurityoptions.md#microsoftnetworkserver_disconnectclientswhenlogonhoursexpire)
- [MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel](policy-csp-localpoliciessecurityoptions.md#microsoftnetworkserver_serverspntargetnamevalidationlevel)
- [NetworkAccess_AllowAnonymousSIDOrNameTranslation](policy-csp-localpoliciessecurityoptions.md#networkaccess_allowanonymoussidornametranslation)
- [NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication](policy-csp-localpoliciessecurityoptions.md#networkaccess_donotallowstorageofpasswordsandcredentialsfornetworkauthentication)
- [NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers](policy-csp-localpoliciessecurityoptions.md#networkaccess_leteveryonepermissionsapplytoanonymoususers)
- [NetworkAccess_NamedPipesThatCanBeAccessedAnonymously](policy-csp-localpoliciessecurityoptions.md#networkaccess_namedpipesthatcanbeaccessedanonymously)
- [NetworkAccess_RemotelyAccessibleRegistryPaths](policy-csp-localpoliciessecurityoptions.md#networkaccess_remotelyaccessibleregistrypaths)
- [NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths](policy-csp-localpoliciessecurityoptions.md#networkaccess_remotelyaccessibleregistrypathsandsubpaths)
- [NetworkAccess_SharesThatCanBeAccessedAnonymously](policy-csp-localpoliciessecurityoptions.md#networkaccess_sharesthatcanbeaccessedanonymously)
- [NetworkAccess_SharingAndSecurityModelForLocalAccounts](policy-csp-localpoliciessecurityoptions.md#networkaccess_sharingandsecuritymodelforlocalaccounts)
- [NetworkSecurity_AllowLocalSystemNULLSessionFallback](policy-csp-localpoliciessecurityoptions.md#networksecurity_allowlocalsystemnullsessionfallback)
- [NetworkSecurity_ForceLogoffWhenLogonHoursExpire](policy-csp-localpoliciessecurityoptions.md#networksecurity_forcelogoffwhenlogonhoursexpire)
- [NetworkSecurity_LDAPClientSigningRequirements](policy-csp-localpoliciessecurityoptions.md#networksecurity_ldapclientsigningrequirements)
- [RecoveryConsole_AllowAutomaticAdministrativeLogon](policy-csp-localpoliciessecurityoptions.md#recoveryconsole_allowautomaticadministrativelogon)
- [RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders](policy-csp-localpoliciessecurityoptions.md#recoveryconsole_allowfloppycopyandaccesstoalldrivesandallfolders)
- [SystemCryptography_ForceStrongKeyProtection](policy-csp-localpoliciessecurityoptions.md#systemcryptography_forcestrongkeyprotection)
- [SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems](policy-csp-localpoliciessecurityoptions.md#systemobjects_requirecaseinsensitivityfornonwindowssubsystems)
- [SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects](policy-csp-localpoliciessecurityoptions.md#systemobjects_strengthendefaultpermissionsofinternalsystemobjects)
- [UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection](policy-csp-localpoliciessecurityoptions.md#useraccountcontrol_behavioroftheelevationpromptforadministratorprotection)
- [UserAccountControl_TypeOfAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md#useraccountcontrol_typeofadminapprovalmode)
@ -174,23 +95,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [ConfigureDeviceStandbyAction](policy-csp-mixedreality.md#configuredevicestandbyaction)
- [ConfigureDeviceStandbyActionTimeout](policy-csp-mixedreality.md#configuredevicestandbyactiontimeout)
## MSSecurityGuide
- [NetBTNodeTypeConfiguration](policy-csp-mssecurityguide.md#netbtnodetypeconfiguration)
## NetworkListManager
- [AllNetworks_NetworkIcon](policy-csp-networklistmanager.md#allnetworks_networkicon)
- [AllNetworks_NetworkLocation](policy-csp-networklistmanager.md#allnetworks_networklocation)
- [AllNetworks_NetworkName](policy-csp-networklistmanager.md#allnetworks_networkname)
- [IdentifyingNetworks_LocationType](policy-csp-networklistmanager.md#identifyingnetworks_locationtype)
- [UnidentifiedNetworks_LocationType](policy-csp-networklistmanager.md#unidentifiednetworks_locationtype)
- [UnidentifiedNetworks_UserPermissions](policy-csp-networklistmanager.md#unidentifiednetworks_userpermissions)
## Notifications
- [DisableAccountNotifications](policy-csp-notifications.md#disableaccountnotifications)
## PassportForWork CSP
- [EnableWindowsHelloProvisioningForSecurityKeys](passportforwork-csp.md#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys)
@ -202,77 +106,15 @@ This article lists the policies that are applicable for Windows Insider Preview
## RemoteDesktopServices
- [LimitServerToClientClipboardRedirection](policy-csp-remotedesktopservices.md#limitservertoclientclipboardredirection)
- [LimitClientToServerClipboardRedirection](policy-csp-remotedesktopservices.md#limitclienttoserverclipboardredirection)
- [DisconnectOnLockLegacyAuthn](policy-csp-remotedesktopservices.md#disconnectonlocklegacyauthn)
- [DisconnectOnLockMicrosoftIdentityAuthn](policy-csp-remotedesktopservices.md#disconnectonlockmicrosoftidentityauthn)
- [TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME](policy-csp-remotedesktopservices.md#ts_server_remoteapp_use_shellappruntime)
## Search
- [ConfigureSearchOnTaskbarMode](policy-csp-search.md#configuresearchontaskbarmode)
## SettingsSync
- [DisableAccessibilitySettingSync](policy-csp-settingssync.md#disableaccessibilitysettingsync)
- [DisableLanguageSettingSync](policy-csp-settingssync.md#disablelanguagesettingsync)
## Sudo
- [EnableSudo](policy-csp-sudo.md#enablesudo)
## SurfaceHub CSP
- [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled)
## System
- [HideUnsupportedHardwareNotifications](policy-csp-system.md#hideunsupportedhardwarenotifications)
## SystemServices
- [ConfigureComputerBrowserServiceStartupMode](policy-csp-systemservices.md#configurecomputerbrowserservicestartupmode)
- [ConfigureIISAdminServiceStartupMode](policy-csp-systemservices.md#configureiisadminservicestartupmode)
- [ConfigureInfraredMonitorServiceStartupMode](policy-csp-systemservices.md#configureinfraredmonitorservicestartupmode)
- [ConfigureInternetConnectionSharingServiceStartupMode](policy-csp-systemservices.md#configureinternetconnectionsharingservicestartupmode)
- [ConfigureLxssManagerServiceStartupMode](policy-csp-systemservices.md#configurelxssmanagerservicestartupmode)
- [ConfigureMicrosoftFTPServiceStartupMode](policy-csp-systemservices.md#configuremicrosoftftpservicestartupmode)
- [ConfigureRemoteProcedureCallLocatorServiceStartupMode](policy-csp-systemservices.md#configureremoteprocedurecalllocatorservicestartupmode)
- [ConfigureRoutingAndRemoteAccessServiceStartupMode](policy-csp-systemservices.md#configureroutingandremoteaccessservicestartupmode)
- [ConfigureSimpleTCPIPServicesStartupMode](policy-csp-systemservices.md#configuresimpletcpipservicesstartupmode)
- [ConfigureSpecialAdministrationConsoleHelperServiceStartupMode](policy-csp-systemservices.md#configurespecialadministrationconsolehelperservicestartupmode)
- [ConfigureSSDPDiscoveryServiceStartupMode](policy-csp-systemservices.md#configuressdpdiscoveryservicestartupmode)
- [ConfigureUPnPDeviceHostServiceStartupMode](policy-csp-systemservices.md#configureupnpdevicehostservicestartupmode)
- [ConfigureWebManagementServiceStartupMode](policy-csp-systemservices.md#configurewebmanagementservicestartupmode)
- [ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode](policy-csp-systemservices.md#configurewindowsmediaplayernetworksharingservicestartupmode)
- [ConfigureWindowsMobileHotspotServiceStartupMode](policy-csp-systemservices.md#configurewindowsmobilehotspotservicestartupmode)
- [ConfigureWorldWideWebPublishingServiceStartupMode](policy-csp-systemservices.md#configureworldwidewebpublishingservicestartupmode)
## Update
- [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md#allowtemporaryenterprisefeaturecontrol)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](policy-csp-update.md#configuredeadlinenoautorebootforfeatureupdates)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](policy-csp-update.md#configuredeadlinenoautorebootforqualityupdates)
- [AlwaysAutoRebootAtScheduledTimeMinutes](policy-csp-update.md#alwaysautorebootatscheduledtimeminutes)
## UserRights
- [BypassTraverseChecking](policy-csp-userrights.md#bypasstraversechecking)
- [ReplaceProcessLevelToken](policy-csp-userrights.md#replaceprocessleveltoken)
- [ChangeTimeZone](policy-csp-userrights.md#changetimezone)
- [ShutDownTheSystem](policy-csp-userrights.md#shutdownthesystem)
- [LogOnAsBatchJob](policy-csp-userrights.md#logonasbatchjob)
- [ProfileSystemPerformance](policy-csp-userrights.md#profilesystemperformance)
- [DenyLogOnAsBatchJob](policy-csp-userrights.md#denylogonasbatchjob)
- [LogOnAsService](policy-csp-userrights.md#logonasservice)
- [IncreaseProcessWorkingSet](policy-csp-userrights.md#increaseprocessworkingset)
- [DenyLogOnAsService](policy-csp-userrights.md#denylogonasservice)
- [AdjustMemoryQuotasForProcess](policy-csp-userrights.md#adjustmemoryquotasforprocess)
- [AllowLogOnThroughRemoteDesktop](policy-csp-userrights.md#allowlogonthroughremotedesktop)
## WebThreatDefense
- [AutomaticDataCollection](policy-csp-webthreatdefense.md#automaticdatacollection)
## Wifi
@ -281,7 +123,7 @@ This article lists the policies that are applicable for Windows Insider Preview
## WindowsAI
- [DisableAIDataAnalysis](policy-csp-windowsai.md#disableaidataanalysis)
- [SetCopilotHardwareKey](policy-csp-windowsai.md#setcopilothardwarekey)
- [DisableImageCreator](policy-csp-windowsai.md#disableimagecreator)
- [DisableCocreator](policy-csp-windowsai.md#disablecocreator)
@ -294,11 +136,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [DisableSubscription](windowslicensing-csp.md#subscriptionsdisablesubscription)
- [RemoveSubscription](windowslicensing-csp.md#subscriptionsremovesubscription)
## WindowsSandbox
- [AllowMappedFolders](policy-csp-windowssandbox.md#allowmappedfolders)
- [AllowWriteToMappedFolders](policy-csp-windowssandbox.md#allowwritetomappedfolders)
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

3
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -1,7 +1,7 @@
---
title: Policy CSP
description: Learn more about the Policy CSP.
ms.date: 08/07/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -1152,6 +1152,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
- [Settings](policy-csp-settings.md)
- [SettingsSync](policy-csp-settingssync.md)
- [SmartScreen](policy-csp-smartscreen.md)
- [SpeakForMe](policy-csp-speakforme.md)
- [Speech](policy-csp-speech.md)
- [Start](policy-csp-start.md)
- [Stickers](policy-csp-stickers.md)

8
windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_AppxPackageManager Policy CSP
description: Learn more about the ADMX_AppxPackageManager Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -32,7 +32,7 @@ ms.date: 08/06/2024
<!-- AllowDeploymentInSpecialProfiles-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off:
This policy setting allows you to manage the deployment of packaged Microsoft Store apps when the user is signed in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off:
Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies.
@ -42,9 +42,9 @@ Temporary user profiles, which are created when an error prevents the correct pr
User profiles for the Guest account and members of the Guests group.
- If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of Windows Store apps when using a special profile.
- If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of packaged Microsoft Store apps when using a special profile.
- If you disable or don't configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile.
- If you disable or don't configure this policy setting, Group Policy blocks deployment operations of packaged Microsoft Store apps when using a special profile.
<!-- AllowDeploymentInSpecialProfiles-Description-End -->
<!-- AllowDeploymentInSpecialProfiles-Editable-Begin -->

24
windows/client-management/mdm/policy-csp-admx-appxruntime.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_AppXRuntime Policy CSP
description: Learn more about the ADMX_AppXRuntime Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -32,11 +32,11 @@ ms.date: 08/06/2024
<!-- AppxRuntimeApplicationContentUriRules-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer.
This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all packaged Microsoft Store apps that use the enterpriseAuthentication capability on a computer.
- If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use.
- If you enable this policy setting, you can define additional Content URI Rules that all packaged Microsoft Store apps that use the enterpriseAuthentication capability on a computer can use.
- If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules.
- If you disable or don't set this policy setting, packaged Microsoft Store apps will only use the static Content URI Rules.
<!-- AppxRuntimeApplicationContentUriRules-Description-End -->
<!-- AppxRuntimeApplicationContentUriRules-Editable-Begin -->
@ -60,7 +60,7 @@ This policy setting lets you turn on Content URI Rules to supplement the static
| Name | Value |
|:--|:--|
| Name | AppxRuntimeApplicationContentUriRules |
| Friendly Name | Turn on dynamic Content URI Rules for Windows store apps |
| Friendly Name | Turn on dynamic Content URI Rules for packaged Microsoft Store apps |
| Location | Computer Configuration |
| Path | Windows Components > App runtime |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Packages\Applications |
@ -95,11 +95,11 @@ This policy setting lets you turn on Content URI Rules to supplement the static
<!-- AppxRuntimeBlockFileElevation-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type.
This policy setting lets you control whether packaged Microsoft Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than packaged Microsoft Store apps, there is a risk that a packaged Microsoft Store app might compromise the system by opening a file in the default desktop app for a file type.
- If you enable this policy setting, Windows Store apps can't open files in the default desktop app for a file type; they can open files only in other Windows Store apps.
- If you enable this policy setting, packaged Microsoft Store apps can't open files in the default desktop app for a file type; they can open files only in other packaged Microsoft Store apps.
- If you disable or don't configure this policy setting, Windows Store apps can open files in the default desktop app for a file type.
- If you disable or don't configure this policy setting, packaged Microsoft Store apps can open files in the default desktop app for a file type.
<!-- AppxRuntimeBlockFileElevation-Description-End -->
<!-- AppxRuntimeBlockFileElevation-Editable-Begin -->
@ -219,14 +219,14 @@ This policy shouldn't be enabled unless recommended by Microsoft as a security r
<!-- AppxRuntimeBlockProtocolElevation-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app.
This policy setting lets you control whether packaged Microsoft Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than packaged Microsoft Store apps, there is a risk that a URI scheme launched by a packaged Microsoft Store app might compromise the system by launching a desktop app.
- If you enable this policy setting, Windows Store apps can't open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps.
- If you enable this policy setting, packaged Microsoft Store apps can't open URIs in the default desktop app for a URI scheme; they can open URIs only in other packaged Microsoft Store apps.
- If you disable or don't configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme.
- If you disable or don't configure this policy setting, packaged Microsoft Store apps can open URIs in the default desktop app for a URI scheme.
> [!NOTE]
> Enabling this policy setting doesn't block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk.
> Enabling this policy setting doesn't block packaged Microsoft Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk.
<!-- AppxRuntimeBlockProtocolElevation-Description-End -->
<!-- AppxRuntimeBlockProtocolElevation-Editable-Begin -->

4
windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_ControlPanelDisplay Policy CSP
description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -1351,7 +1351,7 @@ Specifies which theme file is applied to the computer the first time a user logs
|:--|:--|
| Name | CPL_Personalization_SetTheme |
| Friendly Name | Load a specific theme |
| Location | User Configuration |
| Location | Computer and User Configuration |
| Path | Control Panel > Personalization |
| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization |
| ADMX File Name | ControlPanelDisplay.admx |

8
windows/client-management/mdm/policy-csp-admx-deviceguard.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_DeviceGuard Policy CSP
description: Learn more about the ADMX_DeviceGuard Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -14,7 +14,7 @@ ms.date: 08/06/2024
<!-- ADMX_DeviceGuard-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!WARNING]
> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
> Group Policy-based deployment of App Control for Business policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
<!-- ADMX_DeviceGuard-Editable-End -->
<!-- ConfigCIPolicy-Begin -->
@ -34,7 +34,7 @@ ms.date: 08/06/2024
<!-- ConfigCIPolicy-Description-Begin -->
<!-- Description-Source-ADMX -->
Deploy Windows Defender Application Control.
Deploy App Control for Business.
This policy setting lets you deploy a Code Integrity Policy to a machine to control what's allowed to run on that machine.
@ -69,7 +69,7 @@ If using a signed and protected policy then disabling this policy setting doesn'
| Name | Value |
|:--|:--|
| Name | ConfigCIPolicy |
| Friendly Name | Deploy Windows Defender Application Control |
| Friendly Name | Deploy App Control for Business |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |

96
windows/client-management/mdm/policy-csp-admx-dnsclient.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_DnsClient Policy CSP
description: Learn more about the ADMX_DnsClient Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -91,7 +91,7 @@ Specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualifie
<!-- DNS_AppendToMultiLabelName-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails.
Specifies that the DNS client may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails.
A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com" is an example of a fully qualified name because it contains a terminating dot.
@ -103,7 +103,7 @@ If attaching suffixes is allowed, and a DNS client with a primary domain suffix
- If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails.
- If you don't configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names.
- If you don't configure this policy setting, the DNS client will use its local settings to determine the query behavior for unqualified multi-label names.
<!-- DNS_AppendToMultiLabelName-Description-End -->
<!-- DNS_AppendToMultiLabelName-Editable-Begin -->
@ -162,9 +162,9 @@ Specifies a connection-specific DNS suffix. This policy setting supersedes local
To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix.
- If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting.
- If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by the DNS client.
- If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the local or DHCP supplied connection specific DNS suffix, if configured.
<!-- DNS_Domain-Description-End -->
<!-- DNS_Domain-Editable-Begin -->
@ -234,7 +234,7 @@ Each connection-specific DNS suffix, assigned either through DHCP or specified i
For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the DNS client (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it's under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it's under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two.
@ -295,11 +295,11 @@ For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the
<!-- DNS_IdnEncoding-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured.
Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the DNS client is on non-domain networks with no WINS servers configured.
- If this policy setting is enabled, IDNs aren't converted to Punycode.
- If this policy setting is disabled, or if this policy setting isn't configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.
- If this policy setting is disabled, or if this policy setting isn't configured, IDNs are converted to Punycode when the DNS client is on non-domain networks with no WINS servers configured.
<!-- DNS_IdnEncoding-Description-End -->
<!-- DNS_IdnEncoding-Editable-Begin -->
@ -413,13 +413,13 @@ Specifies whether the DNS client should convert internationalized domain names (
<!-- DNS_NameServer-Description-Begin -->
<!-- Description-Source-ADMX -->
Defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP.
Defines the DNS servers to which the DNS client sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP.
To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address.
- If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting.
- If you enable this policy setting, the list of DNS servers is applied to all network connections used by the DNS client.
- If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the local or DHCP supplied list of DNS servers, if configured.
<!-- DNS_NameServer-Description-End -->
<!-- DNS_NameServer-Editable-Begin -->
@ -535,18 +535,18 @@ Specifies that responses from link local name resolution protocols received over
<!-- DNS_PrimaryDnsSuffix-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution.
Specifies the primary DNS suffix used by the DNS client in DNS name registration and DNS name resolution.
To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com.
> [!IMPORTANT]
> In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows.
> In order for changes to this policy setting to be applied on the DNS client, you must restart Windows.
- If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel.
You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix.
- If you disable this policy setting, or if you don't configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it's joined.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client uses the local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it's joined.
<!-- DNS_PrimaryDnsSuffix-Description-End -->
<!-- DNS_PrimaryDnsSuffix-Editable-Begin -->
@ -600,18 +600,18 @@ You can use this policy setting to prevent users, including local administrators
<!-- DNS_RegisterAdapterName-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
Specifies if the DNS client performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com.
- If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting.
- If you enable this policy setting, the DNS client will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by the DNS client.
For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer. VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, the DNS client will register A and PTR resource records for mycomputer. VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
> [!IMPORTANT]
> This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled.
> This policy setting is ignored by the DNS client if dynamic DNS registration is disabled.
- If you disable this policy setting, or if you don't configure this policy setting, a DNS client computer won't register any A and PTR resource records using a connection-specific DNS suffix.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client won't register any A and PTR resource records using a connection-specific DNS suffix.
<!-- DNS_RegisterAdapterName-Description-End -->
<!-- DNS_RegisterAdapterName-Editable-Begin -->
@ -666,7 +666,7 @@ For example, with a computer name of mycomputer, a primary DNS suffix of microso
<!-- DNS_RegisterReverseLookup-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies if DNS client computers will register PTR resource records.
Specifies if the DNS client will register PTR resource records.
By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record.
@ -674,13 +674,13 @@ By default, DNS clients configured to perform dynamic DNS registration will atte
To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:
Don't register: Computers won't attempt to register PTR resource records.
Don't register: the DNS client won't attempt to register PTR resource records.
Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records wasn't successful.
Register: the DNS client will attempt to register PTR resource records even if registration of the corresponding A records wasn't successful.
Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful.
Register only if A record registration succeeds: the DNS client will attempt to register PTR resource records only if registration of the corresponding A records was successful.
- If you disable this policy setting, or if you don't configure this policy setting, computers will use locally configured settings.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use locally configured settings.
<!-- DNS_RegisterReverseLookup-Description-End -->
<!-- DNS_RegisterReverseLookup-Editable-Begin -->
@ -734,11 +734,11 @@ Register only if A record registration succeeds: Computers will attempt to regis
<!-- DNS_RegistrationEnabled-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.
Specifies if DNS dynamic update is enabled. DNS clients configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.
- If you enable this policy setting, or you don't configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting mustn't be disabled.
- If you enable this policy setting, or you don't configure this policy setting, the DNS client will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting mustn't be disabled.
- If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.
- If you disable this policy setting, the DNS client may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.
<!-- DNS_RegistrationEnabled-Description-End -->
<!-- DNS_RegistrationEnabled-Editable-Begin -->
@ -795,7 +795,7 @@ Specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic
<!-- Description-Source-ADMX -->
Specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses.
This policy setting is designed for computers that register address (A) resource records in DNS zones that don't use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and doesn't allow a DNS client to overwrite records that are registered by other computers.
This policy setting is designed for DNS clients that register address (A) resource records in DNS zones that don't use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and doesn't allow a DNS client to overwrite records that are registered by other DNS clients.
During dynamic update of resource records in a zone that doesn't use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address.
@ -856,18 +856,18 @@ During dynamic update of resource records in a zone that doesn't use Secure Dyna
<!-- DNS_RegistrationRefreshInterval-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates.
Specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies DNS clients performing dynamic DNS updates.
Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record hasn't changed. This reregistration is required to indicate to DNS servers that records are current and shouldn't be automatically removed (scavenged) when a DNS server is configured to delete stale records.
DNS clients configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record hasn't changed. This reregistration is required to indicate to DNS servers that records are current and shouldn't be automatically removed (scavenged) when a DNS server is configured to delete stale records.
> [!WARNING]
> If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records.
To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes.
- If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting.
- If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by DNS clients that receive this policy setting.
- If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the local or DHCP supplied setting. By default, DNS clients configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
<!-- DNS_RegistrationRefreshInterval-Description-End -->
<!-- DNS_RegistrationRefreshInterval-Editable-Begin -->
@ -921,13 +921,13 @@ To specify the registration refresh interval, click Enabled and then enter a val
<!-- DNS_RegistrationTtl-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied.
Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by the DNS client to which this policy setting is applied.
To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes).
- If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting.
- If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by the DNS client.
- If you disable this policy setting, or if you don't configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).
<!-- DNS_RegistrationTtl-Description-End -->
<!-- DNS_RegistrationTtl-Editable-Begin -->
@ -985,7 +985,7 @@ Specifies the DNS suffixes to attach to an unqualified single-label name before
An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com".
Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com".
DNS clients that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com".
To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes.
@ -1170,15 +1170,15 @@ Specifies the security level for dynamic DNS updates.
To use this policy setting, click Enabled and then select one of the following values:
Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updates are refused.
Unsecure followed by secure - the DNS client sends secure dynamic updates only when nonsecure dynamic updates are refused.
Only unsecure - computers send only nonsecure dynamic updates.
Only unsecure - the DNS client sends only nonsecure dynamic updates.
Only secure - computers send only secure dynamic updates.
Only secure - The DNS client sends only secure dynamic updates.
- If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.
- If you enable this policy setting, DNS clients that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.
- If you disable this policy setting, or if you don't configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
- If you disable this policy setting, or if you don't configure this policy setting, DNS clients will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
<!-- DNS_UpdateSecurityLevel-Description-End -->
<!-- DNS_UpdateSecurityLevel-Editable-Begin -->
@ -1232,13 +1232,13 @@ Only secure - computers send only secure dynamic updates.
<!-- DNS_UpdateTopLevelDomainZones-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com".
Specifies if the DNS client may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com".
By default, a DNS client that's configured to perform dynamic DNS update will update the DNS zone that's authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone.
- If you enable this policy setting, computers send dynamic updates to any zone that's authoritative for the resource records that the computer needs to update, except the root zone.
- If you enable this policy setting, the DNS client sends dynamic updates to any zone that's authoritative for the resource records that the DNS client needs to update, except the root zone.
- If you disable this policy setting, or if you don't configure this policy setting, computers don't send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client doesn't send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the DNS client needs to update.
<!-- DNS_UpdateTopLevelDomainZones-Description-End -->
<!-- DNS_UpdateTopLevelDomainZones-Editable-Begin -->
@ -1309,7 +1309,7 @@ Each connection-specific DNS suffix, assigned either through DHCP or specified i
For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the DNS client (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it's under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it's under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two.
@ -1370,11 +1370,11 @@ For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the
<!-- Turn_Off_Multicast-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies that link local multicast name resolution (LLMNR) is disabled on client computers.
Specifies that link local multicast name resolution (LLMNR) is disabled on the DNS client.
LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR doesn't require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution isn't possible.
LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a DNS client to another DNS client on the same subnet that also has LLMNR enabled. LLMNR doesn't require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution isn't possible.
- If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.
- If you enable this policy setting, LLMNR will be disabled on all available network adapters on the DNS client.
- If you disable this policy setting, or you don't configure this policy setting, LLMNR will be enabled on all available network adapters.
<!-- Turn_Off_Multicast-Description-End -->

