deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Mo changes

Browse Source
This commit is contained in:
Vinay Pamnani 2023-04-11 15:37:44 -04:00
parent 00af39a152
commit e544f2a370
9 changed files with 44 additions and 591 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.openpublishing.redirection.json
View File

@ -6637,7 +6637,7 @@
}, },
{ {
"source_path": "windows/client-management/administrative-tools-in-windows-10.md", "source_path": "windows/client-management/administrative-tools-in-windows-10.md",
"redirect_url": "/windows/client-management/client-tools/administrative-tools-in-windows-10", "redirect_url": "/windows/client-management/client-tools/administrative-tools-in-windows",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -6652,7 +6652,7 @@
}, },
{ {
"source_path": "windows/client-management/group-policies-for-enterprise-and-education-editions.md", "source_path": "windows/client-management/group-policies-for-enterprise-and-education-editions.md",
"redirect_url": "/windows/client-management/client-tools/group-policies-for-enterprise-and-education-editions", "redirect_url": "https://www.microsoft.com/en-us/search/explore?q=Group+Policy+Settings+Reference+Spreadsheet",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -6672,7 +6672,7 @@
}, },
{ {
"source_path": "windows/client-management/new-policies-for-windows-10.md", "source_path": "windows/client-management/new-policies-for-windows-10.md",
"redirect_url": "/windows/client-management/client-tools/new-policies-for-windows-10", "redirect_url": "https://www.microsoft.com/en-us/search/explore?q=Group+Policy+Settings+Reference+Spreadsheet",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {

6
windows/client-management/client-tools/administrative-tools-in-windows-10.md → windows/client-management/client-tools/administrative-tools-in-windows.md
View File

@ -6,7 +6,7 @@ author: vinaypamnani-msft
ms.author: vinpa ms.author: vinpa
manager: aaroncz manager: aaroncz
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 03/28/2022 ms.date: 04/11/2023
ms.topic: article ms.topic: article
ms.collection: ms.collection:
- highpri - highpri
@ -21,7 +21,7 @@ appliesto:
**Windows Tools** is a folder in the Windows 11 Control Panel. **Administrative Tools** is a folder in the Windows 10 Control Panel. These folders contain tools for system administrators and advanced users. **Windows Tools** is a folder in the Windows 11 Control Panel. **Administrative Tools** is a folder in the Windows 10 Control Panel. These folders contain tools for system administrators and advanced users.
## Windows Tools folder (Windows 11) ## Windows Tools folder
The following graphic shows the **Windows Tools** folder in Windows 11: The following graphic shows the **Windows Tools** folder in Windows 11:
@ -31,7 +31,7 @@ The tools in the folder might vary depending on which edition of Windows you use
:::image type="content" source="images/win11-windows-tools.png" alt-text="Screenshot of the contents of the Windows Tools folder in Windows 11." lightbox="images/win11-windows-tools.png"::: :::image type="content" source="images/win11-windows-tools.png" alt-text="Screenshot of the contents of the Windows Tools folder in Windows 11." lightbox="images/win11-windows-tools.png":::
## Administrative Tools folder (Windows 10) ## Administrative Tools folder
The following graphic shows the **Administrative Tools** folder in Windows 10: The following graphic shows the **Administrative Tools** folder in Windows 10:

16
windows/client-management/client-tools/connect-to-remote-aadj-pc.md
View File

@ -1,11 +1,11 @@
--- ---
title: Connect to remote Azure Active Directory joined device (Windows) title: Connect to remote Azure Active Directory joined device
description: Learn how to use Remote Desktop Connection to connect to an Azure AD joined device. description: Learn how to use Remote Desktop Connection to connect to an Azure AD joined device.
ms.prod: windows-client ms.prod: windows-client
author: vinaypamnani-msft author: vinaypamnani-msft
ms.localizationpriority: medium ms.localizationpriority: medium
ms.author: vinpa ms.author: vinpa
ms.date: 01/18/2022 ms.date: 04/11/2023
manager: aaroncz manager: aaroncz
ms.topic: article ms.topic: article
appliesto: appliesto:
@ -19,11 +19,11 @@ ms.technology: itpro-manage
# Connect to remote Azure Active Directory joined device # Connect to remote Azure Active Directory joined device
From its release, Windows has supported remote connections to devices joined to Active Directory using Remote Desktop Protocol (RDP). Windows 10, version 1607 added the ability to connect to a device that is joined to Azure Active Directory (Azure AD) using RDP. Windows supports remote connections to devices joined to Active Directory s well as devices joined to Azure Active Directory (Azure AD) using Remote Desktop Protocol (RDP).
- Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). - Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).
- Starting in Windows 10/11, with 2022-10 update installed, you can [use Azure AD authentication to connect to the remote Azure AD device](#connect-with-azure-ad-authentication). - Starting in Windows 10/11, with 2022-10 update installed, you can [use Azure AD authentication to connect to the remote Azure AD device](#connect-with-azure-ad-authentication).
## Prerequisites ## Prerequisites
- Both devices (local and remote) must be running a supported version of Windows. - Both devices (local and remote) must be running a supported version of Windows.
@ -39,20 +39,20 @@ Azure AD Authentication can be used on the following operating systems for both
- Windows 11 with [2022-10 Cumulative Updates for Windows 11 (KB5018418)](https://support.microsoft.com/kb/KB5018418) or later installed. - Windows 11 with [2022-10 Cumulative Updates for Windows 11 (KB5018418)](https://support.microsoft.com/kb/KB5018418) or later installed.
- Windows 10, version 20H2 or later with [2022-10 Cumulative Updates for Windows 10 (KB5018410)](https://support.microsoft.com/kb/KB5018410) or later installed. - Windows 10, version 20H2 or later with [2022-10 Cumulative Updates for Windows 10 (KB5018410)](https://support.microsoft.com/kb/KB5018410) or later installed.
- Windows Server 2022 with [2022-10 Cumulative Update for Microsoft server operating system (KB5018421)](https://support.microsoft.com/kb/KB5018421) or later installed. - Windows Server 2022 with [2022-10 Cumulative Update for Microsoft server operating system (KB5018421)](https://support.microsoft.com/kb/KB5018421) or later installed.
There's no requirement for the local device to be joined to a domain or Azure AD. As a result, this method allows you to connect to the remote Azure AD joined device from: There's no requirement for the local device to be joined to a domain or Azure AD. As a result, this method allows you to connect to the remote Azure AD joined device from:
- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device. - [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device.
- Active Directory joined device. - Active Directory joined device.
- Workgroup device. - Workgroup device.
Azure AD authentication can also be used to connect to Hybrid Azure AD joined devices. Azure AD authentication can also be used to connect to Hybrid Azure AD joined devices.
To connect to the remote computer: To connect to the remote computer:
- Launch **Remote Desktop Connection** from Windows Search, or by running `mstsc.exe`. - Launch **Remote Desktop Connection** from Windows Search, or by running `mstsc.exe`.
- Select **Use a web account to sign in to the remote computer** option in the **Advanced** tab. This option is equivalent to the `enablerdsaadauth` RDP property. For more information, see [Supported RDP properties with Remote Desktop Services](/windows-server/remote/remote-desktop-services/clients/rdp-files). - Select **Use a web account to sign in to the remote computer** option in the **Advanced** tab. This option is equivalent to the `enablerdsaadauth` RDP property. For more information, see [Supported RDP properties with Remote Desktop Services](/windows-server/remote/remote-desktop-services/clients/rdp-files).
- Specify the name of the remote computer and select **Connect**. - Specify the name of the remote computer and select **Connect**.
> [!NOTE] > [!NOTE]
> IP address cannot be used when **Use a web account to sign in to the remote computer** option is used. > IP address cannot be used when **Use a web account to sign in to the remote computer** option is used.
@ -129,5 +129,3 @@ Remote Desktop Users group is used to grant users and groups permissions to remo
## Related articles ## Related articles
[How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c) [How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c)

34
windows/client-management/client-tools/group-policies-for-enterprise-and-education-editions.md
View File