4
windows/client-management/mdm/policy-csp-admx-filesys.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_FileSys Policy CSP
description: Learn more about the ADMX_FileSys Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -260,7 +260,7 @@ Encrypting the page file prevents malicious users from reading data that has bee
<!-- LongPathsEnabled-Description-Begin -->
<!-- Description-Source-ADMX -->
Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit. Enabling this setting will cause the long paths to be accessible within the process.
Enabling Win32 long paths will allow manifested win32 applications and packaged Microsoft Store applications to access paths beyond the normal 260 character limit. Enabling this setting will cause the long paths to be accessible within the process.
<!-- LongPathsEnabled-Description-End -->
<!-- LongPathsEnabled-Editable-Begin -->

30
windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_MicrosoftDefenderAntivirus Policy CSP
description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -1523,11 +1523,13 @@ This policy setting defines the number of days items should be kept in the Quara
<!-- RandomizeScheduleTaskTimes-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure the scheduled scan, and the scheduled security intelligence update, start time window in hours.
This policy setting allows you to configure the randomization of the scheduled scan start time and the scheduled definition update start time.
- If you disable or don't configure this setting, scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler.
- If you enable or don't configure this policy setting, and didn't set a randomization window in the Configure scheduled task time randomization window setting , then randomization will be added between 0-4 hours.
- If you enable this setting, you can widen, or narrow, this randomization period. Specify a randomization window of between 1 and 23 hours.
- If you enable or don't configure this policy setting, and set a randomization window in the Configure scheduled task time randomization window setting, the configured randomization window will be used.
- If you disable this policy setting, but configured the scheduled task time randomization window, randomization won't be done.
<!-- RandomizeScheduleTaskTimes-Description-End -->
<!-- RandomizeScheduleTaskTimes-Editable-Begin -->
@ -3528,11 +3530,11 @@ This policy setting allows you to configure scanning mapped network drives.
<!-- Scan_DisableScanningNetworkFiles-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure scanning for network files. It's recommended that you don't enable this setting.
This policy setting allows the scanning of network files using on access protection. The default is enabled. Recommended to remain enabled in most cases.
- If you enable this setting, network files will be scanned.
- If you enable or don't configure this setting, network files will be scanned.
- If you disable or don't configure this setting, network files won't be scanned.
- If you disable this setting, network files won't be scanned.
<!-- Scan_DisableScanningNetworkFiles-Description-End -->
<!-- Scan_DisableScanningNetworkFiles-Editable-Begin -->
@ -3556,7 +3558,7 @@ This policy setting allows you to configure scanning for network files. It's rec
| Name | Value |
|:--|:--|
| Name | Scan_DisableScanningNetworkFiles |
| Friendly Name | Scan network files |
| Friendly Name | Configure scanning of network files |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
@ -5436,12 +5438,7 @@ Valid remediation action values are:
<!-- UX_Configuration_CustomDefaultActionToastString-OmaUri-End -->
<!-- UX_Configuration_CustomDefaultActionToastString-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display.
- If you enable this setting, the additional text specified will be displayed.
- If you disable or don't configure this setting, there will be no additional text displayed.
<!-- Description-Source-Not-Found -->
<!-- UX_Configuration_CustomDefaultActionToastString-Description-End -->
<!-- UX_Configuration_CustomDefaultActionToastString-Editable-Begin -->
@ -5458,6 +5455,7 @@ This policy setting allows you to configure whether or not to display additional
<!-- UX_Configuration_CustomDefaultActionToastString-DFProperties-End -->
<!-- UX_Configuration_CustomDefaultActionToastString-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -5465,10 +5463,6 @@ This policy setting allows you to configure whether or not to display additional
| Name | Value |
|:--|:--|
| Name | UX_Configuration_CustomDefaultActionToastString |
| Friendly Name | Display additional text to clients when they need to perform an action |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Client Interface |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\UX Configuration |
| ADMX File Name | WindowsDefender.admx |
<!-- UX_Configuration_CustomDefaultActionToastString-AdmxBacked-End -->

4
windows/client-management/mdm/policy-csp-admx-netlogon.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_Netlogon Policy CSP
description: Learn more about the ADMX_Netlogon Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -420,6 +420,8 @@ Note that this policy setting doesn't affect NetBIOS-based discovery for DC loca
- If you enable or don't configure this policy setting, the DC location algorithm doesn't use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This is the default behavior.
- If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails.
This setting has no effect unless the BlockNetbiosDiscovery setting is disabled. NetBIOS-based discovery is considered unsecure, has many limitations, and will be deprecated in a future release. For these reasons, NetBIOS-based discovery isn't recommended. See <https://aka.ms/dclocatornetbiosdeprecation> for more information.
<!-- Netlogon_AvoidFallbackNetbiosDiscovery-Description-End -->
<!-- Netlogon_AvoidFallbackNetbiosDiscovery-Editable-Begin -->

4
windows/client-management/mdm/policy-csp-admx-printing.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_Printing Policy CSP
description: Learn more about the ADMX_Printing Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -749,7 +749,7 @@ This preference allows you to change default printer management.
<!-- MXDWUseLegacyOutputFormatMSXPS-Description-Begin -->
<!-- Description-Source-ADMX -->
Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2022.
Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2025.
- If you enable this group policy setting, the default MXDW output format is the legacy Microsoft XPS (*.xps).

4
windows/client-management/mdm/policy-csp-admx-startmenu.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_StartMenu Policy CSP
description: Learn more about the ADMX_StartMenu Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -997,7 +997,7 @@ This policy setting allows you to prevent users from changing their Start screen
|:--|:--|
| Name | NoChangeStartMenu |
| Friendly Name | Prevent users from customizing their Start Screen |
| Location | User Configuration |
| Location | Computer and User Configuration |
| Path | Start Menu and Taskbar |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
| Registry Value Name | NoChangeStartMenu |

12
windows/client-management/mdm/policy-csp-admx-taskbar.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_Taskbar Policy CSP
description: Learn more about the ADMX_Taskbar Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -69,7 +69,7 @@ A reboot is required for this policy setting to take effect.
|:--|:--|
| Name | DisableNotificationCenter |
| Friendly Name | Remove Notifications and Action Center |
| Location | User Configuration |
| Location | Computer and User Configuration |
| Path | Start Menu and Taskbar |
| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
| Registry Value Name | DisableNotificationCenter |
@ -748,11 +748,11 @@ This policy setting allows you to turn off automatic promotion of notification i
<!-- ShowWindowsStoreAppsOnTaskbar-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows users to see Windows Store apps on the taskbar.
This policy setting allows users to see packaged Microsoft Store apps on the taskbar.
- If you enable this policy setting, users will see Windows Store apps on the taskbar.
- If you enable this policy setting, users will see packaged Microsoft Store apps on the taskbar.
- If you disable this policy setting, users won't see Windows Store apps on the taskbar.
- If you disable this policy setting, users won't see packaged Microsoft Store apps on the taskbar.
- If you don't configure this policy setting, the default setting for the user's device will be used, and the user can choose to change it.
<!-- ShowWindowsStoreAppsOnTaskbar-Description-End -->
@ -778,7 +778,7 @@ This policy setting allows users to see Windows Store apps on the taskbar.
| Name | Value |
|:--|:--|
| Name | ShowWindowsStoreAppsOnTaskbar |
| Friendly Name | Show Windows Store apps on the taskbar |
| Friendly Name | Show packaged Microsoft Store apps on the taskbar |
| Location | User Configuration |
| Path | Start Menu and Taskbar |
| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |

4
windows/client-management/mdm/policy-csp-admx-terminalserver.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_TerminalServer Policy CSP
description: Learn more about the ADMX_TerminalServer Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -3585,7 +3585,7 @@ This policy setting allows you to specify which protocols can be used for Remote
- If you enable this policy setting, you must specify if you would like RDP to use UDP.
You can select one of the following options: "Use both UDP and TCP", "Use only TCP" or "Use either UDP or TCP (default)".
You can select one of the following options: "Use either UDP or TCP (default)" or "Use only TCP".
If you select "Use either UDP or TCP" and the UDP connection is successful, most of the RDP traffic will use UDP.

11
windows/client-management/mdm/policy-csp-admx-thumbnails.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_Thumbnails Policy CSP
description: Learn more about the ADMX_Thumbnails Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -95,11 +95,14 @@ File Explorer displays thumbnail images by default.
<!-- Description-Source-ADMX -->
This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders.
File Explorer displays thumbnail images on network folders by default.
File Explorer displays only icons and never displays thumbnail images on network folders by default.
- If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images on network folders.
- If you disable this policy setting, File Explorer displays thumbnail images on network folders.
- If you disable or don't configure this policy setting, File Explorer displays only thumbnail images on network folders.
- If you enable or don't configure this policy setting, File Explorer displays only icons and never displays thumbnail images on network folders.
> [!NOTE]
> Allowing the use of thumbnail images from network folders can expose the users' computers to security risks.
<!-- DisableThumbnailsOnNetworkFolders-Description-End -->
<!-- DisableThumbnailsOnNetworkFolders-Editable-Begin -->

18
windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_WindowsExplorer Policy CSP
description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -472,7 +472,15 @@ You can specify a known folder using its known folder id or using its canonical
<!-- DisableMotWOnInsecurePathCopy-OmaUri-End -->
<!-- DisableMotWOnInsecurePathCopy-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting determines the application of the Mark of the Web tag to files sourced from insecure locations.
- If you enable this policy setting, files copied from unsecure sources won't be tagged with the Mark of the Web.
- If you disable or don't configure this policy setting, files copied from unsecure sources will be tagged with the appropriate Mark of the Web.
> [!NOTE]
> Failure to tag files from unsecure sources with the Mark of the Web can expose users' computers to security risks.
<!-- DisableMotWOnInsecurePathCopy-Description-End -->
<!-- DisableMotWOnInsecurePathCopy-Editable-Begin -->
@ -489,7 +497,6 @@ You can specify a known folder using its known folder id or using its canonical
<!-- DisableMotWOnInsecurePathCopy-DFProperties-End -->
<!-- DisableMotWOnInsecurePathCopy-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -497,6 +504,11 @@ You can specify a known folder using its known folder id or using its canonical
| Name | Value |
|:--|:--|
| Name | DisableMotWOnInsecurePathCopy |
| Friendly Name | Do not apply the Mark of the Web tag to files copied from insecure sources |
| Location | Computer Configuration |
| Path | WindowsComponents > File Explorer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
| Registry Value Name | DisableMotWOnInsecurePathCopy |
| ADMX File Name | WindowsExplorer.admx |
<!-- DisableMotWOnInsecurePathCopy-AdmxBacked-End -->

4
windows/client-management/mdm/policy-csp-admx-wpn.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_WPN Policy CSP
description: Learn more about the ADMX_WPN Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -254,7 +254,7 @@ No reboots or service restarts are required for this policy setting to take effe
|:--|:--|
| Name | NoToastNotification |
| Friendly Name | Turn off toast notifications |
| Location | User Configuration |
| Location | Computer and User Configuration |
| Path | Start Menu and Taskbar > Notifications |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications |
| Registry Value Name | NoToastApplicationNotification |

100
windows/client-management/mdm/policy-csp-appdeviceinventory.md
View File

@ -1,7 +1,7 @@
---
title: AppDeviceInventory Policy CSP
description: Learn more about the AppDeviceInventory Area in Policy CSP.
ms.date: 08/07/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -33,7 +33,12 @@ ms.date: 08/07/2024
<!-- TurnOffAPISamping-OmaUri-End -->
<!-- TurnOffAPISamping-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy controls the state of API Sampling. API Sampling monitors the sampled collection of application programming interfaces used during system runtime to help diagnose compatibility problems.
- If you enable this policy, API Sampling won't be run.
- If you disable or don't configure this policy, API Sampling will be turned on.
<!-- TurnOffAPISamping-Description-End -->
<!-- TurnOffAPISamping-Editable-Begin -->
@ -50,7 +55,6 @@ ms.date: 08/07/2024
<!-- TurnOffAPISamping-DFProperties-End -->
<!-- TurnOffAPISamping-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -58,6 +62,11 @@ ms.date: 08/07/2024
| Name | Value |
|:--|:--|
| Name | TurnOffAPISamping |
| Friendly Name | Turn off API Sampling |
| Location | Computer Configuration |
| Path | Windows Components > App and Device Inventory |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
| Registry Value Name | DisableAPISamping |
| ADMX File Name | AppDeviceInventory.admx |
<!-- TurnOffAPISamping-AdmxBacked-End -->
@ -83,7 +92,12 @@ ms.date: 08/07/2024
<!-- TurnOffApplicationFootprint-OmaUri-End -->
<!-- TurnOffApplicationFootprint-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy controls the state of Application Footprint. Application Footprint monitors the sampled collection of registry and file usage to help diagnose compatibility problems.
- If you enable this policy, Application Footprint won't be run.
- If you disable or don't configure this policy, Application Footprint will be turned on.
<!-- TurnOffApplicationFootprint-Description-End -->
<!-- TurnOffApplicationFootprint-Editable-Begin -->
@ -100,7 +114,6 @@ ms.date: 08/07/2024
<!-- TurnOffApplicationFootprint-DFProperties-End -->
<!-- TurnOffApplicationFootprint-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -108,6 +121,11 @@ ms.date: 08/07/2024
| Name | Value |
|:--|:--|
| Name | TurnOffApplicationFootprint |
| Friendly Name | Turn off Application Footprint |
| Location | Computer Configuration |
| Path | Windows Components > App and Device Inventory |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
| Registry Value Name | DisableApplicationFootprint |
| ADMX File Name | AppDeviceInventory.admx |
<!-- TurnOffApplicationFootprint-AdmxBacked-End -->
@ -133,7 +151,12 @@ ms.date: 08/07/2024
<!-- TurnOffInstallTracing-OmaUri-End -->
<!-- TurnOffInstallTracing-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy controls the state of Install Tracing. Install Tracing is a mechanism that tracks application installs to help diagnose compatibility problems.
- If you enable this policy, Install Tracing won't be run.
- If you disable or don't configure this policy, Install Tracing will be turned on.
<!-- TurnOffInstallTracing-Description-End -->
<!-- TurnOffInstallTracing-Editable-Begin -->
@ -150,7 +173,6 @@ ms.date: 08/07/2024
<!-- TurnOffInstallTracing-DFProperties-End -->
<!-- TurnOffInstallTracing-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -158,6 +180,11 @@ ms.date: 08/07/2024
| Name | Value |
|:--|:--|
| Name | TurnOffInstallTracing |
| Friendly Name | Turn off Install Tracing |
| Location | Computer Configuration |
| Path | Windows Components > App and Device Inventory |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
| Registry Value Name | DisableInstallTracing |
| ADMX File Name | AppDeviceInventory.admx |
<!-- TurnOffInstallTracing-AdmxBacked-End -->
@ -167,6 +194,65 @@ ms.date: 08/07/2024
<!-- TurnOffInstallTracing-End -->
<!-- TurnOffWin32AppBackup-Begin -->
## TurnOffWin32AppBackup
<!-- TurnOffWin32AppBackup-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- TurnOffWin32AppBackup-Applicability-End -->
<!-- TurnOffWin32AppBackup-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/AppDeviceInventory/TurnOffWin32AppBackup
```
<!-- TurnOffWin32AppBackup-OmaUri-End -->
<!-- TurnOffWin32AppBackup-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls the state of the compatibility scan for backed up applications. The compatibility scan for backed up applications evaluates for compatibility problems in installed applications.
- If you enable this policy, the compatibility scan for backed up applications won't be run.
- If you disable or don't configure this policy, the compatibility scan for backed up applications will be run.
<!-- TurnOffWin32AppBackup-Description-End -->
<!-- TurnOffWin32AppBackup-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- TurnOffWin32AppBackup-Editable-End -->
<!-- TurnOffWin32AppBackup-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- TurnOffWin32AppBackup-DFProperties-End -->
<!-- TurnOffWin32AppBackup-AdmxBacked-Begin -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | TurnOffWin32AppBackup |
| Friendly Name | Turn off compatibility scan for backed up applications |
| Location | Computer Configuration |
| Path | Windows Components > App and Device Inventory |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
| Registry Value Name | DisableWin32AppBackup |
| ADMX File Name | AppDeviceInventory.admx |
<!-- TurnOffWin32AppBackup-AdmxBacked-End -->
<!-- TurnOffWin32AppBackup-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- TurnOffWin32AppBackup-Examples-End -->
<!-- TurnOffWin32AppBackup-End -->
<!-- AppDeviceInventory-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- AppDeviceInventory-CspMoreInfo-End -->

10
windows/client-management/mdm/policy-csp-applicationmanagement.md
View File

@ -1,7 +1,7 @@
---
title: ApplicationManagement Policy CSP
description: Learn more about the ApplicationManagement Area in Policy CSP.
ms.date: 04/10/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -30,11 +30,11 @@ ms.date: 04/10/2024
<!-- AllowAllTrustedApps-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps.
This policy setting allows you to manage the installation of trusted line-of-business (LOB) or developer-signed packaged Microsoft Store apps.
- If you enable this policy setting, you can install any LOB or developer-signed Windows Store app (which must be signed with a certificate chain that can be successfully validated by the local computer).
- If you enable this policy setting, you can install any LOB or developer-signed packaged Microsoft Store app (which must be signed with a certificate chain that can be successfully validated by the local computer).
- If you disable or don't configure this policy setting, you can't install LOB or developer-signed Windows Store apps.
- If you disable or don't configure this policy setting, you can't install LOB or developer-signed packaged Microsoft Store apps.
<!-- AllowAllTrustedApps-Description-End -->
<!-- AllowAllTrustedApps-Editable-Begin -->
@ -269,7 +269,7 @@ Allows or denies development of Microsoft Store applications and installing them
| Name | Value |
|:--|:--|
| Name | AllowDevelopmentWithoutDevLicense |
| Friendly Name | Allows development of Windows Store apps and installing them from an integrated development environment (IDE) |
| Friendly Name | Allows development of packaged Microsoft Store apps and installing them from an integrated development environment (IDE) |
| Location | Computer Configuration |
| Path | Windows Components > App Package Deployment |
| Registry Key Name | Software\Policies\Microsoft\Windows\Appx |

6
windows/client-management/mdm/policy-csp-appruntime.md
View File

@ -1,7 +1,7 @@
---
title: AppRuntime Policy CSP
description: Learn more about the AppRuntime Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -32,9 +32,9 @@ ms.date: 01/18/2024
<!-- AllowMicrosoftAccountsToBeOptional-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it.
This policy setting lets you control whether Microsoft accounts are optional for packaged Microsoft Store apps that require an account to sign in. This policy only affects packaged Microsoft Store apps that support it.
- If you enable this policy setting, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead.
- If you enable this policy setting, packaged Microsoft Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead.
- If you disable or don't configure this policy setting, users will need to sign in with a Microsoft account.
<!-- AllowMicrosoftAccountsToBeOptional-Description-End -->

5
windows/client-management/mdm/policy-csp-appvirtualization.md
View File

@ -1,7 +1,7 @@
---
title: AppVirtualization Policy CSP
description: Learn more about the AppVirtualization Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -33,6 +33,9 @@ ms.date: 01/18/2024
<!-- AllowAppVClient-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect.
> [!NOTE]
> Application Virtualization (App-V) will reach end-of-life April 2026. After that time, the App-V client will be excluded from new versions of the Windows operating system. See aka.ms/AppVDeprecation for more information.
<!-- AllowAppVClient-Description-End -->
<!-- AllowAppVClient-Editable-Begin -->

16
windows/client-management/mdm/policy-csp-cryptography.md
View File

@ -1,7 +1,7 @@
---
title: Cryptography Policy CSP
description: Learn more about the Cryptography Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 01/18/2024
<!-- Cryptography-Begin -->
# Policy CSP - Cryptography
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Cryptography-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Cryptography-Editable-End -->
@ -79,7 +77,7 @@ Allows or disallows the Federal Information Processing Standard (FIPS) policy.
<!-- ConfigureEllipticCurveCryptography-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureEllipticCurveCryptography-Applicability-End -->
<!-- ConfigureEllipticCurveCryptography-OmaUri-Begin -->
@ -146,7 +144,7 @@ CertUtil.exe -DisplayEccCurve.
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Applicability-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-OmaUri-Begin -->
@ -196,7 +194,7 @@ System cryptography: Force strong key protection for user keys stored on the com
<!-- OverrideMinimumEnabledDTLSVersionClient-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- OverrideMinimumEnabledDTLSVersionClient-Applicability-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-OmaUri-Begin -->
@ -235,7 +233,7 @@ Override minimal enabled TLS version for client role. Last write wins.
<!-- OverrideMinimumEnabledDTLSVersionServer-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- OverrideMinimumEnabledDTLSVersionServer-Applicability-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-OmaUri-Begin -->
@ -274,7 +272,7 @@ Override minimal enabled TLS version for server role. Last write wins.
<!-- OverrideMinimumEnabledTLSVersionClient-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- OverrideMinimumEnabledTLSVersionClient-Applicability-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-OmaUri-Begin -->
@ -313,7 +311,7 @@ Override minimal enabled TLS version for client role. Last write wins.
<!-- OverrideMinimumEnabledTLSVersionServer-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- OverrideMinimumEnabledTLSVersionServer-Applicability-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-OmaUri-Begin -->

4
windows/client-management/mdm/policy-csp-defender.md
View File

@ -1,7 +1,7 @@
---
title: Defender Policy CSP
description: Learn more about the Defender Area in Policy CSP.
ms.date: 06/28/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -745,7 +745,7 @@ This policy setting allows you to configure scheduled scans and on-demand (manua
| Name | Value |
|:--|:--|
| Name | Scan_DisableScanningNetworkFiles |
| Friendly Name | Scan network files |
| Friendly Name | Configure scanning of network files |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |

74
windows/client-management/mdm/policy-csp-desktopappinstaller.md
View File

@ -1,7 +1,7 @@
---
title: DesktopAppInstaller Policy CSP
description: Learn more about the DesktopAppInstaller Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,8 +11,6 @@ ms.date: 01/18/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- DesktopAppInstaller-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DesktopAppInstaller-Editable-End -->
@ -215,7 +213,14 @@ Users will still be able to execute the *winget* command. The default help will
<!-- EnableBypassCertificatePinningForMicrosoftStore-OmaUri-End -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy controls whether the [Windows Package Manager](/windows/package-manager/) will validate the Microsoft Store certificate hash matches to a known Microsoft Store certificate when initiating a connection to the Microsoft Store Source.
- If you enable this policy, the [Windows Package Manager](/windows/package-manager/) will bypass the Microsoft Store certificate validation.
- If you disable this policy, the [Windows Package Manager](/windows/package-manager/) will validate the Microsoft Store certificate used is valid and belongs to the Microsoft Store before communicating with the Microsoft Store source.
- If you don't configure this policy, the [Windows Package Manager](/windows/package-manager/) administrator settings will be adhered to.
<!-- EnableBypassCertificatePinningForMicrosoftStore-Description-End -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-Editable-Begin -->
@ -232,7 +237,6 @@ Users will still be able to execute the *winget* command. The default help will
<!-- EnableBypassCertificatePinningForMicrosoftStore-DFProperties-End -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -240,6 +244,11 @@ Users will still be able to execute the *winget* command. The default help will
| Name | Value |
|:--|:--|
| Name | EnableBypassCertificatePinningForMicrosoftStore |
| Friendly Name | Enable App Installer Microsoft Store Source Certificate Validation Bypass |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableBypassCertificatePinningForMicrosoftStore |
| ADMX File Name | DesktopAppInstaller.admx |
<!-- EnableBypassCertificatePinningForMicrosoftStore-AdmxBacked-End -->
@ -445,7 +454,14 @@ This policy controls whether or not the [Windows Package Manager](/windows/packa
<!-- EnableLocalArchiveMalwareScanOverride-OmaUri-End -->
<!-- EnableLocalArchiveMalwareScanOverride-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy controls the ability to override malware vulnerability scans when installing an archive file using a local manifest using the command line arguments.
- If you enable this policy, users can override the malware scan when performing a local manifest install of an archive file.
- If you disable this policy, users will be unable to override the malware scan of an archive file when installing using a local manifest.
- If you don't configure this policy, the [Windows Package Manager](/windows/package-manager/) administrator settings will be adhered to.
<!-- EnableLocalArchiveMalwareScanOverride-Description-End -->
<!-- EnableLocalArchiveMalwareScanOverride-Editable-Begin -->
@ -462,7 +478,6 @@ This policy controls whether or not the [Windows Package Manager](/windows/packa
<!-- EnableLocalArchiveMalwareScanOverride-DFProperties-End -->
<!-- EnableLocalArchiveMalwareScanOverride-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -470,6 +485,11 @@ This policy controls whether or not the [Windows Package Manager](/windows/packa
| Name | Value |
|:--|:--|
| Name | EnableLocalArchiveMalwareScanOverride |
| Friendly Name | Enable App Installer Local Archive Malware Scan Override |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableLocalArchiveMalwareScanOverride |
| ADMX File Name | DesktopAppInstaller.admx |
<!-- EnableLocalArchiveMalwareScanOverride-AdmxBacked-End -->
@ -618,9 +638,9 @@ This policy controls the Microsoft Store source included with the [Windows Packa
<!-- Description-Source-ADMX -->
This policy controls whether users can install packages from a website that's using the ms-appinstaller protocol.
- If you enable or don't configure this setting, users will be able to install packages from websites that use this protocol.
- If you enable this setting, users will be able to install packages from websites that use this protocol.
- If you disable this setting, users won't be able to install packages from websites that use this protocol.
- If you disable or don't configure this setting, users won't be able to install packages from websites that use this protocol.
<!-- EnableMSAppInstallerProtocol-Description-End -->
<!-- EnableMSAppInstallerProtocol-Editable-Begin -->
@ -724,7 +744,7 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerCommandLineInterfaces-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- EnableWindowsPackageManagerCommandLineInterfaces-Applicability-End -->
<!-- EnableWindowsPackageManagerCommandLineInterfaces-OmaUri-Begin -->
@ -734,7 +754,14 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerCommandLineInterfaces-OmaUri-End -->
<!-- EnableWindowsPackageManagerCommandLineInterfaces-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy determines if a user can perform an action using the [Windows Package Manager](/windows/package-manager/) through a command line interface (WinGet CLI, or WinGet PowerShell).
If you disable this policy, users won't be able execute the [Windows Package Manager](/windows/package-manager/) CLI, and PowerShell cmdlets.
If you enable, or don't configuring this policy, users will be able to execute the [Windows Package Manager](/windows/package-manager/) CLI commands, and PowerShell cmdlets. (Provided "Enable App Installer" policy isn't disabled).
This policy doesn't override the "Enable App Installer" policy.
<!-- EnableWindowsPackageManagerCommandLineInterfaces-Description-End -->
<!-- EnableWindowsPackageManagerCommandLineInterfaces-Editable-Begin -->
@ -751,7 +778,6 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerCommandLineInterfaces-DFProperties-End -->
<!-- EnableWindowsPackageManagerCommandLineInterfaces-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -759,6 +785,11 @@ The settings are stored inside of a .json file on the users system. It may be
| Name | Value |
|:--|:--|
| Name | EnableWindowsPackageManagerCommandLineInterfaces |
| Friendly Name | Enable Windows Package Manager command line interfaces |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableWindowsPackageManagerCommandLineInterfaces |
| ADMX File Name | DesktopAppInstaller.admx |
<!-- EnableWindowsPackageManagerCommandLineInterfaces-AdmxBacked-End -->
@ -774,7 +805,7 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerConfiguration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- EnableWindowsPackageManagerConfiguration-Applicability-End -->
<!-- EnableWindowsPackageManagerConfiguration-OmaUri-Begin -->
@ -784,7 +815,12 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerConfiguration-OmaUri-End -->
<!-- EnableWindowsPackageManagerConfiguration-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy controls whether the [Windows Package Manager](/windows/package-manager/) configuration feature can be used by users.
- If you enable or don't configure this setting, users will be able to use the [Windows Package Manager](/windows/package-manager/) configuration feature.
- If you disable this setting, users won't be able to use the [Windows Package Manager](/windows/package-manager/) configuration feature.
<!-- EnableWindowsPackageManagerConfiguration-Description-End -->
<!-- EnableWindowsPackageManagerConfiguration-Editable-Begin -->
@ -801,7 +837,6 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerConfiguration-DFProperties-End -->
<!-- EnableWindowsPackageManagerConfiguration-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -809,6 +844,11 @@ The settings are stored inside of a .json file on the users system. It may be
| Name | Value |
|:--|:--|
| Name | EnableWindowsPackageManagerConfiguration |
| Friendly Name | Enable Windows Package Manager Configuration |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableWindowsPackageManagerConfiguration |
| ADMX File Name | DesktopAppInstaller.admx |
<!-- EnableWindowsPackageManagerConfiguration-AdmxBacked-End -->
@ -835,9 +875,9 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- SourceAutoUpdateInterval-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls the auto update interval for package-based sources.
This policy controls the auto-update interval for package-based sources. The default source for [Windows Package Manager](/windows/package-manager/) is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed.
- If you disable or don't configure this setting, the default interval or the value specified in settings will be used by the [Windows Package Manager](/windows/package-manager/).
- If you disable or don't configure this setting, the default interval or the value specified in the [Windows Package Manager](/windows/package-manager/) settings will be used.
- If you enable this setting, the number of minutes specified will be used by the [Windows Package Manager](/windows/package-manager/).
<!-- SourceAutoUpdateInterval-Description-End -->

22
windows/client-management/mdm/policy-csp-devicelock.md
View File

@ -1,7 +1,7 @@
---
title: DeviceLock Policy CSP
description: Learn more about the DeviceLock Area in Policy CSP.
ms.date: 08/05/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,8 +11,6 @@ ms.date: 08/05/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- DeviceLock-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!IMPORTANT]
@ -25,7 +23,7 @@ ms.date: 08/05/2024
<!-- AccountLockoutPolicy-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AccountLockoutPolicy-Applicability-End -->
<!-- AccountLockoutPolicy-OmaUri-Begin -->
@ -64,7 +62,7 @@ Account lockout threshold - This security setting determines the number of faile
<!-- AllowAdministratorLockout-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllowAdministratorLockout-Applicability-End -->
<!-- AllowAdministratorLockout-OmaUri-Begin -->
@ -329,7 +327,7 @@ Determines the type of PIN or password required. This policy only applies if the
<!-- ClearTextPassword-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ClearTextPassword-Applicability-End -->
<!-- ClearTextPassword-OmaUri-Begin -->
@ -685,7 +683,7 @@ The number of authentication failures allowed before the device will be wiped. A
<!-- MaximumPasswordAge-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- MaximumPasswordAge-Applicability-End -->
<!-- MaximumPasswordAge-OmaUri-Begin -->
@ -1025,7 +1023,7 @@ This security setting determines the period of time (in days) that a password mu
<!-- MinimumPasswordLength-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- MinimumPasswordLength-Applicability-End -->
<!-- MinimumPasswordLength-OmaUri-Begin -->
@ -1078,7 +1076,7 @@ This security setting determines the least number of characters that a password
<!-- MinimumPasswordLengthAudit-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- MinimumPasswordLengthAudit-Applicability-End -->
<!-- MinimumPasswordLengthAudit-OmaUri-Begin -->
@ -1128,7 +1126,7 @@ This security setting determines the minimum password length for which password
<!-- PasswordComplexity-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- PasswordComplexity-Applicability-End -->
<!-- PasswordComplexity-OmaUri-Begin -->
@ -1188,7 +1186,7 @@ Complexity requirements are enforced when passwords are changed or created.
<!-- PasswordHistorySize-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- PasswordHistorySize-Applicability-End -->
<!-- PasswordHistorySize-OmaUri-Begin -->
@ -1360,7 +1358,7 @@ If you enable this setting, users will no longer be able to modify slide show se
<!-- RelaxMinimumPasswordLengthLimits-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- RelaxMinimumPasswordLengthLimits-Applicability-End -->
<!-- RelaxMinimumPasswordLengthLimits-OmaUri-Begin -->

19
windows/client-management/mdm/policy-csp-experience.md
View File

@ -1,7 +1,7 @@
---
title: Experience Policy CSP
description: Learn more about the Experience Area in Policy CSP.
ms.date: 08/07/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 08/07/2024
<!-- Experience-Begin -->
# Policy CSP - Experience
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Experience-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Experience-Editable-End -->
@ -484,7 +482,7 @@ Allow screen capture.
<!-- AllowScreenRecorder-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllowScreenRecorder-Applicability-End -->
<!-- AllowScreenRecorder-OmaUri-Begin -->
@ -494,7 +492,7 @@ Allow screen capture.
<!-- AllowScreenRecorder-OmaUri-End -->
<!-- AllowScreenRecorder-Description-Begin -->
<!-- Description-Source-DDF -->
<!-- Description-Source-ADMX -->
This policy setting allows you to control whether screen recording functionality is available in the Windows Snipping Tool app.
- If you disable this policy setting, screen recording functionality won't be accessible in the Windows Snipping Tool app.
@ -531,7 +529,12 @@ This policy setting allows you to control whether screen recording functionality
| Name | Value |
|:--|:--|
| Name | AllowScreenRecorder |
| Path | Programs > AT > WindowsComponents > SnippingTool |
| Friendly Name | Allow Screen Recorder |
| Location | User Configuration |
| Path | Windows Components > Snipping Tool |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\SnippingTool |
| Registry Value Name | AllowScreenRecorder |
| ADMX File Name | Programs.admx |
<!-- AllowScreenRecorder-GpMapping-End -->
<!-- AllowScreenRecorder-Examples-Begin -->
@ -1681,7 +1684,7 @@ This policy setting lets you turn off cloud consumer account state content in al
<!-- DisableTextTranslation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisableTextTranslation-Applicability-End -->
<!-- DisableTextTranslation-OmaUri-Begin -->
@ -1887,7 +1890,7 @@ _**Turn syncing off by default but dont disable**_
<!-- EnableOrganizationalMessages-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4828] and later <br> ✅ Windows 11, version 22H2 with [KB5020044](https://support.microsoft.com/help/5020044) [10.0.22621.900] and later <br> ✅ Windows Insider Preview |
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 with [KB5041582](https://support.microsoft.com/help/5041582) [10.0.19045.4842] and later <br> ✅ Windows 11, version 22H2 with [KB5020044](https://support.microsoft.com/help/5020044) [10.0.22621.900] and later <br> ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- EnableOrganizationalMessages-Applicability-End -->
<!-- EnableOrganizationalMessages-OmaUri-Begin -->

4
windows/client-management/mdm/policy-csp-fileexplorer.md
View File

@ -1,7 +1,7 @@
---
title: FileExplorer Policy CSP
description: Learn more about the FileExplorer Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -138,7 +138,7 @@ When This PC location is restricted, give the user the option to enumerate and n
<!-- DisableGraphRecentItems-Description-Begin -->
<!-- Description-Source-ADMX -->
Turning off this setting will prevent File Explorer from requesting cloud file metadata and displaying it in the homepage and other views in File Explorer. Any insights and files available based on account activity will be stopped in views such as Recent, Recommended, Favorites, etc.
Turning off this setting will prevent File Explorer from requesting cloud file metadata and displaying it in the homepage and other views in File Explorer. Any insights and files available based on account activity will be stopped in views such as Recent, Recommended, Favorites, Details pane, etc.
<!-- DisableGraphRecentItems-Description-End -->
<!-- DisableGraphRecentItems-Editable-Begin -->

12
windows/client-management/mdm/policy-csp-humanpresence.md
View File

@ -1,7 +1,7 @@
---
title: HumanPresence Policy CSP
description: Learn more about the HumanPresence Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 01/18/2024
<!-- HumanPresence-Begin -->
# Policy CSP - HumanPresence
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- HumanPresence-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- HumanPresence-Editable-End -->
@ -21,7 +19,7 @@ ms.date: 01/18/2024
<!-- ForceAllowDimWhenExternalDisplayConnected-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ForceAllowDimWhenExternalDisplayConnected-Applicability-End -->
<!-- ForceAllowDimWhenExternalDisplayConnected-OmaUri-Begin -->
@ -85,7 +83,7 @@ Determines whether Allow Adaptive Dimming When Battery Saver On checkbox is forc
<!-- ForceAllowLockWhenExternalDisplayConnected-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ForceAllowLockWhenExternalDisplayConnected-Applicability-End -->
<!-- ForceAllowLockWhenExternalDisplayConnected-OmaUri-Begin -->
@ -149,7 +147,7 @@ Determines whether Allow Lock on Leave When Battery Saver On checkbox is forced
<!-- ForceAllowWakeWhenExternalDisplayConnected-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ForceAllowWakeWhenExternalDisplayConnected-Applicability-End -->
<!-- ForceAllowWakeWhenExternalDisplayConnected-OmaUri-Begin -->
@ -213,7 +211,7 @@ Determines whether Allow Wake on Approach When External Display Connected checkb
<!-- ForceDisableWakeWhenBatterySaverOn-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ForceDisableWakeWhenBatterySaverOn-Applicability-End -->
<!-- ForceDisableWakeWhenBatterySaverOn-OmaUri-Begin -->

25
windows/client-management/mdm/policy-csp-internetexplorer.md
View File

@ -1,7 +1,7 @@
---
title: InternetExplorer Policy CSP
description: Learn more about the InternetExplorer Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -1005,7 +1005,12 @@ Note. It's recommended to configure template policy settings in one Group Policy
<!-- AllowLegacyURLFields-OmaUri-End -->
<!-- AllowLegacyURLFields-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting allows the use of some disabled functionality, such as WorkingDirectory field or pluggable protocol handling, in Internet Shortcut files.
If you enable this policy, disabled functionality for Internet Shortcut files will be re-enabled.
If you disable, or don't configure this policy, some functionality for Internet Shortcut files, such as WorkingDirectory field or pluggable protocol handling, will be disabled.
<!-- AllowLegacyURLFields-Description-End -->
<!-- AllowLegacyURLFields-Editable-Begin -->
@ -1022,7 +1027,6 @@ Note. It's recommended to configure template policy settings in one Group Policy
<!-- AllowLegacyURLFields-DFProperties-End -->
<!-- AllowLegacyURLFields-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -1030,6 +1034,11 @@ Note. It's recommended to configure template policy settings in one Group Policy
| Name | Value |
|:--|:--|
| Name | AllowLegacyURLFields |
| Friendly Name | Allow legacy functionality for Internet Shortcut files |
| Location | Computer and User Configuration |
| Path | Windows Components > Internet Explorer |
| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main |
| Registry Value Name | AllowLegacyURLFields |
| ADMX File Name | inetres.admx |
<!-- AllowLegacyURLFields-AdmxBacked-End -->
@ -7923,13 +7932,11 @@ This policy setting allows you to manage the opening of windows and frames and a
<!-- JScriptReplacement-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting specifies whether JScript or JScript9Legacy is loaded for MSHTML/WebOC/MSXML/Cscript based invocations.
This policy setting specifies whether JScript or JScript9Legacy is loaded.
- If you enable this policy setting, JScript9Legacy will be loaded in situations where JScript is instantiated.
- If you enable this policy setting or not configured, JScript9Legacy will be loaded in situations where JScript is instantiated.
- If you disable this policy, then JScript will be utilized.
- If this policy is left unconfigured, then MSHTML will use JScript9Legacy and MSXML/Cscript will use JScript.
<!-- JScriptReplacement-Description-End -->
<!-- JScriptReplacement-Editable-Begin -->
@ -7953,7 +7960,7 @@ This policy setting specifies whether JScript or JScript9Legacy is loaded for MS
| Name | Value |
|:--|:--|
| Name | JScriptReplacement |
| Friendly Name | Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC. |
| Friendly Name | Replace JScript by loading JScript9Legacy in place of JScript. |
| Location | Computer and User Configuration |
| Path | Windows Components > Internet Explorer |
| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main |
@ -13407,7 +13414,7 @@ If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode
If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page.
For more information, see <https://go.microsoft.com/fwlink/?linkid=2102115>
For more information, see <https://go.microsoft.com/fwlink/?linkid=2220107>
<!-- ResetZoomForDialogInIEMode-Description-End -->
<!-- ResetZoomForDialogInIEMode-Editable-Begin -->

4
windows/client-management/mdm/policy-csp-lanmanworkstation.md
View File

@ -1,7 +1,7 @@
---
title: LanmanWorkstation Policy CSP
description: Learn more about the LanmanWorkstation Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -36,6 +36,8 @@ This policy setting determines if the SMB client will allow insecure guest logon
- If you disable this policy setting, the SMB client will reject insecure guest logons.
If you enable signing, the SMB client will reject insecure guest logons.
Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and don't use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access".
<!-- EnableInsecureGuestLogons-Description-End -->

66
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -1,7 +1,7 @@
---
title: LocalPoliciesSecurityOptions Policy CSP
description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CSP.
ms.date: 09/11/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -360,7 +360,7 @@ Accounts: Rename guest account This security setting determines whether a differ
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Applicability-End -->
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-OmaUri-Begin -->
@ -404,7 +404,7 @@ Audit: Audit the use of Backup and Restore privilege This security setting deter
<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Applicability-End -->
<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-OmaUri-Begin -->
@ -445,7 +445,7 @@ Audit: Force audit policy subcategory settings (Windows Vista or later) to overr
<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Applicability-End -->
<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-OmaUri-Begin -->
@ -718,7 +718,7 @@ Devices: Restrict CD-ROM access to locally logged-on user only This security set
<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Applicability-End -->
<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-OmaUri-Begin -->
@ -771,7 +771,7 @@ Devices: Restrict floppy access to locally logged-on user only This security set
<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Applicability-End -->
<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-OmaUri-Begin -->
@ -825,7 +825,7 @@ Domain member: Digitally encrypt or sign secure channel data (always) This secur
<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Applicability-End -->
<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-OmaUri-Begin -->
@ -878,7 +878,7 @@ Domain member: Digitally encrypt secure channel data (when possible) This securi
<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Applicability-End -->
<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-OmaUri-Begin -->
@ -928,7 +928,7 @@ Domain member: Digitally sign secure channel data (when possible) This security
<!-- DomainMember_DisableMachineAccountPasswordChanges-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DomainMember_DisableMachineAccountPasswordChanges-Applicability-End -->
<!-- DomainMember_DisableMachineAccountPasswordChanges-OmaUri-Begin -->
@ -982,7 +982,7 @@ Domain member: Disable machine account password changes Determines whether a dom
<!-- DomainMember_MaximumMachineAccountPasswordAge-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DomainMember_MaximumMachineAccountPasswordAge-Applicability-End -->
<!-- DomainMember_MaximumMachineAccountPasswordAge-OmaUri-Begin -->
@ -1035,7 +1035,7 @@ Domain member: Maximum machine account password age This security setting determ
<!-- DomainMember_RequireStrongSessionKey-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DomainMember_RequireStrongSessionKey-Applicability-End -->
<!-- DomainMember_RequireStrongSessionKey-OmaUri-Begin -->
@ -1335,7 +1335,7 @@ Interactive logon: Don't require CTRL+ALT+DEL This security setting determines w
<!-- InteractiveLogon_MachineAccountLockoutThreshold-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- InteractiveLogon_MachineAccountLockoutThreshold-Applicability-End -->
<!-- InteractiveLogon_MachineAccountLockoutThreshold-OmaUri-Begin -->
@ -1535,7 +1535,7 @@ Interactive logon: Message title for users attempting to log on This security se
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-End -->
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-OmaUri-Begin -->
@ -1575,7 +1575,7 @@ Interactive logon: Number of previous logons to cache (in case domain controller
<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Applicability-End -->
<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-OmaUri-Begin -->
@ -1864,7 +1864,7 @@ Microsoft network client: Send unencrypted password to connect to third-party SM
<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Applicability-End -->
<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-OmaUri-Begin -->
@ -2047,7 +2047,7 @@ Microsoft network server: Digitally sign communications (if client agrees) This
<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Applicability-End -->
<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-OmaUri-Begin -->
@ -2090,7 +2090,7 @@ Microsoft network server: Disconnect clients when logon hours expire This securi
<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Applicability-End -->
<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-OmaUri-Begin -->