@ -1,34 +0,0 @@
---
title: Group Policy settings that apply only to Windows 10 Enterprise and Education Editions (Windows 10)
description: Use this topic to learn about Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education.
ms.prod: windows-client
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/14/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: troubleshooting
ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Group Policy settings that apply only to Windows 10 Enterprise and Education Editions
In Windows 10, version 1607, the following Group Policy settings apply only to Windows 10 Enterprise and Windows 10 Education.
| Policy name | Policy path | Comments |
| --- | --- | --- |
| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. |
| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Do not require CTRL+ALT+DEL** </br>combined with</br>**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon </br>and</br>Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](/windows/configuration/set-up-a-device-for-anyone-to-use)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro. </br></br>**Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.|
| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | In Windows 10, version 1703, this policy setting can be applied to Windows 10 Pro. For more info, see [Manage Windows 10 Start layout options and policies](/windows/configuration/windows-10-start-layout-options-and-policies) |
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store). |
| **Only display the private store within the Microsoft Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app<br><br>User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) |
| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) |

58
windows/client-management/client-tools/mandatory-user-profile.md
View File

@ -1,11 +1,11 @@
--- ---
title: Create mandatory user profiles (Windows 10 and Windows 11) title: Create mandatory user profiles
description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users.
ms.prod: windows-client ms.prod: windows-client
author: vinaypamnani-msft author: vinaypamnani-msft
ms.author: vinpa ms.author: vinpa
ms.date: 09/14/2021 ms.date: 04/11/2023
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.topic: article ms.topic: article
ms.collection: ms.collection:
@ -19,26 +19,26 @@ appliesto:
# Create mandatory user profiles # Create mandatory user profiles
A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned. A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to) icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles. Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.
When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile. When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile.
User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile. User profiles become mandatory profiles when the administrator renames the `NTuser.dat` file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile.
## Profile extension for each Windows version ## Profile extension for each Windows version
The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version. The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version.
| Client operating system version | Server operating system version | Profile extension | | Client operating system version | Server operating system version | Profile extension |
| --- | --- | --- | |-------------------------------------|-------------------------------------------------|-------------------|
| Windows XP | Windows Server 2003 </br>Windows Server 2003 R2 | none | | Windows XP | Windows Server 2003 </br>Windows Server 2003 R2 | none |
| Windows Vista</br>Windows 7 | Windows Server 2008 </br>Windows Server 2008 R2 | v2 | | Windows Vista</br>Windows 7 | Windows Server 2008 </br>Windows Server 2008 R2 | v2 |
| Windows 8 | Windows Server 2012 | v3 | | Windows 8 | Windows Server 2012 | v3 |
| Windows 8.1 | Windows Server 2012 R2 | v4 | | Windows 8.1 | Windows Server 2012 R2 | v4 |
| Windows 10, versions 1507 and 1511 | N/A | v5 | | Windows 10, versions 1507 and 1511 | N/A | v5 |
| Windows 10, versions 1607, 1703, 1709, 1803, 1809, 1903 and 1909 | Windows Server 2016 and Windows Server 2019 | v6 | | Windows 10, versions 1607 and later | Windows Server 2016 and Windows Server 2019 | v6 |
For more information, see [Deploy Roaming User Profiles, Appendix B](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](/troubleshoot/windows-server/user-profiles-and-logon/roaming-user-profiles-versioning). For more information, see [Deploy Roaming User Profiles, Appendix B](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](/troubleshoot/windows-server/user-profiles-and-logon/roaming-user-profiles-versioning).
@ -48,10 +48,10 @@ First, you create a default user profile with the customizations that you want,
### How to create a default user profile ### How to create a default user profile
1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account. 1. Sign in to a computer running Windows as a member of the local Administrator group. Do not use a domain account.
> [!NOTE] > [!NOTE]
> Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. > Use a lab or extra computer running a clean installation of Windows to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.
1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on. 1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on.
@ -60,21 +60,21 @@ First, you create a default user profile with the customizations that you want,
1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user's profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file. 1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user's profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](/windows/application-management/apps-in-windows-10). 1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows](/windows/application-management/apps-in-windows-10).
> [!NOTE] > [!NOTE]
> It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times. > It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
1. At a command prompt, type the following command and press **ENTER**. 1. At a command prompt, type the following command and press **ENTER**.
```console ```cmd
sysprep /oobe /reboot /generalize /unattend:unattend.xml sysprep /oobe /reboot /generalize /unattend:unattend.xml
``` ```
(Sysprep.exe is located at: C:\\Windows\\System32\\sysprep. By default, Sysprep looks for unattend.xml in this same folder.) (Sysprep.exe is located at: `C:\Windows\System32\sysprep`. By default, Sysprep looks for `unattend.xml` in the same folder.)
> [!TIP] > [!TIP]
> If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following: > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open `%WINDIR%\System32\Sysprep\Panther\setupact.log` and look for an entry like the following:
> >
> ![Microsoft Bing Translator package error.](images/sysprep-error.png) > ![Microsoft Bing Translator package error.](images/sysprep-error.png)
> >
@ -94,7 +94,7 @@ First, you create a default user profile with the customizations that you want,
1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**. 1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with ".v6" to identify it as a user profile folder for Windows 10, version 1607. 1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with `.v6` to identify it as a user profile folder for Windows 10, version 1607 or later.
- If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path. - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
@ -102,8 +102,6 @@ First, you create a default user profile with the customizations that you want,
- If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location. - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
![Example of Copy To UI with UNC path.](images/copy-to-path.png)
1. Click **OK** to copy the default user profile. 1. Click **OK** to copy the default user profile.
### How to make the user profile mandatory ### How to make the user profile mandatory
@ -127,7 +125,7 @@ In a domain, you modify properties for the user account to point to the mandator
1. Right-click the user name and open **Properties**. 1. Right-click the user name and open **Properties**.
1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\\profile.v6, you would enter \\\\*server*\\profile. 1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is `\\server\share\profile.v6`, you would enter `\\server\share\profile`.
1. Click **OK**. 1. Click **OK**.
@ -135,16 +133,16 @@ It may take some time for this change to replicate to all domain controllers.
## Apply policies to improve sign-in time ## Apply policies to improve sign-in time
When a user is configured with a mandatory profile, Windows 10 starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. (The table shows which operating system versions each policy setting can apply to.) When a user is configured with a mandatory profile, Windows starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table.
| Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 | | Group Policy setting | Windows 10 | Windows Server 2016 |
| --- | --- | --- | --- | --- | |-----------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------|----------------------------------------|
| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | | Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) |
| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | | Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) |
| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported.](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | | Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported.](images/checkmark.png) | ![not supported](images/crossmark.png) |
> [!NOTE] > [!NOTE]
> The Group Policy settings above can be applied in Windows 10 Professional edition. > The Group Policy settings above can be applied in Windows Professional edition.
## Related topics ## Related topics