@ -2131,7 +2131,7 @@ Microsoft network server: Server SPN target name validation level This policy se
<!-- NetworkAccess_AllowAnonymousSIDOrNameTranslation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_AllowAnonymousSIDOrNameTranslation-Applicability-End -->
<!-- NetworkAccess_AllowAnonymousSIDOrNameTranslation-OmaUri-Begin -->
@ -2312,7 +2312,7 @@ Network access: Don't allow anonymous enumeration of SAM accounts and shares Thi
<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Applicability-End -->
<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-OmaUri-Begin -->
@ -2360,7 +2360,7 @@ Network access: Don't allow storage of passwords and credentials for network aut
<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Applicability-End -->
<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-OmaUri-Begin -->
@ -2412,7 +2412,7 @@ Network access: Let Everyone permissions apply to anonymous users This security
<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Applicability-End -->
<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-OmaUri-Begin -->
@ -2452,7 +2452,7 @@ Network access: Named pipes that can be accessed anonymously This security setti
<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Applicability-End -->
<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-OmaUri-Begin -->
@ -2495,7 +2495,7 @@ Network access: Remotely accessible registry paths This security setting determi
<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Applicability-End -->
<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-OmaUri-Begin -->
@ -2644,7 +2644,7 @@ Network access: Restrict clients allowed to make remote calls to SAM This policy
<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Applicability-End -->
<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-OmaUri-Begin -->
@ -2684,7 +2684,7 @@ Network access: Shares that can be accessed anonymously This security setting de
<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Applicability-End -->
<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-OmaUri-Begin -->
@ -2728,7 +2728,7 @@ Network access: Sharing and security model for local accounts This security sett
<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Applicability-End -->
<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-OmaUri-Begin -->
@ -2958,7 +2958,7 @@ Network security: Don't store LAN Manager hash value on next password change Thi
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-Applicability-End -->
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-OmaUri-Begin -->
@ -3083,7 +3083,7 @@ Network security LAN Manager authentication level This security setting determin
<!-- NetworkSecurity_LDAPClientSigningRequirements-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkSecurity_LDAPClientSigningRequirements-Applicability-End -->
<!-- NetworkSecurity_LDAPClientSigningRequirements-OmaUri-Begin -->
@ -3489,7 +3489,7 @@ Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers This po
<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Applicability-End -->
<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-OmaUri-Begin -->
@ -3539,7 +3539,7 @@ Recovery console: Allow automatic administrative logon This security setting det
<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Applicability-End -->
<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-OmaUri-Begin -->
@ -3696,7 +3696,7 @@ Shutdown: Clear virtual memory pagefile This security setting determines whether
<!-- SystemCryptography_ForceStrongKeyProtection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- SystemCryptography_ForceStrongKeyProtection-Applicability-End -->
<!-- SystemCryptography_ForceStrongKeyProtection-OmaUri-Begin -->
@ -3737,7 +3737,7 @@ System Cryptography: Force strong key protection for user keys stored on the com
<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Applicability-End -->
<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-OmaUri-Begin -->
@ -3787,7 +3787,7 @@ System objects: Require case insensitivity for non-Windows subsystems This secur
<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Applicability-End -->
<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-OmaUri-Begin -->

6
windows/client-management/mdm/policy-csp-lsa.md
View File

@ -1,7 +1,7 @@
---
title: LocalSecurityAuthority Policy CSP
description: Learn more about the LocalSecurityAuthority Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -93,7 +93,7 @@ This policy controls the configuration under which LSASS loads custom SSPs and A
<!-- Description-Source-ADMX -->
This policy controls the configuration under which LSASS is run.
- If you don't configure this policy and there is no current setting in the registry, LSA will run as protected process for clean installed, HVCI capable, client SKUs that are domain or cloud domain joined devices. This configuration isn't UEFI locked. This can be overridden if the policy is configured.
- If you don't configure this policy and there is no current setting in the registry, LSA will run as protected process for all clean installed, HVCI capable, client SKUs. This configuration isn't UEFI locked. This can be overridden if the policy is configured.
- If you configure and set this policy setting to "Disabled", LSA won't run as a protected process.
@ -135,7 +135,7 @@ This policy controls the configuration under which LSASS is run.
| Friendly Name | Configures LSASS to run as a protected process |
| Location | Computer Configuration |
| Path | System > Local Security Authority |
| Registry Key Name | System\CurrentControlSet\Control\Lsa |
| Registry Key Name | Software\Policies\Microsoft\Windows\System |
| ADMX File Name | LocalSecurityAuthority.admx |
<!-- ConfigureLsaProtectedProcess-GpMapping-End -->

6
windows/client-management/mdm/policy-csp-mssecurityguide.md
View File

@ -1,7 +1,7 @@
---
title: MSSecurityGuide Policy CSP
description: Learn more about the MSSecurityGuide Area in Policy CSP.
ms.date: 01/31/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,8 +11,6 @@ ms.date: 01/31/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- MSSecurityGuide-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MSSecurityGuide-Editable-End -->
@ -223,7 +221,7 @@ ms.date: 01/31/2024
<!-- NetBTNodeTypeConfiguration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetBTNodeTypeConfiguration-Applicability-End -->
<!-- NetBTNodeTypeConfiguration-OmaUri-Begin -->

16
windows/client-management/mdm/policy-csp-networklistmanager.md
View File

@ -1,7 +1,7 @@
---
title: NetworkListManager Policy CSP
description: Learn more about the NetworkListManager Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 08/06/2024
<!-- NetworkListManager-Begin -->
# Policy CSP - NetworkListManager
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- NetworkListManager-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- NetworkListManager-Editable-End -->
@ -21,7 +19,7 @@ ms.date: 08/06/2024
<!-- AllNetworks_NetworkIcon-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllNetworks_NetworkIcon-Applicability-End -->
<!-- AllNetworks_NetworkIcon-OmaUri-Begin -->
@ -70,7 +68,7 @@ This policy setting allows you to specify whether users can change the network i
<!-- AllNetworks_NetworkLocation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllNetworks_NetworkLocation-Applicability-End -->
<!-- AllNetworks_NetworkLocation-OmaUri-Begin -->
@ -119,7 +117,7 @@ This policy setting allows you to specify whether users can change the network l
<!-- AllNetworks_NetworkName-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllNetworks_NetworkName-Applicability-End -->
<!-- AllNetworks_NetworkName-OmaUri-Begin -->
@ -262,7 +260,7 @@ This policy setting provides the string that names a network. If this setting is
<!-- IdentifyingNetworks_LocationType-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- IdentifyingNetworks_LocationType-Applicability-End -->
<!-- IdentifyingNetworks_LocationType-OmaUri-Begin -->
@ -311,7 +309,7 @@ This policy setting allows you to configure the Network Location for networks th
<!-- UnidentifiedNetworks_LocationType-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- UnidentifiedNetworks_LocationType-Applicability-End -->
<!-- UnidentifiedNetworks_LocationType-OmaUri-Begin -->
@ -360,7 +358,7 @@ This policy setting allows you to configure the Network Location type for networ
<!-- UnidentifiedNetworks_UserPermissions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- UnidentifiedNetworks_UserPermissions-Applicability-End -->
<!-- UnidentifiedNetworks_UserPermissions-OmaUri-Begin -->

6
windows/client-management/mdm/policy-csp-notifications.md
View File

@ -1,7 +1,7 @@
---
title: Notifications Policy CSP
description: Learn more about the Notifications Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 01/18/2024
<!-- Notifications-Begin -->
# Policy CSP - Notifications
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Notifications-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Notifications-Editable-End -->
@ -21,7 +19,7 @@ ms.date: 01/18/2024
<!-- DisableAccountNotifications-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisableAccountNotifications-Applicability-End -->
<!-- DisableAccountNotifications-OmaUri-Begin -->

34
windows/client-management/mdm/policy-csp-printers.md
View File

@ -1,7 +1,7 @@
---
title: Printers Policy CSP
description: Learn more about the Printers Area in Policy CSP.
ms.date: 01/31/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -369,7 +369,7 @@ Determines whether Redirection Guard is enabled for the print spooler.
You can enable this setting to configure the Redirection Guard policy being applied to spooler.
- If you disable or don't configure this policy setting, Redirection Guard will default to being 'enabled'.
- If you disable or don't configure this policy setting, Redirection Guard will default to being 'Enabled'.
- If you enable this setting you may select the following options:
@ -435,7 +435,12 @@ The following are the supported values:
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-OmaUri-End -->
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting controls whether packet level privacy is enabled for RPC for incoming connections.
By default packet level privacy is enabled for RPC for incoming connections.
If you enable or don't configure this policy setting, packet level privacy is enabled for RPC for incoming connections.
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-Description-End -->
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-Editable-Begin -->
@ -452,7 +457,6 @@ The following are the supported values:
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-DFProperties-End -->
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -460,6 +464,11 @@ The following are the supported values:
| Name | Value |
|:--|:--|
| Name | ConfigureRpcAuthnLevelPrivacyEnabled |
| Friendly Name | Configure RPC packet level privacy setting for incoming connections |
| Location | Computer Configuration |
| Path | Printers |
| Registry Key Name | System\CurrentControlSet\Control\Print |
| Registry Value Name | RpcAuthnLevelPrivacyEnabled |
| ADMX File Name | Printing.admx |
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-AdmxBacked-End -->
@ -685,7 +694,16 @@ If you disable or don't configure this policy setting, dynamic TCP ports are use
<!-- ConfigureWindowsProtectedPrint-OmaUri-End -->
<!-- ConfigureWindowsProtectedPrint-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
Determines whether Windows protected print is enabled on this computer.
By default, Windows protected print isn't enabled and there aren't any restrictions on the print drivers that can be installed or print functionality.
- If you enable this setting, the computer will operate in Windows protected print mode which only allows printing to printers that support a subset of inbox Windows print drivers.
- If you disable this setting or don't configure it, there aren't any restrictions on the print drivers that can be installed or print functionality.
For more information, please see [insert link to web page with WPP info]
<!-- ConfigureWindowsProtectedPrint-Description-End -->
<!-- ConfigureWindowsProtectedPrint-Editable-Begin -->
@ -702,7 +720,6 @@ If you disable or don't configure this policy setting, dynamic TCP ports are use
<!-- ConfigureWindowsProtectedPrint-DFProperties-End -->
<!-- ConfigureWindowsProtectedPrint-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -710,6 +727,11 @@ If you disable or don't configure this policy setting, dynamic TCP ports are use
| Name | Value |
|:--|:--|
| Name | ConfigureWindowsProtectedPrint |
| Friendly Name | Configure Windows protected print |
| Location | Computer Configuration |
| Path | Printers |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\WPP |
| Registry Value Name | WindowsProtectedPrintGroupPolicyState |
| ADMX File Name | Printing.admx |
<!-- ConfigureWindowsProtectedPrint-AdmxBacked-End -->

203
windows/client-management/mdm/policy-csp-privacy.md
View File

@ -1,7 +1,7 @@
---
title: Privacy Policy CSP
description: Learn more about the Privacy Area in Policy CSP.
ms.date: 09/11/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -2398,207 +2398,6 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. The use
<!-- LetAppsAccessGazeInput_UserInControlOfTheseApps-End -->
<!-- LetAppsAccessGenerativeAI-Begin -->
## LetAppsAccessGenerativeAI
<!-- LetAppsAccessGenerativeAI-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- LetAppsAccessGenerativeAI-Applicability-End -->
<!-- LetAppsAccessGenerativeAI-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI
```
<!-- LetAppsAccessGenerativeAI-OmaUri-End -->
<!-- LetAppsAccessGenerativeAI-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting specifies whether Windows apps can use generative AI features of Windows.
<!-- LetAppsAccessGenerativeAI-Description-End -->
<!-- LetAppsAccessGenerativeAI-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI-Editable-End -->
<!-- LetAppsAccessGenerativeAI-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-2]` |
| Default Value | 0 |
<!-- LetAppsAccessGenerativeAI-DFProperties-End -->
<!-- LetAppsAccessGenerativeAI-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | LetAppsAccessGenerativeAI |
| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
| Element Name | LetAppsAccessGenerativeAI_Enum |
<!-- LetAppsAccessGenerativeAI-GpMapping-End -->
<!-- LetAppsAccessGenerativeAI-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI-Examples-End -->
<!-- LetAppsAccessGenerativeAI-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Begin -->
## LetAppsAccessGenerativeAI_ForceAllowTheseApps
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Applicability-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI_ForceAllowTheseApps
```
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-OmaUri-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Description-Begin -->
<!-- Description-Source-DDF -->
List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to use generative AI features of Windows. This setting overrides the default LetAppsAccessGenerativeAI policy setting for the specified apps.
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Description-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Editable-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-DFProperties-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | LetAppsAccessGenerativeAI |
| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
| Element Name | LetAppsAccessGenerativeAI_ForceAllowTheseApps_List |
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-GpMapping-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Examples-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Begin -->
## LetAppsAccessGenerativeAI_ForceDenyTheseApps
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Applicability-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI_ForceDenyTheseApps
```
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-OmaUri-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Description-Begin -->
<!-- Description-Source-DDF -->
List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the use generative AI features of Windows. This setting overrides the default LetAppsAccessGenerativeAI policy setting for the specified apps.
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Description-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Editable-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-DFProperties-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | LetAppsAccessGenerativeAI |
| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
| Element Name | LetAppsAccessGenerativeAI_ForceDenyTheseApps_List |
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-GpMapping-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Examples-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Begin -->
## LetAppsAccessGenerativeAI_UserInControlOfTheseApps
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Applicability-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI_UserInControlOfTheseApps
```
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-OmaUri-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Description-Begin -->
<!-- Description-Source-DDF -->
List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the generative AI setting for the listed apps. This setting overrides the default LetAppsAccessGenerativeAI policy setting for the specified apps.
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Description-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Editable-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-DFProperties-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | LetAppsAccessGenerativeAI |
| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
| Element Name | LetAppsAccessGenerativeAI_UserInControlOfTheseApps_List |
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-GpMapping-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Examples-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-End -->
<!-- LetAppsAccessGraphicsCaptureProgrammatic-Begin -->
## LetAppsAccessGraphicsCaptureProgrammatic

98
windows/client-management/mdm/policy-csp-remotedesktopservices.md
View File

@ -1,7 +1,7 @@
---
title: RemoteDesktopServices Policy CSP
description: Learn more about the RemoteDesktopServices Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -156,7 +156,7 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!-- DisconnectOnLockLegacyAuthn-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisconnectOnLockLegacyAuthn-Applicability-End -->
<!-- DisconnectOnLockLegacyAuthn-OmaUri-Begin -->
@ -166,7 +166,14 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!-- DisconnectOnLockLegacyAuthn-OmaUri-End -->
<!-- DisconnectOnLockLegacyAuthn-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure the user experience when the Remote Desktop session is locked by the user or by a policy. You can specify whether the remote session will show the remote lock screen or disconnect when the remote session is locked. Disconnecting the remote session ensures that a remote session can't be left on the lock screen and can't reconnect automatically due to loss of network connectivity.
This policy applies only when using legacy authentication to authenticate to the remote PC. Legacy authentication is limited to username and password, or certificates like smartcards. Legacy authentication doesn't leverage the Microsoft identity platform, such as Microsoft Entra ID. Legacy authentication includes the NTLM, CredSSP, RDSTLS, TLS, and RDP basic authentication protocols.
- If you enable this policy setting, Remote Desktop connections using legacy authentication will disconnect the remote session when the remote session is locked. Users can reconnect when they're ready and re-enter their credentials when prompted.
- If you disable or don't configure this policy setting, Remote Desktop connections using legacy authentication will show the remote lock screen when the remote session is locked. Users can unlock the remote session using their username and password, or certificates.
<!-- DisconnectOnLockLegacyAuthn-Description-End -->
<!-- DisconnectOnLockLegacyAuthn-Editable-Begin -->
@ -183,7 +190,6 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!-- DisconnectOnLockLegacyAuthn-DFProperties-End -->
<!-- DisconnectOnLockLegacyAuthn-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -191,7 +197,12 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
| Name | Value |
|:--|:--|
| Name | TS_DISCONNECT_ON_LOCK_POLICY |
| ADMX File Name | terminalserver.admx |
| Friendly Name | Disconnect remote session on lock for legacy authentication |
| Location | Computer Configuration |
| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
| Registry Value Name | fDisconnectOnLockLegacy |
| ADMX File Name | TerminalServer.admx |
<!-- DisconnectOnLockLegacyAuthn-AdmxBacked-End -->
<!-- DisconnectOnLockLegacyAuthn-Examples-Begin -->
@ -206,7 +217,7 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!-- DisconnectOnLockMicrosoftIdentityAuthn-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisconnectOnLockMicrosoftIdentityAuthn-Applicability-End -->
<!-- DisconnectOnLockMicrosoftIdentityAuthn-OmaUri-Begin -->
@ -216,7 +227,14 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!-- DisconnectOnLockMicrosoftIdentityAuthn-OmaUri-End -->
<!-- DisconnectOnLockMicrosoftIdentityAuthn-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure the user experience when the Remote Desktop session is locked by the user or by a policy. You can specify whether the remote session will show the remote lock screen or disconnect when the remote session is locked. Disconnecting the remote session ensures that a remote session can't be left on the lock screen and can't reconnect automatically due to loss of network connectivity.
This policy applies only when using an identity provider that uses the Microsoft identity platform, such as Microsoft Entra ID, to authenticate to the remote PC. This policy doesn't apply when using Legacy authentication which includes the NTLM, CredSSP, RDSTLS, TLS, and RDP basic authentication protocols.
- If you enable or don't configure this policy setting, Remote Desktop connections using the Microsoft identity platform will disconnect the remote session when the remote session is locked. Users can reconnect when they're ready and can use passwordless authentication if configured.
- If you disable this policy setting, Remote Desktop connections using the Microsoft identity platform will show the remote lock screen when the remote session is locked. Users can unlock the remote session using their username and password, or certificates.
<!-- DisconnectOnLockMicrosoftIdentityAuthn-Description-End -->
<!-- DisconnectOnLockMicrosoftIdentityAuthn-Editable-Begin -->
@ -233,7 +251,6 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!-- DisconnectOnLockMicrosoftIdentityAuthn-DFProperties-End -->
<!-- DisconnectOnLockMicrosoftIdentityAuthn-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -241,7 +258,12 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
| Name | Value |
|:--|:--|
| Name | TS_DISCONNECT_ON_LOCK_AAD_POLICY |
| ADMX File Name | terminalserver.admx |
| Friendly Name | Disconnect remote session on lock for Microsoft identity platform authentication |
| Location | Computer Configuration |
| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
| Registry Value Name | fDisconnectOnLockMicrosoftIdentity |
| ADMX File Name | TerminalServer.admx |
<!-- DisconnectOnLockMicrosoftIdentityAuthn-AdmxBacked-End -->
<!-- DisconnectOnLockMicrosoftIdentityAuthn-Examples-Begin -->
@ -439,7 +461,7 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- LimitClientToServerClipboardRedirection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later <br> ✅ [10.0.25398.946] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.3014] and later <br> ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later <br> ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later <br> ✅ Windows Insider Preview |
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later <br> ✅ [10.0.25398.946] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.3014] and later <br> ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later <br> ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later <br> ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- LimitClientToServerClipboardRedirection-Applicability-End -->
<!-- LimitClientToServerClipboardRedirection-OmaUri-Begin -->
@ -453,7 +475,25 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- LimitClientToServerClipboardRedirection-OmaUri-End -->
<!-- LimitClientToServerClipboardRedirection-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting allows you to restrict clipboard data transfers from client to server.
- If you enable this policy setting, you must choose from the following behaviors:
- Disable clipboard transfers from client to server.
- Allow plain text copying from client to server.
- Allow plain text and images copying from client to server.
- Allow plain text, images and Rich Text Format copying from client to server.
- Allow plain text, images, Rich Text Format and HTML copying from client to server.
- If you disable or don't configure this policy setting, users can copy arbitrary contents from client to server if clipboard redirection is enabled.
> [!NOTE]
> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the stricter restriction will be used.
<!-- LimitClientToServerClipboardRedirection-Description-End -->
<!-- LimitClientToServerClipboardRedirection-Editable-Begin -->
@ -470,7 +510,6 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- LimitClientToServerClipboardRedirection-DFProperties-End -->
<!-- LimitClientToServerClipboardRedirection-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -478,7 +517,11 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
| Name | Value |
|:--|:--|
| Name | TS_CLIENT_CLIPBOARDRESTRICTION_CS |
| ADMX File Name | terminalserver.admx |
| Friendly Name | Restrict clipboard transfer from client to server |
| Location | Computer and User Configuration |
| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
| ADMX File Name | TerminalServer.admx |
<!-- LimitClientToServerClipboardRedirection-AdmxBacked-End -->
<!-- LimitClientToServerClipboardRedirection-Examples-Begin -->
@ -493,7 +536,7 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- LimitServerToClientClipboardRedirection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later <br> ✅ [10.0.25398.946] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.3014] and later <br> ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later <br> ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later <br> ✅ Windows Insider Preview |
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later <br> ✅ [10.0.25398.946] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.3014] and later <br> ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later <br> ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later <br> ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- LimitServerToClientClipboardRedirection-Applicability-End -->
<!-- LimitServerToClientClipboardRedirection-OmaUri-Begin -->
@ -507,7 +550,25 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- LimitServerToClientClipboardRedirection-OmaUri-End -->
<!-- LimitServerToClientClipboardRedirection-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting allows you to restrict clipboard data transfers from server to client.
- If you enable this policy setting, you must choose from the following behaviors:
- Disable clipboard transfers from server to client.
- Allow plain text copying from server to client.
- Allow plain text and images copying from server to client.
- Allow plain text, images and Rich Text Format copying from server to client.
- Allow plain text, images, Rich Text Format and HTML copying from server to client.
- If you disable or don't configure this policy setting, users can copy arbitrary contents from server to client if clipboard redirection is enabled.
> [!NOTE]
> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the stricter restriction will be used.
<!-- LimitServerToClientClipboardRedirection-Description-End -->
<!-- LimitServerToClientClipboardRedirection-Editable-Begin -->
@ -524,7 +585,6 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- LimitServerToClientClipboardRedirection-DFProperties-End -->
<!-- LimitServerToClientClipboardRedirection-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -532,7 +592,11 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
| Name | Value |
|:--|:--|
| Name | TS_CLIENT_CLIPBOARDRESTRICTION_SC |
| ADMX File Name | terminalserver.admx |
| Friendly Name | Restrict clipboard transfer from server to client |
| Location | Computer and User Configuration |
| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
| ADMX File Name | TerminalServer.admx |
<!-- LimitServerToClientClipboardRedirection-AdmxBacked-End -->
<!-- LimitServerToClientClipboardRedirection-Examples-Begin -->

14
windows/client-management/mdm/policy-csp-search.md
View File

@ -1,7 +1,7 @@
---
title: Search Policy CSP
description: Learn more about the Search Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 08/06/2024
<!-- Search-Begin -->
# Policy CSP - Search
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Search-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Search-Editable-End -->
@ -648,7 +646,7 @@ The most restrictive value is `0` to now allow automatic language detection.
<!-- ConfigureSearchOnTaskbarMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureSearchOnTaskbarMode-Applicability-End -->
<!-- ConfigureSearchOnTaskbarMode-OmaUri-Begin -->
@ -930,13 +928,13 @@ This policy setting configures whether or not locations on removable drives can
<!-- DoNotUseWebResults-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to control whether or not Search can perform queries on the web, if web results are displayed in Search, and if search highlights are shown in the search box and in search home.
This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are displayed in Search.
- If you enable this policy setting, queries won't be performed on the web, web results won't be displayed when a user performs a query in Search, and search highlights won't be shown in the search box and in search home.
- If you enable this policy setting, queries won't be performed on the web and web results won't be displayed when a user performs a query in Search.
- If you disable this policy setting, queries will be performed on the web, web results will be displayed when a user performs a query in Search, and search highlights will be shown in the search box and in search home.
- If you disable this policy setting, queries will be performed on the web and web results will be displayed when a user performs a query in Search.
- If you don't configure this policy setting, a user can choose whether or not Search can perform queries on the web, and if the web results are displayed in Search, and if search highlights are shown in the search box and in search home.
- If you don't configure this policy setting, a user can choose whether or not Search can perform queries on the web, and if the web results are displayed in Search.
<!-- DoNotUseWebResults-Description-End -->
<!-- DoNotUseWebResults-Editable-Begin -->

8
windows/client-management/mdm/policy-csp-settingssync.md
View File

@ -1,7 +1,7 @@
---
title: SettingsSync Policy CSP
description: Learn more about the SettingsSync Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,8 +11,6 @@ ms.date: 01/18/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- SettingsSync-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SettingsSync-Editable-End -->
@ -23,7 +21,7 @@ ms.date: 01/18/2024
<!-- DisableAccessibilitySettingSync-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisableAccessibilitySettingSync-Applicability-End -->
<!-- DisableAccessibilitySettingSync-OmaUri-Begin -->
@ -84,7 +82,7 @@ If you don't set or disable this setting, syncing of the "accessibility" group i
<!-- DisableLanguageSettingSync-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisableLanguageSettingSync-Applicability-End -->
<!-- DisableLanguageSettingSync-OmaUri-Begin -->

57
windows/client-management/mdm/policy-csp-smartscreen.md
View File

@ -1,7 +1,7 @@
---
title: SmartScreen Policy CSP
description: Learn more about the SmartScreen Area in Policy CSP.
ms.date: 01/31/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -29,20 +29,11 @@ ms.date: 01/31/2024
<!-- EnableAppInstallControl-OmaUri-End -->
<!-- EnableAppInstallControl-Description-Begin -->
<!-- Description-Source-ADMX -->
App Install Control is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only from the Store. SmartScreen must be enabled for this feature to work properly.
<!-- Description-Source-DDF-Forced -->
Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
- If you enable this setting, you must choose from the following behaviors:
- Turn off app recommendations.
- Show me app recommendations.
- Warn me before installing apps from outside the Store.
- Allow apps from Store only.
- If you disable or don't configure this setting, users will be able to install apps from anywhere, including files downloaded from the Internet.
> [!NOTE]
> This policy will block installation only while the device is online. To block offline installation too, SmartScreen/PreventOverrideForFilesInShell and SmartScreen/EnableSmartScreenInShell policies should also be enabled. This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.
<!-- EnableAppInstallControl-Description-End -->
<!-- EnableAppInstallControl-Editable-Begin -->
@ -110,23 +101,8 @@ App Install Control is a feature of Windows Defender SmartScreen that helps prot
<!-- EnableSmartScreenInShell-OmaUri-End -->
<!-- EnableSmartScreenInShell-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that don't appear to be suspicious.
Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.
- If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:
- Warn and prevent bypass
- Warn.
- If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs won't present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app.
- If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen won't warn the user again for that app if the user tells SmartScreen to run the app.
- If you disable this policy, SmartScreen will be turned off for all users. Users won't be warned if they try to run suspicious apps from the Internet.
- If you don't configure this policy, SmartScreen will be enabled by default, but users may change their settings.
<!-- Description-Source-DDF-Forced -->
Allows IT Admins to configure SmartScreen for Windows.
<!-- EnableSmartScreenInShell-Description-End -->
<!-- EnableSmartScreenInShell-Editable-Begin -->
@ -188,23 +164,8 @@ Some information is sent to Microsoft about files and programs run on PCs with t
<!-- PreventOverrideForFilesInShell-OmaUri-End -->
<!-- PreventOverrideForFilesInShell-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that don't appear to be suspicious.
Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.
- If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:
- Warn and prevent bypass
- Warn.
- If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs won't present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app.
- If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen won't warn the user again for that app if the user tells SmartScreen to run the app.
- If you disable this policy, SmartScreen will be turned off for all users. Users won't be warned if they try to run suspicious apps from the Internet.
- If you don't configure this policy, SmartScreen will be enabled by default, but users may change their settings.
<!-- Description-Source-DDF-Forced -->
Allows IT Admins to control whether users can ignore SmartScreen warnings and run malicious files.
<!-- PreventOverrideForFilesInShell-Description-End -->
<!-- PreventOverrideForFilesInShell-Editable-Begin -->

79
windows/client-management/mdm/policy-csp-speakforme.md Normal file
View File

@ -0,0 +1,79 @@
---
title: SpeakForMe Policy CSP
description: Learn more about the SpeakForMe Area in Policy CSP.
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
<!-- SpeakForMe-Begin -->
# Policy CSP - SpeakForMe
<!-- SpeakForMe-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SpeakForMe-Editable-End -->
<!-- EnableSpeakForMe-Begin -->
## EnableSpeakForMe
<!-- EnableSpeakForMe-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- EnableSpeakForMe-Applicability-End -->
<!-- EnableSpeakForMe-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/SpeakForMe/EnableSpeakForMe
```
<!-- EnableSpeakForMe-OmaUri-End -->
<!-- EnableSpeakForMe-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls whether to allow the creation of personal voices with SpeakForMe Accessibility Windows Application.
- If you enable this policy setting, then user can create their personal voice models.
- If you disable this policy setting, then user can't create their personal voice models with SpeakForMe.
- If you don't configure this policy setting (default), then users can launch the training flow and create their personal voice model through SpeakForMe.
<!-- EnableSpeakForMe-Description-End -->
<!-- EnableSpeakForMe-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableSpeakForMe-Editable-End -->
<!-- EnableSpeakForMe-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- EnableSpeakForMe-DFProperties-End -->
<!-- EnableSpeakForMe-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- EnableSpeakForMe-AllowedValues-End -->
<!-- EnableSpeakForMe-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableSpeakForMe-Examples-End -->
<!-- EnableSpeakForMe-End -->
<!-- SpeakForMe-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- SpeakForMe-CspMoreInfo-End -->
<!-- SpeakForMe-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

27
windows/client-management/mdm/policy-csp-sudo.md
View File

@ -1,7 +1,7 @@
---
title: Sudo Policy CSP
description: Learn more about the Sudo Area in Policy CSP.
ms.date: 04/10/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 04/10/2024
<!-- Sudo-Begin -->
# Policy CSP - Sudo
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Sudo-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Sudo-Editable-End -->
@ -21,7 +19,7 @@ ms.date: 04/10/2024
<!-- EnableSudo-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- EnableSudo-Applicability-End -->
<!-- EnableSudo-OmaUri-Begin -->
@ -31,7 +29,20 @@ ms.date: 04/10/2024
<!-- EnableSudo-OmaUri-End -->
<!-- EnableSudo-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting controls use of the sudo.exe command line tool.
- If you enable this policy setting, then you may set a maximum allowed mode to run sudo in. This restricts the ways in which users may interact with command-line applications run with sudo. You may pick one of the following modes to allow sudo to run in:
"Disabled": sudo is entirely disabled on this machine. When the user tries to run sudo, sudo will print an error message and exit.
"Force new window": When sudo launches a command line application, it will launch that app in a new console window.
"Disable input": When sudo launches a command line application, it will launch the app in the current console window, but the user won't be able to type input to the command line app. The user may also choose to run sudo in "Force new window" mode.
"Normal": When sudo launches a command line application, it will launch the app in the current console window. The user may also choose to run sudo in "Force new window" or "Disable input" mode.
- If you disable this policy or don't configure it, the user will be able to run sudo.exe normally (after enabling the setting in the Settings app).
<!-- EnableSudo-Description-End -->
<!-- EnableSudo-Editable-Begin -->
@ -65,7 +76,11 @@ ms.date: 04/10/2024
| Name | Value |
|:--|:--|
| Name | EnableSudo |
| Path | Sudo > AT > System |
| Friendly Name | Configure the behavior of the sudo command |
| Location | Computer Configuration |
| Path | System |
| Registry Key Name | Software\Policies\Microsoft\Windows\Sudo |
| ADMX File Name | Sudo.admx |
<!-- EnableSudo-GpMapping-End -->
<!-- EnableSudo-Examples-Begin -->

20
windows/client-management/mdm/policy-csp-system.md
View File

@ -1,7 +1,7 @@
---
title: System Policy CSP
description: Learn more about the System Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,8 +11,6 @@ ms.date: 08/06/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- System-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- System-Editable-End -->
@ -431,7 +429,7 @@ This policy setting determines whether Windows is allowed to download fonts and
- If you enable this policy setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text.
- If you disable this policy setting, Windows doesn't connect to an online font provider and only enumerates locally installed fonts.
- If you disable this policy setting, Windows doesn't connect to an online font provider and only enumerates locally-installed fonts.
- If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
<!-- AllowFontProviders-Description-End -->
@ -569,7 +567,7 @@ Specifies whether to allow app access to the Location service. Most restricted v
This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
This policy setting configures a Microsoft Entra joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
For customers who enroll into the Microsoft Managed Desktop service, enabling this policy is required to allow Microsoft to process data for operational and analytic needs. See <https://go.microsoft.com/fwlink/?linkid=2184944> for more information.
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
hen these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
This setting has no effect on devices unless they're properly enrolled in Microsoft Managed Desktop. If you disable this policy setting, devices may not appear in Microsoft Managed Desktop.
<!-- AllowMicrosoftManagedDesktopProcessing-Description-End -->
@ -888,7 +886,7 @@ To enable this behavior:
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
If you disable or don't configure this policy setting, devices enrolled to Windows Autopatch won't be able to take advantage of some deployment service features.
If you disable or don't configure this policy setting, devices enrolled to the Windows Update for Business deployment service won't be able to take advantage of some deployment service features.
<!-- AllowWUfBCloudProcessing-Description-End -->
<!-- AllowWUfBCloudProcessing-Editable-Begin -->
@ -1471,7 +1469,7 @@ This policy setting lets you prevent apps and features from working with files o
* Users can't access OneDrive from the OneDrive app and file picker.
* Windows Store apps can't access OneDrive using the WinRT API.
* Packaged Microsoft Store apps can't access OneDrive using the WinRT API.
* OneDrive doesn't appear in the navigation pane in File Explorer.
@ -1739,7 +1737,7 @@ This policy setting controls whether Windows records attempts to connect with th
<!-- FeedbackHubAlwaysSaveDiagnosticsLocally-Description-Begin -->
<!-- Description-Source-DDF -->
Diagnostic files created when feedback is filed in the Feedback Hub app will always be saved locally. If this policy isn't present or set to false, users will be presented with the option to save locally. The default is to not save locally.
Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy isn't present or set to false, users will be presented with the option to save locally. The default is to not save locally.
<!-- FeedbackHubAlwaysSaveDiagnosticsLocally-Description-End -->
<!-- FeedbackHubAlwaysSaveDiagnosticsLocally-Editable-Begin -->
@ -1761,8 +1759,8 @@ Diagnostic files created when feedback is filed in the Feedback Hub app will alw
| Value | Description |
|:--|:--|
| 0 (Default) | False. The Feedback Hub won't always save a local copy of diagnostics that may be created when feedback is submitted. The user will have the option to do so. |
| 1 | True. The Feedback Hub should always save a local copy of diagnostics that may be created when feedback is submitted. |
| 0 (Default) | False. The Feedback Hub won't always save a local copy of diagnostics that may be created when a feedback is submitted. The user will have the option to do so. |
| 1 | True. The Feedback Hub should always save a local copy of diagnostics that may be created when a feedback is submitted. |
<!-- FeedbackHubAlwaysSaveDiagnosticsLocally-AllowedValues-End -->
<!-- FeedbackHubAlwaysSaveDiagnosticsLocally-Examples-Begin -->
@ -1777,7 +1775,7 @@ Diagnostic files created when feedback is filed in the Feedback Hub app will alw
<!-- HideUnsupportedHardwareNotifications-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- HideUnsupportedHardwareNotifications-Applicability-End -->
<!-- HideUnsupportedHardwareNotifications-OmaUri-Begin -->

36
windows/client-management/mdm/policy-csp-systemservices.md
View File

@ -1,7 +1,7 @@
---
title: SystemServices Policy CSP
description: Learn more about the SystemServices Area in Policy CSP.
ms.date: 04/10/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 04/10/2024
<!-- SystemServices-Begin -->
# Policy CSP - SystemServices
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- SystemServices-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SystemServices-Editable-End -->
@ -21,7 +19,7 @@ ms.date: 04/10/2024
<!-- ConfigureComputerBrowserServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureComputerBrowserServiceStartupMode-Applicability-End -->
<!-- ConfigureComputerBrowserServiceStartupMode-OmaUri-Begin -->
@ -171,7 +169,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureIISAdminServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureIISAdminServiceStartupMode-Applicability-End -->
<!-- ConfigureIISAdminServiceStartupMode-OmaUri-Begin -->
@ -221,7 +219,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureInfraredMonitorServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureInfraredMonitorServiceStartupMode-Applicability-End -->
<!-- ConfigureInfraredMonitorServiceStartupMode-OmaUri-Begin -->
@ -271,7 +269,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Applicability-End -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-OmaUri-Begin -->
@ -321,7 +319,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureLxssManagerServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureLxssManagerServiceStartupMode-Applicability-End -->
<!-- ConfigureLxssManagerServiceStartupMode-OmaUri-Begin -->
@ -371,7 +369,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureMicrosoftFTPServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureMicrosoftFTPServiceStartupMode-Applicability-End -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-OmaUri-Begin -->
@ -421,7 +419,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Applicability-End -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-OmaUri-Begin -->
@ -471,7 +469,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Applicability-End -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-OmaUri-Begin -->
@ -521,7 +519,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureSimpleTCPIPServicesStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureSimpleTCPIPServicesStartupMode-Applicability-End -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-OmaUri-Begin -->
@ -571,7 +569,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Applicability-End -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-OmaUri-Begin -->
@ -621,7 +619,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Applicability-End -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-OmaUri-Begin -->
@ -671,7 +669,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Applicability-End -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-OmaUri-Begin -->
@ -721,7 +719,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureWebManagementServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureWebManagementServiceStartupMode-Applicability-End -->
<!-- ConfigureWebManagementServiceStartupMode-OmaUri-Begin -->
@ -771,7 +769,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Applicability-End -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-OmaUri-Begin -->
@ -821,7 +819,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Applicability-End -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-OmaUri-Begin -->
@ -871,7 +869,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Applicability-End -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-OmaUri-Begin -->

6
windows/client-management/mdm/policy-csp-tenantrestrictions.md
View File

@ -1,7 +1,7 @@
---
title: TenantRestrictions Policy CSP
description: Learn more about the TenantRestrictions Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -41,9 +41,9 @@ When you enable this setting, compliant applications will be prevented from acce
<https://go.microsoft.com/fwlink/?linkid=2148762>
Before enabling firewall protection, ensure that a Windows Defender Application Control (WDAC) policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding WDAC policy will prevent all applications from reaching Microsoft endpoints. This firewall setting isn't supported on all versions of Windows - see the following link for more information.
Before enabling firewall protection, ensure that an App Control for Business policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding App Control for Business policy will prevent all applications from reaching Microsoft endpoints. This firewall setting isn't supported on all versions of Windows - see the following link for more information.
For details about setting up WDAC with tenant restrictions, see <https://go.microsoft.com/fwlink/?linkid=2155230>
For details about setting up App Control with tenant restrictions, see <https://go.microsoft.com/fwlink/?linkid=2155230>
<!-- ConfigureTenantRestrictions-Description-End -->
<!-- ConfigureTenantRestrictions-Editable-Begin -->

413
windows/client-management/mdm/policy-csp-update.md
View File

@ -1,7 +1,7 @@
---
title: Update Policy CSP
description: Learn more about the Update Area in Policy CSP.
ms.date: 09/11/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,18 +9,12 @@ ms.date: 09/11/2024
<!-- Update-Begin -->
# Policy CSP - Update
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Update-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Update-Editable-End -->
Update CSP policies are listed below based on the group policy area:
- [Windows Insider Preview](#windows-insider-preview)
- [AlwaysAutoRebootAtScheduledTimeMinutes](#alwaysautorebootatscheduledtimeminutes)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
- [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update)
- [AllowNonMicrosoftSignedUpdate](#allownonmicrosoftsignedupdate)
- [AllowOptionalContent](#allowoptionalcontent)
@ -61,7 +55,8 @@ Update CSP policies are listed below based on the group policy area:
- [ConfigureDeadlineForQualityUpdates](#configuredeadlineforqualityupdates)
- [ConfigureDeadlineGracePeriod](#configuredeadlinegraceperiod)
- [ConfigureDeadlineGracePeriodForFeatureUpdates](#configuredeadlinegraceperiodforfeatureupdates)
- [ConfigureDeadlineNoAutoReboot](#configuredeadlinenoautoreboot)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
- [ConfigureFeatureUpdateUninstallPeriod](#configurefeatureupdateuninstallperiod)
- [NoUpdateNotificationsDuringActiveHours](#noupdatenotificationsduringactivehours)
- [ScheduledInstallDay](#scheduledinstallday)
@ -76,6 +71,7 @@ Update CSP policies are listed below based on the group policy area:
- [SetEDURestart](#setedurestart)
- [UpdateNotificationLevel](#updatenotificationlevel)
- [Legacy Policies](#legacy-policies)
- [AlwaysAutoRebootAtScheduledTimeMinutes](#alwaysautorebootatscheduledtimeminutes)
- [AutoRestartDeadlinePeriodInDays](#autorestartdeadlineperiodindays)
- [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](#autorestartdeadlineperiodindaysforfeatureupdates)
- [AutoRestartNotificationSchedule](#autorestartnotificationschedule)
@ -99,188 +95,6 @@ Update CSP policies are listed below based on the group policy area:
- [ScheduleRestartWarning](#schedulerestartwarning)
- [SetAutoRestartNotificationDisable](#setautorestartnotificationdisable)
## Windows Insider Preview
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Begin -->
### AlwaysAutoRebootAtScheduledTimeMinutes
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Applicability-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/AlwaysAutoRebootAtScheduledTimeMinutes
```
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-OmaUri-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this policy, a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days.
The restart timer can be configured to start with any value from 15 to 180 minutes. When the timer runs out, the restart will proceed even if the PC has signed-in users.
- If you disable or don't configure this policy, Windows Update won't alter its restart behavior.
If the "No auto-restart with logged-on users for scheduled automatic updates installations" policy is enabled, then this policy has no effect.
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Description-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Editable-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[15-180]` |
| Default Value | 15 |
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-DFProperties-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AlwaysAutoRebootAtScheduledTime |
| Friendly Name | Always automatically restart at the scheduled time |
| Element Name | work (minutes) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU |
| ADMX File Name | WindowsUpdate.admx |
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-GpMapping-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Examples-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Begin -->
### ConfigureDeadlineNoAutoRebootForFeatureUpdates
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates
```
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Description-Begin -->
<!-- Description-Source-DDF -->
When enabled, devices won't automatically restart outside of active hours until the deadline and grace period have expired for feature updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForFeatureUpdates is configured.
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Description-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Editable-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-DFProperties-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-AllowedValues-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates |
| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
| Element Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates |
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-GpMapping-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Examples-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Begin -->
### ConfigureDeadlineNoAutoRebootForQualityUpdates
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForQualityUpdates
```
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Description-Begin -->
<!-- Description-Source-DDF -->
When enabled, devices won't automatically restart outside of active hours until the deadline and grace period have expired for quality updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates is configured.
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Description-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Editable-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-DFProperties-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-AllowedValues-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ConfigureDeadlineNoAutoRebootForQualityUpdates |
| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
| Element Name | ConfigureDeadlineNoAutoRebootForQualityUpdates |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-GpMapping-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Examples-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-End -->
## Manage updates offered from Windows Update
<!-- AllowNonMicrosoftSignedUpdate-Begin -->
@ -2518,8 +2332,8 @@ Number of days before feature updates are installed on devices automatically reg
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
| Friendly Name | Specify deadlines for automatic updates and restarts |
| Name | ComplianceDeadlineForFU |
| Friendly Name | Specify deadline for automatic updates and restarts for feature update |
| Element Name | Deadline (days) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
@ -2578,7 +2392,7 @@ Number of days before quality updates are installed on devices automatically reg
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
| Friendly Name | Specify deadlines for automatic updates and restarts |
| Friendly Name | Specify deadline for automatic updates and restarts for quality update |
| Element Name | Deadline (days) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
@ -2633,7 +2447,7 @@ Minimum number of days from update installation until restarts occur automatical
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
| Friendly Name | Specify deadlines for automatic updates and restarts |
| Friendly Name | Specify deadline for automatic updates and restarts for quality update |
| Element Name | Grace period (days) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
@ -2687,8 +2501,8 @@ Minimum number of days from update installation until restarts occur automatical
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
| Friendly Name | Specify deadlines for automatic updates and restarts |
| Name | ComplianceDeadlineForFU |
| Friendly Name | Specify deadline for automatic updates and restarts for feature update |
| Element Name | Grace Period (days) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
@ -2702,31 +2516,47 @@ Minimum number of days from update installation until restarts occur automatical
<!-- ConfigureDeadlineGracePeriodForFeatureUpdates-End -->
<!-- ConfigureDeadlineNoAutoReboot-Begin -->
### ConfigureDeadlineNoAutoReboot
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Begin -->
### ConfigureDeadlineNoAutoRebootForFeatureUpdates
<!-- ConfigureDeadlineNoAutoReboot-Applicability-Begin -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1903 [10.0.18362] and later |
<!-- ConfigureDeadlineNoAutoReboot-Applicability-End -->
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-End -->
<!-- ConfigureDeadlineNoAutoReboot-OmaUri-Begin -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoReboot
./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates
```
<!-- ConfigureDeadlineNoAutoReboot-OmaUri-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-End -->
<!-- ConfigureDeadlineNoAutoReboot-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
When enabled, devices won't automatically restart outside of active hours until the deadline and grace period have expired, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates or Update/ConfigureDeadlineForFeatureUpdates is configured.
<!-- ConfigureDeadlineNoAutoReboot-Description-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy lets you specify the number of days before feature updates are installed on devices automatically, and a grace period after which required restarts occur automatically.
<!-- ConfigureDeadlineNoAutoReboot-Editable-Begin -->
Set deadlines for feature updates and quality updates to meet your compliance goals. Updates will be downloaded and installed as soon as they're offered and automatic restarts will be attempted outside of active hours. Once the deadline has passed, restarts will occur regardless of active hours, and users won't be able to reschedule. If the deadline is set to 0 days, the update will be installed immediately upon offering, but might not finish within the day due to device availability and network connectivity.
Set a grace period for feature updates to guarantee users a minimum time to manage their restarts once updates are installed. Users will be able to schedule restarts during the grace period and Windows can still automatically restart outside of active hours if users choose not to schedule restarts. The grace period might not take effect if users already have more than the number of days set as grace period to manage their restart, based on deadline configurations.
You can set the device to delay restarting until both the deadline and grace period have expired.
If you disable or don't configure this policy, devices will get updates and will restart according to the default schedule.
This policy will override the following policies:
1. Specify deadline before auto restart for update installation
1. Specify Engaged restart transition and notification schedule for updates.
1. Always automatically restart at the scheduled time
1. Configure Automatic Updates.
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Description-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoReboot-Editable-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Editable-End -->
<!-- ConfigureDeadlineNoAutoReboot-DFProperties-Begin -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
@ -2734,36 +2564,115 @@ When enabled, devices won't automatically restart outside of active hours until
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ConfigureDeadlineNoAutoReboot-DFProperties-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-DFProperties-End -->
<!-- ConfigureDeadlineNoAutoReboot-AllowedValues-Begin -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- ConfigureDeadlineNoAutoReboot-AllowedValues-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-AllowedValues-End -->
<!-- ConfigureDeadlineNoAutoReboot-GpMapping-Begin -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
| Friendly Name | Specify deadlines for automatic updates and restarts |
| Name | ComplianceDeadlineForFU |
| Friendly Name | Specify deadline for automatic updates and restarts for feature update |
| Element Name | Don't auto-restart until end of grace period. |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate |
| ADMX File Name | WindowsUpdate.admx |
<!-- ConfigureDeadlineNoAutoReboot-GpMapping-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-GpMapping-End -->
<!-- ConfigureDeadlineNoAutoReboot-Examples-Begin -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoReboot-Examples-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Examples-End -->
<!-- ConfigureDeadlineNoAutoReboot-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Begin -->
### ConfigureDeadlineNoAutoRebootForQualityUpdates
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForQualityUpdates
```
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy lets you specify the number of days before quality updates are installed on devices automatically, and a grace period after which required restarts occur automatically.
Set deadlines for quality updates to meet your compliance goals. Updates will be downloaded and installed as soon as they're offered and automatic restarts will be attempted outside of active hours. Once the deadline has passed, restarts will occur regardless of active hours, and users won't be able to reschedule. If the deadline is set to 0 days, the update will be installed immediately upon offering, but might not finish within the day due to device availability and network connectivity.
Set a grace period for quality updates to guarantee users a minimum time to manage their restarts once updates are installed. Users will be able to schedule restarts during the grace period and Windows can still automatically restart outside of active hours if users choose not to schedule restarts. The grace period might not take effect if users already have more than the number of days set as grace period to manage their restart, based on deadline configurations.
You can set the device to delay restarting until both the deadline and grace period have expired.
If you disable or don't configure this policy, devices will get updates and will restart according to the default schedule.
This policy will override the following policies:
1. Specify deadline before auto restart for update installation
1. Specify Engaged restart transition and notification schedule for updates.
1. Always automatically restart at the scheduled time
1. Configure Automatic Updates.
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Description-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Editable-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-DFProperties-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-AllowedValues-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
| Friendly Name | Specify deadline for automatic updates and restarts for quality update |
| Element Name | Don't auto-restart until end of grace period. |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate |
| ADMX File Name | WindowsUpdate.admx |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-GpMapping-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Examples-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-End -->
<!-- ConfigureFeatureUpdateUninstallPeriod-Begin -->
### ConfigureFeatureUpdateUninstallPeriod
@ -3647,6 +3556,68 @@ If you select "Apply only during active hours" in conjunction with Option 1 or 2
## Legacy Policies
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Begin -->
### AlwaysAutoRebootAtScheduledTimeMinutes
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Applicability-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/AlwaysAutoRebootAtScheduledTimeMinutes
```
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-OmaUri-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this policy, a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days.
The restart timer can be configured to start with any value from 15 to 180 minutes. When the timer runs out, the restart will proceed even if the PC has signed-in users.
- If you disable or don't configure this policy, Windows Update won't alter its restart behavior.
If the "No auto-restart with logged-on users for scheduled automatic updates installations" policy is enabled, then this policy has no effect.
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Description-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Editable-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[15-180]` |
| Default Value | 15 |
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-DFProperties-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AlwaysAutoRebootAtScheduledTime |
| Friendly Name | Always automatically restart at the scheduled time |
| Element Name | work (minutes) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Legacy Policies |
| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU |
| ADMX File Name | WindowsUpdate.admx |
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-GpMapping-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Examples-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-End -->
<!-- AutoRestartDeadlinePeriodInDays-Begin -->
### AutoRestartDeadlinePeriodInDays

28
windows/client-management/mdm/policy-csp-userrights.md
View File

@ -1,7 +1,7 @@
---
title: UserRights Policy CSP
description: Learn more about the UserRights Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 01/18/2024
<!-- UserRights-Begin -->
# Policy CSP - UserRights
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- UserRights-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as Security Identifiers (SID) or strings. For more information, see [Well-known SID structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab).
@ -258,7 +256,7 @@ This user right allows a process to impersonate any user without authentication.
<!-- AdjustMemoryQuotasForProcess-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AdjustMemoryQuotasForProcess-Applicability-End -->
<!-- AdjustMemoryQuotasForProcess-OmaUri-Begin -->
@ -359,7 +357,7 @@ This user right determines which users can log on to the computer.
<!-- AllowLogOnThroughRemoteDesktop-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllowLogOnThroughRemoteDesktop-Applicability-End -->
<!-- AllowLogOnThroughRemoteDesktop-OmaUri-Begin -->
@ -460,7 +458,7 @@ This user right determines which users can bypass file, directory, registry, and
<!-- BypassTraverseChecking-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- BypassTraverseChecking-Applicability-End -->
<!-- BypassTraverseChecking-OmaUri-Begin -->
@ -567,7 +565,7 @@ This user right determines which users and groups can change the time and date o
<!-- ChangeTimeZone-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ChangeTimeZone-Applicability-End -->
<!-- ChangeTimeZone-OmaUri-Begin -->
@ -1027,7 +1025,7 @@ This security setting determines which service accounts are prevented from regis
<!-- DenyLogOnAsBatchJob-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DenyLogOnAsBatchJob-Applicability-End -->
<!-- DenyLogOnAsBatchJob-OmaUri-Begin -->
@ -1076,7 +1074,7 @@ This security setting determines which accounts are prevented from being able to
<!-- DenyLogOnAsService-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DenyLogOnAsService-Applicability-End -->
<!-- DenyLogOnAsService-OmaUri-Begin -->
@ -1336,7 +1334,7 @@ Assigning this user right to a user allows programs running on behalf of that us
<!-- IncreaseProcessWorkingSet-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- IncreaseProcessWorkingSet-Applicability-End -->
<!-- IncreaseProcessWorkingSet-OmaUri-Begin -->
@ -1543,7 +1541,7 @@ This user right determines which accounts can use a process to keep data in phys
<!-- LogOnAsBatchJob-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- LogOnAsBatchJob-Applicability-End -->
<!-- LogOnAsBatchJob-OmaUri-Begin -->
@ -1592,7 +1590,7 @@ This security setting allows a user to be logged-on by means of a batch-queue fa
<!-- LogOnAsService-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- LogOnAsService-Applicability-End -->
<!-- LogOnAsService-OmaUri-Begin -->
@ -1889,7 +1887,7 @@ This user right determines which users can use performance monitoring tools to m
<!-- ProfileSystemPerformance-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ProfileSystemPerformance-Applicability-End -->
<!-- ProfileSystemPerformance-OmaUri-Begin -->
@ -1987,7 +1985,7 @@ This user right determines which users are allowed to shut down a computer from
<!-- ReplaceProcessLevelToken-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ReplaceProcessLevelToken-Applicability-End -->
<!-- ReplaceProcessLevelToken-OmaUri-Begin -->
@ -2088,7 +2086,7 @@ This user right determines which users can bypass file, directory, registry, and
<!-- ShutDownTheSystem-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ShutDownTheSystem-Applicability-End -->
<!-- ShutDownTheSystem-OmaUri-Begin -->

6
windows/client-management/mdm/policy-csp-webthreatdefense.md
View File

@ -1,7 +1,7 @@
---
title: WebThreatDefense Policy CSP
description: Learn more about the WebThreatDefense Area in Policy CSP.
ms.date: 01/31/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 01/31/2024
<!-- WebThreatDefense-Begin -->
# Policy CSP - WebThreatDefense
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WebThreatDefense-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
@ -23,7 +21,7 @@ ms.date: 01/31/2024
<!-- AutomaticDataCollection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AutomaticDataCollection-Applicability-End -->
<!-- AutomaticDataCollection-OmaUri-Begin -->

73
windows/client-management/mdm/policy-csp-windowsai.md
View File

@ -1,7 +1,7 @@
---
title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP.
ms.date: 09/11/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -21,7 +21,7 @@ ms.date: 09/11/2024
<!-- DisableAIDataAnalysis-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisableAIDataAnalysis-Applicability-End -->
<!-- DisableAIDataAnalysis-OmaUri-Begin -->
@ -31,14 +31,12 @@ ms.date: 09/11/2024
<!-- DisableAIDataAnalysis-OmaUri-End -->
<!-- DisableAIDataAnalysis-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to determine whether end users have the option to allow snapshots to be saved on their PCs.
<!-- Description-Source-ADMX -->
This policy setting allows you to control whether Windows saves snapshots of the screen and analyzes the user's activity on their device.
- If disabled, end users will have a choice to save snapshots of their screen on their PC and then use Recall to find things they've seen.
- If you enable this policy setting, Windows won't be able to save snapshots and users won't be able to search for or browse through their historical device activity using Recall.
- If the policy is enabled, end users won't be able to save snapshots on their PC.
- If the policy isn't configured, end users may or may not be able to save snapshots on their PC-depending on other policy configurations.
- If you disable or don't configure this policy setting, Windows will save snapshots of the screen and users will be able to search for or browse through a timeline of their past activities using Recall.
<!-- DisableAIDataAnalysis-Description-End -->
<!-- DisableAIDataAnalysis-Editable-Begin -->
@ -70,7 +68,12 @@ This policy setting allows you to determine whether end users have the option to
| Name | Value |
|:--|:--|
| Name | DisableAIDataAnalysis |
| Path | WindowsAI > AT > WindowsComponents > WindowsAI |
| Friendly Name | Turn off Saving Snapshots for Windows |
| Location | User Configuration |
| Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | DisableAIDataAnalysis |
| ADMX File Name | WindowsCopilot.admx |
<!-- DisableAIDataAnalysis-GpMapping-End -->
<!-- DisableAIDataAnalysis-Examples-Begin -->
@ -203,6 +206,58 @@ This policy setting allows you to control whether Image Creator functionality is
<!-- DisableImageCreator-End -->
<!-- SetCopilotHardwareKey-Begin -->
## SetCopilotHardwareKey
<!-- SetCopilotHardwareKey-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SetCopilotHardwareKey-Applicability-End -->
<!-- SetCopilotHardwareKey-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/SetCopilotHardwareKey
```
<!-- SetCopilotHardwareKey-OmaUri-End -->
<!-- SetCopilotHardwareKey-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting determines which app opens when the user presses the Copilot key on their keyboard.
- If the policy is enabled, the specified app will open when the user presses the Copilot key. Users can change the key assignment in Settings.
- If the policy isn't configured, Copilot will open if it's available in that country or region.
<!-- SetCopilotHardwareKey-Description-End -->
<!-- SetCopilotHardwareKey-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetCopilotHardwareKey-Editable-End -->
<!-- SetCopilotHardwareKey-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- SetCopilotHardwareKey-DFProperties-End -->
<!-- SetCopilotHardwareKey-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SetCopilotHardwareKey |
| Path | WindowsCopilot > AT > WindowsComponents > WindowsCopilot |
<!-- SetCopilotHardwareKey-GpMapping-End -->
<!-- SetCopilotHardwareKey-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetCopilotHardwareKey-Examples-End -->
<!-- SetCopilotHardwareKey-End -->
<!-- TurnOffWindowsCopilot-Begin -->
## TurnOffWindowsCopilot

10
windows/client-management/mdm/policy-csp-windowslogon.md
View File

@ -1,7 +1,7 @@
---
title: WindowsLogon Policy CSP
description: Learn more about the WindowsLogon Area in Policy CSP.
ms.date: 04/10/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -380,11 +380,11 @@ This policy setting allows you to control whether users see the first sign-in an
<!-- EnableMPRNotifications-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls the configuration under which winlogon sends MPR notifications in the system.
This policy controls whether the user's password is included in the content of MPR notifications sent by winlogon in the system.
- If you enable this setting or don't configure it, winlogon sends MPR notifications if a credential manager is configured.
- If you disable this setting or don't configure it, winlogon sends MPR notifications with empty password fields of the user's authentication info.
- If you disable this setting, winlogon doesn't send MPR notifications.
- If you enable this setting, winlogon sends MPR notifications containing the user's password in the authentication info.
<!-- EnableMPRNotifications-Description-End -->
<!-- EnableMPRNotifications-Editable-Begin -->
@ -415,7 +415,7 @@ This policy controls the configuration under which winlogon sends MPR notificati
| Name | Value |
|:--|:--|
| Name | EnableMPRNotifications |
| Friendly Name | Enable MPR notifications for the system |
| Friendly Name | Configure the transmission of the user's password in the content of MPR notifications sent by winlogon. |
| Location | Computer Configuration |
| Path | Windows Components > Windows Logon Options |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |

52
windows/client-management/mdm/policy-csp-windowssandbox.md
View File

@ -1,7 +1,7 @@
---
title: WindowsSandbox Policy CSP
description: Learn more about the WindowsSandbox Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 01/18/2024
<!-- WindowsSandbox-Begin -->
# Policy CSP - WindowsSandbox
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WindowsSandbox-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- WindowsSandbox-Editable-End -->
@ -149,7 +147,7 @@ This policy setting enables or disables clipboard sharing with the sandbox.
<!-- AllowMappedFolders-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllowMappedFolders-Applicability-End -->
<!-- AllowMappedFolders-OmaUri-Begin -->
@ -159,8 +157,18 @@ This policy setting enables or disables clipboard sharing with the sandbox.
<!-- AllowMappedFolders-OmaUri-End -->
<!-- AllowMappedFolders-Description-Begin -->
<!-- Description-Source-DDF -->
Allow mapping folders into Windows Sandbox.
<!-- Description-Source-ADMX -->
This policy setting enables or disables mapping folders into sandbox.
- If you enable this policy setting, mapping folders from the host into Sandbox will be permitted.
- If you enable this policy setting and disable write to mapped folders, mapping folders from the host into Sandbox will be permitted, but Sandbox will only have permission to read the files.
- If you disable this policy setting, mapping folders from the host into Sandbox won't be permitted.
- If you don't configure this policy setting, mapped folders will be enabled.
Note that there may be security implications of exposing folders from the host into the container.
<!-- AllowMappedFolders-Description-End -->
<!-- AllowMappedFolders-Editable-Begin -->
@ -184,7 +192,12 @@ Allow mapping folders into Windows Sandbox.
| Name | Value |
|:--|:--|
| Name | AllowMappedFolders |
| Path | WindowsSandbox > AT > WindowsComponents > WindowsSandboxCat |
| Friendly Name | Allow mapping folders into Windows Sandbox |
| Location | Computer Configuration |
| Path | Windows Components > Windows Sandbox |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
| Registry Value Name | AllowMappedFolders |
| ADMX File Name | WindowsSandbox.admx |
<!-- AllowMappedFolders-GpMapping-End -->
<!-- AllowMappedFolders-Examples-Begin -->
@ -457,7 +470,7 @@ Note that there may be security implications of exposing host video input to the
<!-- AllowWriteToMappedFolders-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllowWriteToMappedFolders-Applicability-End -->
<!-- AllowWriteToMappedFolders-OmaUri-Begin -->
@ -467,8 +480,18 @@ Note that there may be security implications of exposing host video input to the
<!-- AllowWriteToMappedFolders-OmaUri-End -->
<!-- AllowWriteToMappedFolders-Description-Begin -->
<!-- Description-Source-DDF -->
Allow Sandbox to write to mapped folders.
<!-- Description-Source-ADMX -->
This policy setting enables or disables mapping folders into sandbox.
- If you enable this policy setting, mapping folders from the host into Sandbox will be permitted.
- If you enable this policy setting and disable write to mapped folders, mapping folders from the host into Sandbox will be permitted, but Sandbox will only have permission to read the files.
- If you disable this policy setting, mapping folders from the host into Sandbox won't be permitted.
- If you don't configure this policy setting, mapped folders will be enabled.
Note that there may be security implications of exposing folders from the host into the container.
<!-- AllowWriteToMappedFolders-Description-End -->
<!-- AllowWriteToMappedFolders-Editable-Begin -->
@ -492,8 +515,13 @@ Allow Sandbox to write to mapped folders.
| Name | Value |
|:--|:--|
| Name | AllowWriteToMappedFolders |
| Path | WindowsSandbox > AT > WindowsComponents > WindowsSandboxCat |
| Name | AllowMappedFolders |
| Friendly Name | Allow mapping folders into Windows Sandbox |
| Location | Computer Configuration |
| Path | Windows Components > Windows Sandbox |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
| Registry Value Name | AllowMappedFolders |
| ADMX File Name | WindowsSandbox.admx |
<!-- AllowWriteToMappedFolders-GpMapping-End -->
<!-- AllowWriteToMappedFolders-Examples-Begin -->

4
windows/client-management/mdm/toc.yml
View File

@ -387,7 +387,7 @@ items:
href: policy-csp-authentication.md
- name: Autoplay
href: policy-csp-autoplay.md
- name: BitLocker
- name: Bitlocker
href: policy-csp-bitlocker.md
- name: BITS
href: policy-csp-bits.md
@ -537,6 +537,8 @@ items:
href: policy-csp-settingssync.md
- name: SmartScreen
href: policy-csp-smartscreen.md
- name: SpeakForMe
href: policy-csp-speakforme.md
- name: Speech
href: policy-csp-speech.md
- name: Start

6
windows/configuration/taskbar/pinned-apps.md
View File

@ -50,9 +50,11 @@ The following steps describe how to configure the taskbar pinned applications us
1. Edit the XML file to meet your requirements and save it
1. Deploy the XML file to devices using configuration service provider (CSP), provisioning packages (PPKG), or group policy (GPO)
>[!IMPORTANT]
>If you use a provisioning package or `import-startlayout` to configure the taskbar, your configuration will be reapplied each time the `explorer.exe` process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using CSP or GPO.
> [!IMPORTANT]
> If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the `explorer.exe` process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using CSP or GPO.
> [!CAUTION]
> The use of the `Import-StartLayout` PowerShell cmdlet to provision the Taskbar layout is no longer supported in Windows 11. The only supported configuration in Windows 11 is to use a provisioning package.
::: zone pivot="windows-10"
>[!NOTE]

8
windows/deployment/update/fod-and-lang-packs.md
View File

@ -13,7 +13,7 @@ appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/mem/configmgr/ > Microsoft Configuration Manager</a>
- ✅ <a href=https://learn.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus > WSUS </a>
ms.date: 04/22/2024
ms.date: 10/01/2024
---
# How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager
@ -31,11 +31,13 @@ Due to these changes, the **Specify settings for optional component installation
The introduction of the **Specify source service for specific classes of Windows Updates** ([SetPolicyDrivenUpdateSourceFor<UpdateClass\>](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourceforfeatureupdates)) policy in Windows 10, version 2004 further complicated configuring settings for FoD and language pack content.
Starting in Windows 11, version 22H2, on-premises Unified Update Platform (UUP) updates were introduced. FoDs and language packs are available from WSUS again. It's no longer necessary to use the **Specify settings for optional component installation and component repair** policy for FoD and language pack content.
Starting in Windows 11, version 22H2, on-premises Unified Update Platform (UUP) updates were introduced. FoDs and language packs are available from WSUS again. It's no longer necessary to use the **Specify settings for optional component installation and component repair** policy for FoD and language pack content. This policy was modified starting in Windows 11, version 24H2 and the following options were removed:<!--8914508-->
- Never attempt to download payload from Windows Update
- Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)
## Version specific information for Features on Demand and language packs
Windows 11, version 22H2, and later clients use on-premises Unified Update Platform (UUP) updates with WSUS and Microsoft Configuration Manager. These clients don't need to use **Specify settings for optional component installation and component repair** for FoDs and language packs since the content is available in WSUS due to on-premises UUP.
Windows 11, version 22H2, and later clients use on-premises Unified Update Platform (UUP) updates with WSUS and Microsoft Configuration Manager. These clients don't need to use **Specify settings for optional component installation and component repair** for FoDs and language packs since the content is available in WSUS due to on-premises UUP. The policy was modified starting in Windows 11, version 24H2 to remove the unneeded options.<!--8914508-->
For Windows 10, version 2004 through Windows 11, version 21H2, clients can't download FoDs or language packs when **Specify settings for optional component installation and component repair** is set to Windows Update and **Specify source service for specific classes of Windows Updates** ([SetPolicyDrivenUpdateSourceFor<FeatureUpdates/QualityUpdates>](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourceforfeatureupdates)) for either feature or quality updates is set to WSUS. If you need this content, you can set **Specify settings for optional component installation and component repair** to Windows Update and then either:
- Change the source selection for feature and quality updates to Windows Update

3
windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
View File

@ -29,6 +29,9 @@ sections:
- question: Will Windows Autopatch be available for state and local government customers?
answer: |
Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. Although Windows 365 Enterprise is in the Azure Commercial cloud, when Windows 365 Enterprise is used with a GCC customer tenant, Autopatch is not supported.
- question: How do I access Windows Autopatch?
answer: |
You can access Windows Autopatch through Intune. For more information, see [Start using Windows Autopatch](../prepare/windows-autopatch-feature-activation.md#use-microsoft-intune-for-windows-autopatch) and [Prerequisites](../prepare/windows-autopatch-prerequisites.md) to ensure you meet the licensing requirements to activate all [Windows Autopatch features](../overview/windows-autopatch-overview.md#windows-enterprise-e3-and-f3-licenses).
- name: Requirements
questions:
- question: What are the licensing requirements for Windows Autopatch?

12
windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
View File

@ -1,7 +1,7 @@
---
title: What is Windows Autopatch?
description: Details what the service is and shortcuts to articles.
ms.date: 09/16/2024
ms.date: 09/27/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@ -17,6 +17,9 @@ ms.reviewer: hathind
# What is Windows Autopatch?
> [!IMPORTANT]
> In September, Windows Update for Business deployment service unified under Windows Autopatch. Unification is going through a gradual rollout over the next several weeks. If your experience looks different from the documentation, you didn't receive the unified experience yet. Review [Prerequisites](../prepare/windows-autopatch-prerequisites.md) and [Features and capabilities](#features-and-capabilities) to understand licensing and feature entitlement.
Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.
## Unique to Windows Autopatch
@ -38,7 +41,7 @@ Windows Autopatch helps you minimize the involvement of your scarce IT resources
[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)]
The goal of Windows Autopatch is to deliver software updates to registered devices; the service frees up IT and minimizes disruptions to your end users. Once a device is registered with the service, features include:
The goal of Windows Autopatch is to deliver software updates to registered devices; the service frees up IT and minimizes disruptions to your end users. Once a device is registered with the service, you have access to the following features through the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431):
| Features included with Business Premium and A3+ licenses | Description |
| --- | --- |
@ -48,11 +51,14 @@ The goal of Windows Autopatch is to deliver software updates to registered devic
| [Driver and firmware updates](../manage/windows-autopatch-manage-driver-and-firmware-updates.md) | You can manage and control your driver and firmware updates with Windows Autopatch.|
| [Intune reports](/mem/intune/fundamentals/reports) | Use Intune reports to monitor the health and activity of endpoints in your organization.|
> [!IMPORTANT]
> Microsoft 365 Business Premium and Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) do **not** have access to all Windows Autopatch features. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities).
### Windows Enterprise E3+ and F3 licenses
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
In addition to the features included in [Business Premium and A3+ licenses](#business-premium-and-a3-licenses), if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5), you have access to all of Windows Autopatch features in your tenant when you [activate Windows Autopatch](../prepare/windows-autopatch-feature-activation.md). Windows Autopatch features include:
In addition to the features included in [Business Premium and A3+ licenses](#business-premium-and-a3-licenses), if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5), you have access to all of Windows Autopatch features in your tenant. When you [activate Windows Autopatch](../prepare/windows-autopatch-feature-activation.md), you have access to the following features through the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431):
| Features included in Windows Enterprise E3+ and F3 licenses | Description |
| --- | --- |

7
windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
View File

@ -1,7 +1,7 @@
---
title: Prerequisites
description: This article details the prerequisites needed for Windows Autopatch
ms.date: 09/16/2024
ms.date: 09/27/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: concept-article
@ -19,6 +19,9 @@ ms.collection:
## Licenses and entitlements
> [!IMPORTANT]
> Microsoft 365 Business Premium and Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) do **not** have access to all Windows Autopatch features. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities).
### [Business Premium and A3+](#tab/business-premium-a3-entitlements)
Business Premium and A3+ licenses include:
@ -41,7 +44,7 @@ For more information about specific service plans, see [Windows 10/11 Enterprise
### Feature entitlement
For more information about feature entitlement, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities).
For more information about feature entitlement, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). Features are accessed through the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
| Symbol | Meaning |
| --- | --- |

4
windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
View File

@ -1,7 +1,7 @@
---
title: What's new 2024
description: This article lists the 2024 feature releases and any corresponding Message center post numbers.
ms.date: 09/16/2024
ms.date: 09/27/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: whats-new
@ -27,7 +27,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| Article | Description |
| ----- | ----- |
| All articles | Windows Update for Business deployment service unified under Windows Autopatch. For more information, see [What is Windows Autopatch?](../overview/windows-autopatch-overview.md)|
| All articles | Windows Update for Business deployment service unified under Windows Autopatch. Unification is going through a gradual rollout over the next several weeks. If your experience looks different from the documentation, you didn't receive the unified experience yet. Review [Prerequisites](../prepare/windows-autopatch-prerequisites.md) and [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities) to understand licensing and feature entitlement.|
## March 2024

1
windows/deployment/windows-enterprise-e3-overview.md
View File

@ -105,7 +105,6 @@ For more information about implementing Credential Guard, see the following reso
- [Security considerations for Original Equipment Manufacturers](/windows-hardware/design/device-experiences/oem-security-considerations)
- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)
### AppLocker management
AppLocker in Windows Enterprise can be managed by using Group Policy. Group Policy requires having AD DS and that the Windows Enterprise devices are joined to an AD DS domain. AppLocker rules can be created by using Group Policy. The AppLocker rules can then be targeted to the appropriate devices.

12
windows/hub/index.yml
View File

@ -15,7 +15,7 @@ metadata:
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 08/27/2024
ms.date: 10/01/2024
highlightedContent:
# itemType: architecture | concept | deploy | download | get-started | how-to-guide | training | overview | quickstart | reference | sample | tutorial | video | whats-new
@ -25,13 +25,13 @@ highlightedContent:
itemType: get-started
url: /windows/whats-new/windows-11-overview
- title: Windows 11, version 23H2
- title: Windows 11, version 24H2
itemType: whats-new
url: /windows/whats-new/whats-new-windows-11-version-23h2
url: /windows/whats-new/whats-new-windows-11-version-24h2
- title: Windows 11, version 23H2 group policy settings reference
- title: Windows 11, version 24H2 group policy settings reference
itemType: download
url: https://www.microsoft.com/download/details.aspx?id=105668
url: https://www.microsoft.com/download/details.aspx?id=106255
- title: Windows administrative tools
itemType: concept
@ -73,7 +73,7 @@ conceptualContent:
- title: Privacy in Windows
links:
- url: /windows/privacy/required-diagnostic-events-fields-windows-11-22h2
- url: /windows/privacy/required-diagnostic-events-fields-windows-11-24h2
itemType: reference
text: Windows 11 required diagnostic data
- url: /windows/privacy/configure-windows-diagnostic-data-in-your-organization

31
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
View File

@ -7,7 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
ms.date: 04/24/2024
ms.date: 10/01/2024
ms.topic: reference
ms.collection: privacy-windows
---
@ -27,6 +27,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
- [Required diagnostic events and fields for Windows 11, version 24H2](required-diagnostic-events-fields-windows-11-24H2.md)
- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Required diagnostic events and fields for Windows 10, versions 22H2 and 21H2](required-windows-diagnostic-data-events-and-fields-2004.md)
@ -903,7 +904,7 @@ The following fields are available:
- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
- **DriverBlockOverridden** Is there's a driver block on the device that has been overridden?
- **DriverBlockOverridden** Is there a driver block on the device that has been overridden?
- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
@ -949,7 +950,6 @@ The following fields are available:
- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade?
- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
This event indicates that the DecisionDriverPackage object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about driver packages to help keep Windows up to date.
@ -1763,7 +1763,6 @@ The following fields are available:
The SystemProcessorPopCntStartSync event indicates that a new set of SystemProcessorPopCntAdd events will be sent. This event is used to understand if the system supports the PopCnt CPU requirement for newer versions of Windows.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
The following fields are available:
@ -2186,7 +2185,7 @@ The following fields are available:
- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment.
- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
@ -2626,7 +2625,7 @@ Fires when the compatibility check completes. Gives the results from the check.
The following fields are available:
- **IsRecommended** Denotes whether all compatibility checks have passed and, if so, returns true. Otherwise returns false.
- **Issues** If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: [Check results of HVCI default enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-hvci-default-enablement).
- **Issues** If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: [Check results of HVCI default enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-memory-integrity-default-enablement).
### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Enabled
@ -4759,6 +4758,7 @@ The following fields are available:
- **InventoryVersion** The version of the inventory file generating the events.
### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
This event retrieves information about what sensor interfaces are available on the device. The data collected with this event is used to keep Windows performing properly.
@ -5375,7 +5375,7 @@ This Ping event sends a detailed inventory of software and hardware information
The following fields are available:
- **appAp** Any additional parameters for the specified application. Default: ''.
- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Please see the wiki for additional information. Default: undefined.
- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Default: undefined.
- **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''.
- **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev).
- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
@ -5383,11 +5383,11 @@ The following fields are available:
- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Please see the wiki for additional information. Default: '-2'.
- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Default: '-2'.
- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client shouldn't transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'.
- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'.
- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
- **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
- **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''.
@ -5398,8 +5398,8 @@ The following fields are available:
- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
- **appPingEventEventResult** An enum indicating the result of the event. Please see the wiki for additional information. Default: '0'.
- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute. Please see the wiki for additional information.
- **appPingEventEventResult** An enum indicating the result of the event. Default: '0'.
- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute.
- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'.
@ -5409,9 +5409,9 @@ The following fields are available:
- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they haven't.
- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server shouldn't return an update instruction to a version number that doesn't match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it isn't a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''.
- **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'.
- **appVersion** The version of the product install. Default: '0.0.0.0'.
- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
- **eventType** A string indicating the type of the event. Please see the wiki for additional information.
- **eventType** A string indicating the type of the event.
- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware doesn't support the AVX instruction set. '-1' if unknown. Default: '-1'.
- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware doesn't support the SSE instruction set. '-1' if unknown. Default: '-1'.
- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware doesn't support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
@ -9069,7 +9069,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours
This event indicates that update activity was blocked because it is within the active hours window. The data collected with this event is used to help keep Windows secure and up to date.
This event indicates that update activity was blocked because it's within the active hours window. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@ -10232,6 +10232,3 @@ The following fields are available:
- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license.
- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application.
- **UserId** The XUID (Xbox User ID) of the current user.

2
windows/privacy/index.yml
View File

@ -39,7 +39,7 @@ productDirectory:
- title: Windows 11 required diagnostic data
imageSrc: /media/common/i_extend.svg
summary: Learn more about basic Windows diagnostic data events and fields collected.
url: required-diagnostic-events-fields-windows-11-22H2.md
url: required-diagnostic-events-fields-windows-11-24H2.md
- title: Windows 10 required diagnostic data
imageSrc: /media/common/i_build.svg
summary: See what changes Windows is making to align to the new data collection taxonomy

204
windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
View File

@ -8,7 +8,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
ms.date: 02/29/2024
ms.date: 10/01/2024
ms.topic: reference
ms.collection: privacy-windows
---
@ -28,6 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
- [Required diagnostic events and fields for Windows 11, version 24H2](required-diagnostic-events-fields-windows-11-24H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Required diagnostic events and fields for Windows 10, versions 22H2 and 21H2](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
@ -128,6 +129,7 @@ The following fields are available:
- **AppraiserVersion** The version of the appraiser binary generating the events.
### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
This event indicates that the DatasourceApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
@ -780,6 +782,7 @@ The following fields are available:
- **AppraiserVersion** Appraiser version.
### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date.
@ -1309,7 +1312,6 @@ The following fields are available:
- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
- **xid** A list of base10-encoded XBOX User IDs.
## Common data fields
### Ms.Device.DeviceInventoryChange
@ -1725,7 +1727,7 @@ The following fields are available:
### Microsoft.Windows.HangReporting.AppHangEvent
This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It doesn't contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It doesn't contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and won't produce AppHang events.
The following fields are available:
@ -1751,31 +1753,6 @@ The following fields are available:
## Holographic events
### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Entered
This event sends data indicating the start of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
- **SessionID** Unique value for each attempt.
- **TargetAsId** The sequence number for the process.
- **windowInstanceId** Unique value for each window instance.
### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Leave
This event sends data indicating the end of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
- **EventHistory** Unique number of event history.
- **ExternalComponentState** State of external component.
- **LastEvent** Unique number of last event.
- **SessionID** Unique value for each attempt.
- **TargetAsId** The sequence number for the process.
- **windowInstanceId** Unique value for each window instance.
### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicSpaceCreated
This event indicates the state of Windows holographic scene. The data collected with this event is used to keep Windows performing properly.
@ -2247,6 +2224,22 @@ The following fields are available:
- **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''.
### Microsoft.Edge.Crashpad.HangEvent
This event sends simple Product and Service Performance data on a hanging/frozen Microsoft Edge browser process to help mitigate future instances of the hang.
The following fields are available:
- **app_name** The name of the hanging process.
- **app_session_guid** Encodes the boot session, process, and process start time.
- **app_version** The version of the hanging process.
- **client_id_hash** Hash of the browser client id to help identify the installation.
- **etag** Identifier to help identify running browser experiments.
- **hang_source** Identifies how the hang was detected.
- **process_type** The type of the hanging browser process, for example, gpu-process, renderer, etc.
- **stack_hash** A hash of the hanging stack. Currently not used or set to zero.
## OneSettings events
### Microsoft.Windows.OneSettingsClient.Status
@ -2273,105 +2266,29 @@ The following fields are available:
## Other events
### Microsoft.Edge.Crashpad.HangEvent
### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Entered
This event sends simple Product and Service Performance data on a hanging/frozen Microsoft Edge browser process to help mitigate future instances of the hang.
This event sends data indicating the start of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
- **app_name** The name of the hanging process.
- **app_session_guid** Encodes the boot session, process, and process start time.
- **app_version** The version of the hanging process.
- **client_id_hash** Hash of the browser client id to help identify the installation.
- **etag** Identifier to help identify running browser experiments.
- **hang_source** Identifies how the hang was detected.
- **process_type** The type of the hanging browser process, for example, gpu-process, renderer, etc.
- **stack_hash** A hash of the hanging stack. Currently not used or set to zero.
- **SessionID** Unique value for each attempt.
- **TargetAsId** The sequence number for the process.
- **windowInstanceId** Unique value for each window instance.
### Microsoft.Gaming.Critical.Error
### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Leave
Common error event used by the Gaming Telemetry Library to provide centralized monitoring for critical errors logged by callers using the library.
This event sends data indicating the end of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
- **callStack** List of active subroutines running during error occurrence.
- **componentName** Friendly name meant to represent what feature area this error should be attributed to. Used for aggregations and pivots of data.
- **customAttributes** List of custom attributes.
- **errorCode** Error code.
- **extendedData** JSON blob representing additional, provider-level properties common to the component.
- **featureName** Friendly name meant to represent which feature this should be attributed to.
- **identifier** Error identifier.
- **message** Error message.
- **properties** List of properties attributed to the error.
### Microsoft.Gaming.Critical.ProviderRegistered
Indicates that a telemetry provider has been registered with the Gaming Telemetry Library.
The following fields are available:
- **providerNamespace** The telemetry Namespace for the registered provider.
### Microsoft.Gaming.OOBE.HDDBackup
This event describes whether an External HDD back up has been found.
The following fields are available:
- **backupVersion** version number of backup.
- **extendedData** JSON blob representing additional, provider-level properties common to the component.
- **hasConsoleSettings** Indicates whether the console settings stored.
- **hasUserSettings** Indicates whether the user settings stored.
- **hasWirelessProfile** Indicates whether the wireless profile stored.
- **hddBackupFound** Indicates whether hdd backup is found.
- **osVersion** Operating system version.
### Microsoft.Gaming.OOBE.OobeComplete
This event is triggered when OOBE activation is complete.
The following fields are available:
- **allowAutoUpdate** Allows auto update.
- **allowAutoUpdateApps** Allows auto update for apps.
- **appliedTransferToken** Applied transfer token.
- **connectionType** Connection type.
- **curSessionId** Current session id.
- **extendedData** JSON blob representing additional, provider-level properties common to the component.
- **instantOn** Instant on.
- **moobeAcceptedState** Moobe accepted state.
- **phaseOneElapsedTimeMs** Total elapsed time in milliseconds for phase 1.
- **phaseOneVersion** Version of phase 1.
- **phaseTwoElapsedTimeMs** Total elapsed time in milliseconds for phase 2.
- **phaseTwoVersion** Version of phase 2.
- **systemUpdateRequired** Indicates whether a system update required.
- **totalElapsedTimeMs** Total elapsed time in milliseconds of all phases.
- **usedCloudBackup** Indicates whether cloud backup is used.
- **usedHDDBackup** Indicates whether HDD backup is used.
- **usedOffConsole** Indicates whether off console is used.
### Microsoft.Gaming.OOBE.SessionStarted
This event is sent at the start of OOBE session.
The following fields are available:
- **customAttributes** customAttributes.
- **extendedData** extendedData.
### Microsoft.Surface.Mcu.Prod.CriticalLog
Error information from Surface device firmware.
The following fields are available:
- **CrashLog** MCU crash log
- **criticalLogSize** Log size
- **CUtility::GetTargetNameA(target)** Product identifier.
- **productId** Product identifier
- **uniqueId** Correlation ID that can be used with Watson to get more details about the failure.
- **EventHistory** Unique number of event history.
- **ExternalComponentState** State of external component.
- **LastEvent** Unique number of last event.
- **SessionID** Unique value for each attempt.
- **TargetAsId** The sequence number for the process.
- **windowInstanceId** Unique value for each window instance.
### Microsoft.Windows.Defender.Engine.Maps.Heartbeat
@ -2409,6 +2326,7 @@ The following fields are available:
- **Action** Action string indicating place of failure
- **hr** Return HRESULT code
### Microsoft.Windows.Security.SBServicing.ApplySecureBootUpdateStarted
Event that indicates secure boot update has started.
@ -2419,22 +2337,6 @@ The following fields are available:
- **SecureBootUpdateCaller** Enum value indicating if this is a servicing or an upgrade.
### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState
This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
- **CV** The correlation vector.
- **GlobalEventCounter** The global event counter for all telemetry on the device.
- **UpdateAssistantStateDownloading** True at the start Downloading.
- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication.
- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates.
- **UpdateAssistantStateInstalling** True at the start of Installing.
- **UpdateAssistantStatePostInstall** True at the start of PostInstall.
- **UpdateAssistantVersion** Current package version of UpdateAssistant.
### MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CodeIntegrityHvciSysprepHvciAlreadyEnabled
This event fires when HVCI is already enabled so no need to continue auto-enablement.
@ -2670,6 +2572,19 @@ The following fields are available:
- **Ver** Schema version.
### Microsoft.Surface.Mcu.Prod.CriticalLog
Error information from Surface device firmware.
The following fields are available:
- **CrashLog** MCU crash log
- **criticalLogSize** Log size
- **CUtility::GetTargetNameA(target)** Product identifier.
- **productId** Product identifier
- **uniqueId** Correlation ID that can be used with Watson to get more details about the failure.
### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2
This event sends reason for SAM, PCH and SoC reset. The data collected with this event is used to keep Windows performing properly.
@ -2710,6 +2625,24 @@ The following fields are available:
- **UpdateAttempted** Indicates if installation of the current update has been attempted before.
## Update Assistant events
### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState
This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
- **CV** The correlation vector.
- **GlobalEventCounter** The global event counter for all telemetry on the device.
- **UpdateAssistantStateDownloading** True at the start Downloading.
- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication.
- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates.
- **UpdateAssistantStateInstalling** True at the start of Installing.
- **UpdateAssistantStatePostInstall** True at the start of PostInstall.
- **UpdateAssistantVersion** Current package version of UpdateAssistant.
## Update events
### Update360Telemetry.FellBackToDownloadingAllPackageFiles
@ -3574,7 +3507,7 @@ The following fields are available:
- **flightMetadata** Contains the FlightId and the build being flighted.
- **objectId** Unique value for each Update Agent mode.
- **relatedCV** Correlation vector value generated from the latest USO scan.
- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled.
- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Canceled, 3 = Blocked, 4 = BlockCancelled.
- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
- **sessionId** Unique value for each Update Agent mode attempt.
@ -3758,6 +3691,3 @@ The following fields are available:
- **SessionId** The UpdateAgent “SessionId” value.
- **UpdateId** Unique identifier for the Update.
- **WuId** Unique identifier for the Windows Update client.

4266
windows/privacy/required-diagnostic-events-fields-windows-11-24H2.md Normal file
View File

File diff suppressed because it is too large Load Diff

46
windows/privacy/required-windows-11-diagnostic-events-and-fields.md
View File

@ -7,7 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
ms.date: 04/24/2024
ms.date: 10/01/2024
ms.collection: privacy-windows
ms.topic: reference
---
@ -28,6 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
- [Required diagnostic events and fields for Windows 11, version 24H2](required-diagnostic-events-fields-windows-11-24H2.md)
- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 10, versions 22H2 and 21H2](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
@ -167,7 +168,6 @@ The following fields are available:
- **AppraiserVersion** The version of the appraiser binary generating the events.
### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
This event indicates that the DatasourceApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
@ -438,7 +438,7 @@ The following fields are available:
- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
- **DriverBlockOverridden** Is there's a driver block on the device that has been overridden?
- **DriverBlockOverridden** Is there a driver block on the device that has been overridden?
- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
@ -1475,7 +1475,7 @@ The following fields are available:
- **AzureOSIDPresent** Represents the field used to identify an Azure machine.
- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
- **CDJType** Represents the type of cloud domain joined for the machine.
- **CommercialId** Represents the GUID for the commercial entity that the device is a member of.  Will be used to reflect insights back to customers.
- **CommercialId** Represents the GUID for the commercial entity that the device is a member of. Will be used to reflect insights back to customers.
- **ContainerType** The type of container, such as process or virtual machine hosted.
- **EnrollmentType** Defines the type of MDM enrollment on the device.
- **HashedDomain** The hashed representation of the user domain used for login.
@ -1490,7 +1490,6 @@ The following fields are available:
- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
### Census.Firmware
This event sends data about the BIOS and startup embedded in the device. The data collected with this event is used to help keep Windows secure and up to date.
@ -1956,6 +1955,7 @@ The following fields are available:
Fires when HVCI is already enabled so no need to continue auto-enablement.
### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanGetResultFailed
Fires when driver scanning fails to get results.
@ -2197,6 +2197,7 @@ The following fields are available:
- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
- **xid** A list of base10-encoded XBOX User IDs.
## Common data fields
### Ms.Device.DeviceInventoryChange
@ -2212,6 +2213,7 @@ The following fields are available:
- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
## Component-based servicing events
### CbsServicingProvider.CbsCapabilityEnumeration
@ -2985,6 +2987,7 @@ The following fields are available:
- **PreviousExecutionState** Windows Mixed Reality Portal app prior execution state.
- **wilActivity** Windows Mixed Reality Portal app wilActivity ID.
### Microsoft.Windows.Shell.HolographicFirstRun.AppLifecycleService_Resuming
This event indicates Windows Mixed Reality Portal app resuming. This event is also used to count WMR device. The data collected with this event is used to keep Windows performing properly.
@ -3570,7 +3573,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly.
This event provides data on Unified Update Platform (UUP) products and what version they're at. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@ -3753,7 +3756,7 @@ This Ping event sends a detailed inventory of software and hardware information
The following fields are available:
- **appAp** Any additional parameters for the specified application. Default: ''.
- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. See the wiki for additional information. Default: undefined.
- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Default: undefined.
- **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''.
- **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev).
- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
@ -3761,13 +3764,13 @@ The following fields are available:
- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. See the wiki for additional information. Default: '-2'.
- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Default: '-2'.
- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client shouldn't transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
- **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'.
- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
- **appLastLaunchTime** The time when browser was last launched.
- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. See the wiki for additional information. Default: '0.0.0.0'.
- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'.
- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event wasn't completed before OOBE finishes; -1 means the field doesn't apply.
- **appPingEventDownloadMetricsCdnCCC** ISO 2 character country or region code that matches to the country or region updated binaries are delivered from. E.g.: US.
@ -3781,8 +3784,8 @@ The following fields are available:
- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
- **appPingEventEventResult** An enum indicating the result of the event. See the wiki for additional information. Default: '0'.
- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute. See the wiki for additional information.
- **appPingEventEventResult** An enum indicating the result of the event. Default: '0'.
- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute.
- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'.
@ -3794,9 +3797,9 @@ The following fields are available:
- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they haven't.
- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server shouldn't return an update instruction to a version number that doesn't match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it isn't a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''.
- **appVersion** The version of the product install. See the wiki for additional information. Default: '0.0.0.0'.
- **appVersion** The version of the product install. Default: '0.0.0.0'.
- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
- **eventType** A string indicating the type of the event. See the wiki for additional information.
- **eventType** A string indicating the type of the event.
- **expETag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only.
- **hwDiskType** Devices hardware disk type.
- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware doesn't support the AVX instruction set. '-1' if unknown. Default: '-1'.
@ -3996,7 +3999,6 @@ The following fields are available:
- **extendedData** GTL extended data section for each app to add its own extensions.
- **timeToActionMs** Time in MS for this Page Action.
### Microsoft.Surface.Mcu.Prod.CriticalLog
Error information from Surface device firmware.
@ -4312,7 +4314,7 @@ The following fields are available:
- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing)
- **EventType** Possible values are "Child", "Bundle", or "Driver"
- **FlightId** The unique identifier for each flight
- **IsNetworkMetered** Indicates whether Windows considered the current network to be metered"
- **IsNetworkMetered** Indicates whether Windows considered the current network to be "metered"
- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any
- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any
- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby)
@ -6355,7 +6357,7 @@ The following fields are available:
- **flightMetadata** Contains the FlightId and the build being flighted.
- **objectId** Unique value for each Update Agent mode.
- **relatedCV** Correlation vector value generated from the latest USO scan.
- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled.
- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Canceled, 3 = Blocked, 4 = BlockCancelled.
- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
- **sessionId** Unique value for each Update Agent mode attempt.
@ -6589,6 +6591,15 @@ The following fields are available:
- **WasPresented** True if the user interaction campaign is displayed to the user.
### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit
This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed.
## Windows Update mitigation events
### Microsoft.Windows.Mitigations.AllowInPlaceUpgrade.ApplyTroubleshootingComplete
@ -6841,6 +6852,3 @@ The following fields are available:
- **Flags** The flags passed to the hard reserve adjustment function.
- **PendingHardReserveAdjustment** The final change to the hard reserve size.
- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve.

55
windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
View File

@ -7,7 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
ms.date: 04/24/2024
ms.date: 10/01/2024
ms.collection: privacy-windows
ms.topic: reference
---
@ -31,6 +31,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
- [Required diagnostic events and fields for Windows 11, version 24H2](required-diagnostic-events-fields-windows-11-24H2.md)
- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
@ -873,7 +874,7 @@ The following fields are available:
- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
- **DriverBlockOverridden** Is there's a driver block on the device that has been overridden?
- **DriverBlockOverridden** Is there a driver block on the device that has been overridden?
- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
@ -2476,7 +2477,8 @@ Fires when the compatibility check completes. Gives the results from the check.
The following fields are available:
- **IsRecommended** Denotes whether all compatibility checks have passed and, if so, returns true. Otherwise returns false.
- **Issues** If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: [Check results of HVCI default enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-hvci-default-enablement).
- **Issues** If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: [Check results of HVCI default enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-memory-integrity-default-enablement).
### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Enabled
@ -4334,6 +4336,7 @@ The following fields are available:
- **InventoryVersion** The version of the inventory binary generating the events.
### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatHealthRecordAdd
This event sends basic metadata about ACPI PHAT Health Record structure on the machine. The data collected with this event is used to help keep Windows up to date.
@ -4608,6 +4611,7 @@ The following fields are available:
- **InventoryVersion** The version of the inventory file generating the events.
### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
This event sends basic metadata about a PNP device and its associated driver to help keep Windows up to date. This information is used to assess if the PNP device and driver will remain compatible when upgrading Windows.
@ -4858,7 +4862,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly.
This event provides data on Unified Update Platform (UUP) products and what version they're at. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@ -5148,7 +5152,7 @@ This Ping event sends a detailed inventory of software and hardware information
The following fields are available:
- **appAp** Any additional parameters for the specified application. Default: ''.
- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Please see the wiki for additional information. Default: undefined.
- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Default: undefined.
- **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''.
- **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev).
- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
@ -5156,13 +5160,13 @@ The following fields are available:
- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Please see the wiki for additional information. Default: '-2'.
- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Default: '-2'.
- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client shouldn't transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
- **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'.
- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
- **appLastLaunchTime** The time when browser was last launched.
- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'.
- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'.
- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event wasn't completed before OOBE finishes; -1 means the field doesn't apply.
- **appPingEventDownloadMetricsCdnAzureRefOriginShield** Provides a unique reference string that identifies a request served by Azure Front Door. It's used to search access logs and is critical for troubleshooting. For example, Ref A: E172B39D19774147B0EFCC8E3E823D9D Ref B: BL2EDGE0215 Ref C: 2021-05-11T22:25:48Z.
@ -5180,8 +5184,8 @@ The following fields are available:
- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
- **appPingEventEventResult** An enum indicating the result of the event. Please see the wiki for additional information. Default: '0'.
- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute. Please see the wiki for additional information.
- **appPingEventEventResult** An enum indicating the result of the event. Default: '0'.
- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute.
- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'.
@ -5195,9 +5199,9 @@ The following fields are available:
- **appUpdateCheckTargetChannel** Check for status showing the target release channel.
- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server shouldn't return an update instruction to a version number that doesn't match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it isn't a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''.
- **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'.
- **appVersion** The version of the product install. Default: '0.0.0.0'.
- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
- **eventType** A string indicating the type of the event. Please see the wiki for additional information.
- **eventType** A string indicating the type of the event.
- **expDeviceId** A non-unique resettable device ID to identify a device in experimentation.
- **expEtag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only.
- **expETag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only.
@ -5618,6 +5622,7 @@ The following fields are available:
- **criticalLogSize** Log size
- **CUtility::GetTargetNameA(target)** Product identifier.
- **productId** Product identifier
- **SurfaceTelemetry_EventType** Required vs. Optional event
- **uniqueId** Correlation ID that can be used with Watson to get more details about the failure.
@ -5639,6 +5644,7 @@ This event sends information about the Operating System image name to Microsoft.
The following fields are available:
- **SurfaceTelemetry_EventType** Required vs. Optional event
- **szOsImageName** This is the image name that is running on the device.
@ -5691,6 +5697,7 @@ The following fields are available:
- **UpdateType** Indicates if it's DB or DBX update
- **WillResealSucceed** Indicates if TPM reseal operation is expected to succeed
### Microsoft.Windows.Security.SBServicing.ApplySecureBootUpdateStarted
Event that indicates secure boot update has started.
@ -5746,9 +5753,7 @@ The following fields are available:
- **touchKeyboardDesktop** Touch keyboard desktop
- **touchKeyboardTablet** Touch keyboard tablet
- **triggerType** Trigger type
- **usePowershell** Use PowerShell
- **usePowershell** Use PowerShell.
## Privacy consent logging events
@ -6558,8 +6563,9 @@ The following fields are available:
- **CUtility::GetTargetNameA(Target)** Sub component name.
- **HealthLog** Health indicator log.
- **healthLogSize** 4KB.
- **PartA_PrivacyProduct** Product tag
- **productId** Identifier for product model.
- **SurfaceTelemetry_EventType** Required vs. Optional event
### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2
@ -6568,9 +6574,25 @@ This event sends reason for SAM, PCH and SoC reset. The data collected with this
The following fields are available:
- **ControllerResetCause** The cause for the controller reset.
- **EcResetCause** EC reset cause.
- **FaultReset1Cause** Fault 1 reset cause.
- **FaultReset2Cause** Fault 2 reset cause.
- **HostResetCause** Host reset cause.
- **OffResetCause** Off reset cause.
- **OnResetCause** On reset cause.
- **PartA_PrivacyProduct** Product tag
- **PchResetCause** PCH reset cause.
- **PoffResetCause** Power Off reset cause.
- **PonResetCause** Power On reset cause.
- **S3ResetCause** S3 reset cause.
- **SamResetCause** SAM reset cause.
- **SamResetCauseExtBacklightState** SAM Reset Display Backlight state.
- **SamResetCauseExtLastPowerButtonTime** SAM Reset Last Power Button time.
- **SamResetCauseExtLastSshCommunicationTime** SAM Reset Last SSH Communication time.
- **SamResetCauseExtPostureStateReason** SAM Reset Last Posture State reason.
- **SamResetCauseExtRestartReason** SAM Reset Extended Restart reason.
- **SurfaceTelemetry_EventType** Required vs. Optional event.
- **WarmResetCause** Warm reset cause.
## Update Assistant events
@ -10019,6 +10041,3 @@ The following fields are available:
- **virtualMachineName** VM name.
- **waitForClientConnection** True if we should wait for client connection.
- **wp81NetworkStackDisabled** WP 8.1 networking stack disabled.

2
windows/privacy/toc.yml
View File

@ -13,6 +13,8 @@
href: diagnostic-data-viewer-powershell.md
- name: Required Windows diagnostic data events and fields
items:
- name: Windows 11, version 24H2
href: required-diagnostic-events-fields-windows-11-24H2.md
- name: Windows 11, versions 23H2 and 22H2
href: required-diagnostic-events-fields-windows-11-22H2.md
- name: Windows 11, version 21H2

15
windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/wdac-appid-tagging-guide.md → windows/security/application-security/application-control/app-control-for-business/AppIdTagging/appcontrol-appid-tagging-guide.md
View File

@ -1,23 +1,22 @@
---
title: Designing, creating, managing, and troubleshooting Windows Defender Application Control AppId Tagging policies
description: How to design, create, manage, and troubleshoot your WDAC AppId Tagging policies
title: Designing, creating, managing, and troubleshooting App Control for Business AppId Tagging policies
description: How to design, create, manage, and troubleshoot your App Control AppId Tagging policies
ms.localizationpriority: medium
ms.date: 04/27/2022
ms.date: 09/11/2024
ms.topic: conceptual
---
# WDAC Application ID (AppId) Tagging guide
# App Control Application ID (AppId) Tagging guide
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
## AppId Tagging Feature Overview
The Application ID (AppId) Tagging Policy feature, while based off Windows Defender Application Control (WDAC), doesn't control whether applications run. AppId Tagging policies can be used to mark the processes of the running application with a customizable tag defined in the policy. Application processes that pass the AppId policy receive the tag while failing applications don't.
The Application ID (AppId) Tagging Policy feature, while based off App Control for Business, doesn't control whether applications run. AppId Tagging policies can be used to mark the processes of the running application with a customizable tag defined in the policy. Application processes that pass the AppId policy receive the tag while failing applications don't.
## AppId Tagging Feature Availability
The WDAC AppId Tagging feature is available on the following versions of the Windows platform:
The App Control AppId Tagging feature is available on the following versions of the Windows platform:
Client:
- Windows 10 20H1, 20H2, and 21H1 versions only

9
windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md → windows/security/application-security/application-control/app-control-for-business/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
View File

@ -2,20 +2,19 @@
title: Testing and Debugging AppId Tagging Policies
description: Testing and Debugging AppId Tagging Policies to ensure your policies are deployed successfully.
ms.localizationpriority: medium
ms.date: 04/29/2022
ms.date: 09/11/2024
ms.topic: troubleshooting
---
# Testing and Debugging AppId Tagging Policies
> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
After deployment of the WDAC AppId Tagging policy, WDAC will log a 3099 policy deployed event in the [Event Viewer logs](../operations/event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event.
After deployment of the App Control AppId Tagging policy, App Control will log a 3099 policy deployed event in the [Event Viewer logs](../operations/event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event.
## Verifying Tags on Running Processes
After verifying the policy has been deployed, the next step is to verify that the application processes you expect to pass the AppId Tagging policy have your tag set. Note that processes running at the time of policy deployment will need to be restarted since Windows Defender Application Control (WDAC) can only tag processes created after the policy has been deployed.
After verifying the policy has been deployed, the next step is to verify that the application processes you expect to pass the AppId Tagging policy have your tag set. Note that processes running at the time of policy deployment will need to be restarted since App Control for Business can only tag processes created after the policy has been deployed.
1. Download and Install the Windows Debugger

23
windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md → windows/security/application-security/application-control/app-control-for-business/AppIdTagging/deploy-appid-tagging-policies.md
View File

@ -1,17 +1,16 @@
---
title: Deploying Windows Defender Application Control AppId tagging policies
description: How to deploy your WDAC AppId tagging policies locally and globally within your managed environment.
title: Deploying App Control for Business AppId tagging policies
description: How to deploy your App Control AppId tagging policies locally and globally within your managed environment.
ms.localizationpriority: medium
ms.date: 04/29/2022
ms.date: 09/11/2024
ms.topic: conceptual
---
# Deploying Windows Defender Application Control AppId tagging policies
# Deploying App Control for Business AppId tagging policies
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId tagging policy, use one of the following methods to deploy:
Similar to App Control for Business policies, App Control AppId tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId tagging policy, use one of the following methods to deploy:
1. [Deploy AppId tagging policies with MDM](#deploy-appid-tagging-policies-with-mdm)
1. [Deploy policies with Configuration Manager](#deploy-appid-tagging-policies-with-configuration-manager)
@ -20,23 +19,23 @@ Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId tagg
## Deploy AppId tagging policies with MDM
Custom AppId tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-wdac-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
Custom AppId tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-appcontrol-policies-using-intune.md#deploy-app-control-policies-with-custom-oma-uri).
## Deploy AppId tagging policies with Configuration Manager
Custom AppId tagging policies can be deployed via Configuration Manager using the [deployment task sequences](../deployment/deploy-wdac-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users.
Custom AppId tagging policies can be deployed via Configuration Manager using the [deployment task sequences](../deployment/deploy-appcontrol-policies-with-memcm.md#deploy-custom-app-control-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users.
### Deploy AppId tagging Policies via Scripting
Scripting hosts can be used to deploy AppId tagging policies as well. This approach is often best suited for local deployment, but works for deployment to managed endpoints and users too. For more information on how to deploy WDAC AppId tagging policies via scripting, see [Deploy WDAC policies using script](../deployment/deploy-wdac-policies-with-script.md). For AppId tagging policies, the only applicable method is deploying to version 1903 or later.
Scripting hosts can be used to deploy AppId tagging policies as well. This approach is often best suited for local deployment, but works for deployment to managed endpoints and users too. For more information on how to deploy App Control AppId tagging policies via scripting, see [Deploy App Control policies using script](../deployment/deploy-appcontrol-policies-with-script.md). For AppId tagging policies, the only applicable method is deploying to version 1903 or later.
### Deploying policies via the ApplicationControl CSP
Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
Multiple App Control policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
For more information, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) to deploy multiple policies, and optionally use Microsoft Intune's Custom OMA-URI capability.
> [!NOTE]
> WMI and GP don't currently support multiple policies. If you can't directly access the MDM stack, use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage multiple policy format Windows Defender Application Control policies.
> WMI and GP don't currently support multiple policies. If you can't directly access the MDM stack, use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage multiple policy format App Control for Business policies.

102
windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md Normal file
View File

@ -0,0 +1,102 @@
---
title: Create your App Control for Business AppId Tagging Policies
description: Create your App Control for Business AppId tagging policies for Windows devices.
ms.localizationpriority: medium
ms.date: 09/23/2024
ms.topic: conceptual
---
# Creating your App Control AppId Tagging Policies
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
## Create the policy using the App Control Wizard
You can use the App Control for Business Wizard and the PowerShell commands to create an App Control policy and convert it to an AppIdTagging policy. The App Control Wizard is available for download at the [App Control Wizard Installer site](https://aka.ms/wdacwizard). These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](appcontrol-appid-tagging-guide.md).
1. Create a new base policy using the templates:
Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. The following example shows beginning with the [Default Windows Mode](../design/appcontrol-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules.
:::image type="content" alt-text="Configuring the policy base and template." source="../images/appid-appcontrol-wizard-1.png" lightbox="../images/appid-appcontrol-wizard-1.png":::
> [!NOTE]
> If your AppId Tagging Policy does build off the base templates or does not allow Windows in-box processes, you will notice significant performance regressions, especially during boot. For this reason, it is strongly recommended to build off the base templates. For more information on the issue, see the [AppId Tagging Known Issue](../operations/known-issues.md#slow-boot-and-performance-with-custom-policies).
2. Set the following rule-options using the Wizard toggles:
:::image type="content" alt-text="Configuring the policy rule-options." source="../images/appid-appcontrol-wizard-2.png":::
3. Create custom rules:
Selecting the `+ Custom Rules` button opens the Custom Rules panel. The Wizard supports five types of file rules:
- Publisher rules: Create a rule based off the signing certificate hierarchy. Additionally, the original filename and version can be combined with the signing certificate for added security.
- Path rules: Create a rule based off the path to a file or a parent folder path. Path rules support wildcards.
- File attribute rules: Create a rule based off a file's immutable properties like the original filename, file description, product name or internal name.
- Package app name rules: Create a rule based off the package family name of an appx/msix.
- Hash rules: Create a rule based off the PE Authenticode hash of a file.
For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](../design/appcontrol-wizard-create-base-policy.md#creating-custom-file-rules).
4. Convert to AppId Tagging Policy:
After the Wizard builds the policy file, open the file in a text editor and remove the entire "Value=131" SigningScenario text block. The only remaining signing scenario should be "Value=12" which is the user mode application section. Next, open PowerShell in an elevated prompt and run the following command. Replace the AppIdTagging Key-Value pair for your scenario:
```powershell
Set-CIPolicyIdInfo -ResetPolicyID -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue"
```
The policyID GUID is returned by the PowerShell command if successful.
## Create the policy using PowerShell
Using this method, you create an AppId Tagging policy directly using the App Control PowerShell commands. These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](appcontrol-appid-tagging-guide.md). In an elevate PowerShell instance:
1. Create an AppId rule for the policy based on a combination of the signing certificate chain and version of the application. In the example below, the level has been set to SignedVersion. Any of the [App Control File Rule Levels](../design/select-types-of-rules-to-create.md#table-2-app-control-for-business-policy---file-rule-levels) can be used in AppId rules:
```powershell
$rule = New-CiPolicyRule -Level SignedVersion -DriverFilePath <path_to_application>
```
2. Create the AppId Tagging Policy. Replace the AppIdTagging Key-Value pair for your scenario:
```powershell
New-CIPolicy -rules $rule -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue"
```
3. Set the rule-options for the policy:
```powershell
Set-RuleOption -Option 0 .\AppIdPolicy.xml # Usermode Code Integrity (UMCI)
Set-RuleOption -Option 16 .\AppIdPolicy.xml # Refresh Policy no Reboot
Set-RuleOption -Option 18 .\AppIdPolicy.xml # (Optional) Disable FilePath Rule Protection
```
If you're using filepath rules, you may want to set option 18. Otherwise, there's no need.
4. Set the name and ID on the policy, which is helpful for future debugging:
```powershell
Set-CIPolicyIdInfo -ResetPolicyId -PolicyName "MyPolicyName" -PolicyId "MyPolicyId" -AppIdTaggingPolicy -FilePath ".\AppIdPolicy.xml"
```
The policyID GUID is returned by the PowerShell command if successful.
## Deploy for Local Testing
After creating your AppId Tagging policy in the above steps, you can deploy the policy to your local machine for testing before broadly deploying the policy to your endpoints:
1. Depending on your deployment method, convert the xml to binary:
```powershell
Convertfrom-CIPolicy .\policy.xml ".\{PolicyIDGUID}.cip"
```
2. Optionally, deploy it for local testing:
```powershell
copy ".\{Policy ID}.cip" c:\windows\system32\codeintegrity\CiPolicies\Active\
./RefreshPolicy.exe
```
RefreshPolicy.exe is available for download from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=102925).
## Next Steps
For more information on debugging and broad deployment of the AppId Tagging policy, see [Debugging AppId policies](debugging-operational-guide-appid-tagging-policies.md) and [Deploying AppId policies](deploy-appid-tagging-policies.md).

180
windows/security/application-security/application-control/windows-defender-application-control/TOC.yml → windows/security/application-security/application-control/app-control-for-business/TOC.yml
View File

@ -1,126 +1,126 @@
- name: Application Control for Windows
href: index.yml
- name: About application control for Windows
href: wdac.md
href: appcontrol.md
expanded: true
items:
- name: WDAC and AppLocker Overview
href: wdac-and-applocker-overview.md
- name: WDAC and AppLocker Feature Availability
- name: App Control and AppLocker Overview
href: appcontrol-and-applocker-overview.md
- name: App Control and AppLocker Feature Availability
href: feature-availability.md
- name: Virtualization-based protection of code integrity
href: ../introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- name: WDAC design guide
href: design/wdac-design-guide.md
href: ../introduction-to-virtualization-based-security-and-appcontrol.md
- name: Design guide
href: design/appcontrol-design-guide.md
items:
- name: Plan for WDAC policy lifecycle management
href: design/plan-wdac-management.md
- name: Design your WDAC policy
- name: Plan for App Control policy lifecycle management
href: design/plan-appcontrol-management.md
- name: Design your App Control policy
items:
- name: Understand WDAC policy design decisions
href: design/understand-wdac-policy-design-decisions.md
- name: Understand WDAC policy rules and file rules
- name: Understand App Control policy design decisions
href: design/understand-appcontrol-policy-design-decisions.md
- name: Understand App Control policy rules and file rules
href: design/select-types-of-rules-to-create.md
items:
- name: Allow apps installed by a managed installer
href: design/configure-authorized-apps-deployed-with-a-managed-installer.md
- name: Allow reputable apps with Intelligent Security Graph (ISG)
href: design/use-wdac-with-intelligent-security-graph.md
href: design/use-appcontrol-with-intelligent-security-graph.md
- name: Allow COM object registration
href: design/allow-com-object-registration-in-wdac-policy.md
- name: Use WDAC with .NET hardening
href: design/wdac-and-dotnet.md
- name: Script enforcement with Windows Defender Application Control
href: design/allow-com-object-registration-in-appcontrol-policy.md
- name: Use App Control with .NET hardening
href: design/appcontrol-and-dotnet.md
- name: Script enforcement with App Control for Business
href: design/script-enforcement.md
- name: Manage packaged apps with WDAC
href: design/manage-packaged-apps-with-wdac.md
- name: Use WDAC to control specific plug-ins, add-ins, and modules
href: design/use-wdac-policy-to-control-specific-plug-ins-add-ins-and-modules.md
- name: Understand WDAC policy settings
href: design/understanding-wdac-policy-settings.md
- name: Use multiple WDAC policies
href: design/deploy-multiple-wdac-policies.md
- name: Create your WDAC policy
- name: Manage packaged apps with App Control
href: design/manage-packaged-apps-with-appcontrol.md
- name: Use App Control to control specific plug-ins, add-ins, and modules
href: design/use-appcontrol-policy-to-control-specific-plug-ins-add-ins-and-modules.md
- name: Understand App Control policy settings
href: design/understanding-appcontrol-policy-settings.md
- name: Use multiple App Control policies
href: design/deploy-multiple-appcontrol-policies.md
- name: Create your App Control policy
items:
- name: Example WDAC base policies
href: design/example-wdac-base-policies.md
- name: Policy creation for common WDAC usage scenarios
href: design/common-wdac-use-cases.md
- name: Example App Control base policies
href: design/example-appcontrol-base-policies.md
- name: Policy creation for common App Control usage scenarios
href: design/common-appcontrol-use-cases.md
items:
- name: Create a WDAC policy for lightly managed devices
href: design/create-wdac-policy-for-lightly-managed-devices.md
- name: Create a WDAC policy for fully managed devices
href: design/create-wdac-policy-for-fully-managed-devices.md
- name: Create a WDAC policy for fixed-workload devices
href: design/create-wdac-policy-using-reference-computer.md
- name: Create a WDAC deny list policy
href: design/create-wdac-deny-policy.md
- name: Applications that can bypass WDAC and how to block them
href: design/applications-that-can-bypass-wdac.md
- name: Create an App Control policy for lightly managed devices
href: design/create-appcontrol-policy-for-lightly-managed-devices.md
- name: Create an App Control policy for fully managed devices
href: design/create-appcontrol-policy-for-fully-managed-devices.md
- name: Create an App Control policy for fixed-workload devices
href: design/create-appcontrol-policy-using-reference-computer.md
- name: Create an App Control deny list policy
href: design/create-appcontrol-deny-policy.md
- name: Applications that can bypass App Control and how to block them
href: design/applications-that-can-bypass-appcontrol.md
- name: Microsoft recommended driver block rules
href: design/microsoft-recommended-driver-block-rules.md
- name: Use the WDAC Wizard tool
href: design/wdac-wizard.md
- name: Use the App Control Wizard tool
href: design/appcontrol-wizard.md
items:
- name: Create a base WDAC policy with the Wizard
href: design/wdac-wizard-create-base-policy.md
- name: Create a supplemental WDAC policy with the Wizard
href: design/wdac-wizard-create-supplemental-policy.md
- name: Editing a WDAC policy with the Wizard
href: design/wdac-wizard-editing-policy.md
- name: Creating WDAC Policy Rules from WDAC Events
href: design/wdac-wizard-parsing-event-logs.md
- name: Merging multiple WDAC policies with the Wizard
href: design/wdac-wizard-merging-policies.md
- name: WDAC deployment guide
href: deployment/wdac-deployment-guide.md
- name: Create a base App Control policy with the Wizard
href: design/appcontrol-wizard-create-base-policy.md
- name: Create a supplemental App Control policy with the Wizard
href: design/appcontrol-wizard-create-supplemental-policy.md
- name: Editing an App Control policy with the Wizard
href: design/appcontrol-wizard-editing-policy.md
- name: Creating App Control Policy Rules from App Control Events
href: design/appcontrol-wizard-parsing-event-logs.md
- name: Merging multiple App Control policies with the Wizard
href: design/appcontrol-wizard-merging-policies.md
- name: Deployment guide
href: deployment/appcontrol-deployment-guide.md
items:
- name: Deploy WDAC policies with MDM
href: deployment/deploy-wdac-policies-using-intune.md
- name: Deploy WDAC policies with Configuration Manager
href: deployment/deploy-wdac-policies-with-memcm.md
- name: Deploy WDAC policies with script
href: deployment/deploy-wdac-policies-with-script.md
- name: Deploy WDAC policies with group policy
href: deployment/deploy-wdac-policies-using-group-policy.md
- name: Audit WDAC policies
href: deployment/audit-wdac-policies.md
- name: Merge WDAC policies
href: deployment/merge-wdac-policies.md
- name: Enforce WDAC policies
href: deployment/enforce-wdac-policies.md
- name: Use code signing for added control and protection with WDAC
- name: Deploy App Control policies with MDM
href: deployment/deploy-appcontrol-policies-using-intune.md
- name: Deploy App Control policies with Configuration Manager
href: deployment/deploy-appcontrol-policies-with-memcm.md
- name: Deploy App Control policies with script
href: deployment/deploy-appcontrol-policies-with-script.md
- name: Deploy App Control policies with group policy
href: deployment/deploy-appcontrol-policies-using-group-policy.md
- name: Audit App Control policies
href: deployment/audit-appcontrol-policies.md
- name: Merge App Control policies
href: deployment/merge-appcontrol-policies.md
- name: Enforce App Control policies
href: deployment/enforce-appcontrol-policies.md
- name: Use code signing for added control and protection with App Control
href: deployment/use-code-signing-for-better-control-and-protection.md
items:
- name: Deploy catalog files to support WDAC
href: deployment/deploy-catalog-files-to-support-wdac.md
- name: Use signed policies to protect Windows Defender Application Control against tampering
href: deployment/use-signed-policies-to-protect-wdac-against-tampering.md
- name: "Optional: Create a code signing cert for WDAC"
href: deployment/create-code-signing-cert-for-wdac.md
- name: Disable WDAC policies
href: deployment/disable-wdac-policies.md
- name: WDAC operational guide
href: operations/wdac-operational-guide.md
- name: Deploy catalog files to support App Control
href: deployment/deploy-catalog-files-to-support-appcontrol.md
- name: Use signed policies to protect App Control for Business against tampering
href: deployment/use-signed-policies-to-protect-appcontrol-against-tampering.md
- name: "Optional: Create a code signing cert for App Control"
href: deployment/create-code-signing-cert-for-appcontrol.md
- name: Disable App Control policies
href: deployment/disable-appcontrol-policies.md
- name: Operational guide
href: operations/appcontrol-operational-guide.md
items:
- name: WDAC debugging and troubleshooting
href: operations/wdac-debugging-and-troubleshooting.md
- name: Understanding Application Control event IDs
- name: App Control debugging and troubleshooting
href: operations/appcontrol-debugging-and-troubleshooting.md
- name: Understanding App Control event IDs
href: operations/event-id-explanations.md
- name: Understanding Application Control event tags
- name: Understanding App Control event tags
href: operations/event-tag-explanations.md
- name: Query WDAC events with Advanced hunting
- name: Query App Control events with Advanced hunting
href: operations/querying-application-control-events-centrally-using-advanced-hunting.md
- name: Known Issues
href: operations/known-issues.md
- name: Managed installer and ISG technical reference and troubleshooting guide
href: operations/configure-wdac-managed-installer.md
href: operations/configure-appcontrol-managed-installer.md
- name: CITool.exe technical reference
href: operations/citool-commands.md
- name: Inbox WDAC policies
href: operations/inbox-wdac-policies.md
- name: WDAC AppId Tagging guide
href: AppIdTagging/wdac-appid-tagging-guide.md
- name: Inbox App Control policies
href: operations/inbox-appcontrol-policies.md
- name: AppId Tagging guide
href: AppIdTagging/appcontrol-appid-tagging-guide.md
items:
- name: Creating AppId Tagging Policies
href: AppIdTagging/design-create-appid-tagging-policies.md

64
windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md Normal file
View File

@ -0,0 +1,64 @@
---
title: App Control and AppLocker Overview
description: Compare Windows application control technologies.
ms.localizationpriority: medium
ms.date: 09/11/2024
ms.topic: conceptual
---
# App Control for Business and AppLocker Overview
[!INCLUDE [Feature availability note](includes/feature-availability-note.md)]
Windows 10 and Windows 11 include two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: App Control for Business and AppLocker.
## App Control for Business
App Control was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows clients. It was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria), defined by the Microsoft Security Response Center (MSRC).
App Control policies apply to the managed computer as a whole and affects all users of the device. App Control rules can be defined based on:
- Attributes of the codesigning certificate(s) used to sign an app and its binaries
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
- The reputation of the app as determined by Microsoft's [Intelligent Security Graph](design/use-appcontrol-with-intelligent-security-graph.md)
- The identity of the process that initiated the installation of the app and its binaries ([managed installer](design/configure-authorized-apps-deployed-with-a-managed-installer.md))
- The [path from which the app or file is launched](design/select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903)
- The process that launched the app or binary
> [!NOTE]
> App Control was originally released as part of Device Guard and called configurable code integrity. Device Guard and configurable code integrity are no longer used except to find where to deploy App Control policy via Group Policy.
### App Control System Requirements
App Control policies can be created and applied on any client edition of Windows 10 or Windows 11, or on Windows Server 2016 and higher. App Control policies can be deployed via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy App Control policies, but is limited to single-policy format policies that work on Windows Server 2016 and 2019.
For more information on which individual App Control features are available on specific App Control builds, see [App Control feature availability](feature-availability.md).
## AppLocker
AppLocker was introduced with Windows 7, and allows organizations to control which applications are allowed to run on their Windows clients. AppLocker helps to prevent end-users from running unapproved software on their computers but doesn't meet the servicing criteria for being a security feature.
AppLocker policies can apply to all users on a computer, or to individual users and groups. AppLocker rules can be defined based on:
- Attributes of the codesigning certificate(s) used to sign an app and its binaries.
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file.
- The path from which the app or file is launched.
AppLocker is also used by some features of App Control, including [managed installer](design/configure-authorized-apps-deployed-with-a-managed-installer.md) and the [Intelligent Security Graph](design/use-appcontrol-with-intelligent-security-graph.md).
### AppLocker System Requirements
AppLocker policies can only be configured on and applied to devices that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md).
AppLocker policies can be deployed using Group Policy or MDM.
## Choose when to use App Control or AppLocker
Generally, customers who are able to implement application control using App Control, rather than AppLocker, should do so. App Control is undergoing continual improvements, and is getting added support from Microsoft management platforms. Although AppLocker continues to receive security fixes, it isn't getting new feature improvements.
However, in some cases, AppLocker might be the more appropriate technology for your organization. AppLocker is best when:
- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS.
- You need to apply different policies for different users or groups on shared computers.
- You don't want to enforce application control on application files such as DLLs or drivers.
AppLocker can also be deployed as a complement to App Control to add user or group-specific rules for shared device scenarios, where it's important to prevent some users from running specific apps. As a best practice, you should enforce App Control at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions.

21
windows/security/application-security/application-control/windows-defender-application-control/wdac.md → windows/security/application-security/application-control/app-control-for-business/appcontrol.md
View File

@ -4,14 +4,13 @@ description: Application Control restricts which applications users are allowed
ms.localizationpriority: medium
ms.collection:
- tier3
ms.date: 08/30/2023
ms.date: 09/11/2024
ms.topic: overview
---
# Application Control for Windows
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
[!INCLUDE [Feature availability note](includes/feature-availability-note.md)]
With thousands of new malicious files created every day, using traditional methods like antivirus solutions-signature-based detection to fight against malware-provides an inadequate defense against new attacks.
@ -26,14 +25,14 @@ Application control is a crucial line of defense for protecting enterprises give
Windows 10 and Windows 11 include two technologies that can be used for application control depending on your organization's specific scenarios and requirements:
- **Windows Defender Application Control (WDAC)**; and
- **App Control for Business**; and
- **AppLocker**
## WDAC and Smart App Control
## App Control and Smart App Control
Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](design/create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy).
Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on App Control, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-appcontrol-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for App Control enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy).
Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must either restart the device or use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect.
Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must either restart the device or use [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect.
| Value | Description |
|-------|-------------|
@ -46,7 +45,7 @@ Smart App Control is only available on clean installation of Windows 11 version
### Smart App Control Enforced Blocks
Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-wdac.md), with a few exceptions for compatibility considerations. The following aren't blocked by Smart App Control:
Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-appcontrol.md), with a few exceptions for compatibility considerations. The following aren't blocked by Smart App Control:
- Infdefaultinstall.exe
- Microsoft.Build.dll
@ -57,7 +56,7 @@ Smart App Control enforces the [Microsoft Recommended Driver Block rules](design
## Related articles
- [WDAC design guide](design/wdac-design-guide.md)
- [WDAC deployment guide](deployment/wdac-deployment-guide.md)
- [WDAC operational guide](operations/wdac-operational-guide.md)
- [App Control design guide](design/appcontrol-design-guide.md)
- [App Control deployment guide](deployment/appcontrol-deployment-guide.md)
- [App Control operational guide](operations/appcontrol-operational-guide.md)
- [AppLocker overview](applocker/applocker-overview.md)

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md → windows/security/application-security/application-control/app-control-for-business/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
View File

@ -3,7 +3,7 @@ title: Add rules for packaged apps to existing AppLocker rule-set
description: This article for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# Add rules for packaged apps to existing AppLocker rule-set

6
windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md → windows/security/application-security/application-control/app-control-for-business/applocker/administer-applocker.md
View File

@ -3,7 +3,7 @@ title: Administer AppLocker
description: This article for IT professionals provides links to specific procedures to use when administering AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 01/03/2024
ms.date: 09/11/2024
---
# Administer AppLocker
@ -27,11 +27,11 @@ AppLocker helps administrators control how users can access and use files, such
| [Edit an AppLocker policy](edit-an-applocker-policy.md) | This article for IT professionals describes the steps required to modify an AppLocker policy. |
| [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This article discusses the steps required to test an AppLocker policy prior to deployment. |
| [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) | This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. |
| [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) | This article for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. |
| [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) | This article for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker policies. |
| [Optimize AppLocker performance](optimize-applocker-performance.md) | This article for IT professionals describes how to optimize AppLocker policy enforcement. |
| [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) | This article for IT professionals describes how to monitor app usage when AppLocker policies are applied. |
| [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) | This article for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. |
| [Working with AppLocker rules](working-with-applocker-rules.md) | This article for IT professionals describes AppLocker rule types and how to work with them for your application control policies. |
| [Working with AppLocker rules](working-with-applocker-rules.md) | This article for IT professionals describes AppLocker rule types and how to work with them for your policies. |
| [Working with AppLocker policies](working-with-applocker-policies.md) | This article for IT professionals provides links to procedural articles about creating, maintaining, and testing AppLocker policies. |
## Using the MMC snap-ins to administer AppLocker

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-architecture-and-components.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-architecture-and-components.md
View File

@ -3,7 +3,7 @@ title: AppLocker architecture and components
description: This article for IT professional describes AppLockers basic architecture and its major components.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# AppLocker architecture and components

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-functions.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-functions.md
View File

@ -3,7 +3,7 @@ title: AppLocker functions
description: This article for the IT professional lists the functions and security levels for AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# AppLocker functions

10
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview.md
View File

@ -1,23 +1,23 @@
---
title: AppLocker
description: This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies.
description: This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker policies.
ms.collection:
- tier3
- must-keep
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 01/03/2024
ms.date: 09/11/2024
---
# AppLocker
This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. AppLocker is also used by some features of Windows Defender Application Control.
This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. AppLocker is also used by some features of App Control for Business.
> [!NOTE]
> AppLocker is a defense-in-depth security feature and not considered a defensible Windows [security feature](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
> AppLocker is a defense-in-depth security feature and not considered a defensible Windows [security feature](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [App Control for Business](../appcontrol-and-applocker-overview.md) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
> [!NOTE]
> By default, AppLocker policy only applies to code launched in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to non-user processes, including those running as SYSTEM. For more information, see [AppLocker rule collection extensions](/windows/security/application-security/application-control/windows-defender-application-control/applocker/rule-collection-extensions#services-enforcement).
> By default, AppLocker policy only applies to code launched in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to non-user processes, including those running as SYSTEM. For more information, see [AppLocker rule collection extensions](rule-collection-extensions.md#services-enforcement).
AppLocker can help you:

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-deployment-guide.md
View File

@ -3,7 +3,7 @@ title: AppLocker deployment guide
description: This article for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# AppLocker deployment guide

6
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-design-guide.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-design-guide.md
View File

@ -3,7 +3,7 @@ title: AppLocker design guide
description: This article for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/22/2023
ms.date: 09/11/2024
---
# AppLocker design guide
@ -12,14 +12,14 @@ This article for the IT professional introduces the design and planning steps re
This guide provides important designing and planning information for deploying application control policies by using AppLocker. Through a sequential and iterative process, you can create an AppLocker policy deployment plan for your organization that addresses your specific application control requirements by department, organizational unit, or business group.
To understand if AppLocker is the correct application control solution for your organization, see [Windows Defender Application Control and AppLocker overview](/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview).
To understand if AppLocker is the correct application control solution for your organization, see [App Control for Business and AppLocker overview](../appcontrol-and-applocker-overview.md).
## In this section
| Article | Description |
| --- | --- |
| [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) | This article describes AppLocker design questions, possible answers, and other considerations when you plan a deployment of application control policies by using AppLocker. |
| [Determine your application control objectives](determine-your-application-control-objectives.md) | This article helps you with the decisions you need to make to determine what applications to control and how to control them using AppLocker. |
| [Determine your application control objectives](../appcontrol-and-applocker-overview.md) | This article helps you with the decisions you need to make to determine what applications to control and how to control them using AppLocker. |
| [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) | This article describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. |
| [Select the types of rules to create](select-types-of-rules-to-create.md) | This article lists resources you can use when selecting your application control policy rules by using AppLocker. |
| [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) | This overview article describes the process to follow when you're planning to deploy AppLocker rules. |

2
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policy-use-scenarios.md
View File

@ -3,7 +3,7 @@ title: AppLocker policy use scenarios
description: This article for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# AppLocker policy use scenarios

7
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-processes-and-interactions.md → windows/security/application-security/application-control/app-control-for-business/applocker/applocker-processes-and-interactions.md
View File

@ -3,13 +3,12 @@ title: AppLocker processes and interactions
description: This article for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 12/23/2023
ms.date: 09/11/2024
---
# AppLocker processes and interactions
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
[!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
This article for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
@ -77,7 +76,7 @@ There are three different types of conditions that can be applied to rules:
An AppLocker policy is a set of rule collections and their corresponding configured enforcement mode settings applied to one or more computers.
- [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)
- [Understand AppLocker enforcement settings](working-with-applocker-rules.md#enforcement-modes)
Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. By default, if enforcement isn't configured and rules are present in a rule collection, those rules are enforced.

Some files were not shown because too many files have changed in this diff Show More