507
windows/client-management/client-tools/new-policies-for-windows-10.md
View File

@ -1,507 +0,0 @@
---
title: New policies for Windows 10 (Windows 10)
description: Learn how Windows 10 includes new policies for management, like Group Policy settings for the Windows system and components.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.prod: windows-client
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/15/2021
ms.topic: reference
ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# New policies for Windows 10
As of September 2020 This page will no longer be updated. To find the Group Polices that ship in each version of Windows, refer to the Group Policy Settings Reference Spreadsheet. You can always locate the most recent version of the Spreadsheet by searching the Internet for "Windows Version + Group Policy Settings Reference".
For example, searching for "Windows 2004" + "Group Policy Settings Reference Spreadsheet" in a web browser will return to you the link to download the Group Policy Settings Reference Spreadsheet for Windows 2004.
The latest [group policy reference for Windows 10 version 2004 is available here](https://www.microsoft.com/download/101451).
## New Group Policy settings in Windows 10, version 1903
The following Group Policy settings were added in Windows 10, version 1903:
**System**
- System\Service Control Manager Settings\Security Settings\Enable svchost.exe mitigation options
- System\Storage Sense\Allow Storage Sense
- System\Storage Sense\Allow Storage Sense Temporary Files cleanup
- System\Storage Sense\Configure Storage Sense
- System\Storage Sense\Configure Storage Sense Cloud content dehydration threshold
- System\Storage Sense\Configure Storage Sense Recycle Bin cleanup threshold
- System\Storage Sense\Configure Storage Sense Downloads cleanup threshold
- System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Troubleshooting:Allow users to access recommended troubleshooting for known problems
**Windows Components**
- Windows Components\App Privacy\Let Windows apps activate with voice
- Windows Components\App Privacy\Let Windows apps activate with voice while the system is locked
- Windows Components\Data Collection and Preview Builds\Allow commercial data pipeline
- Windows Components\Data Collection and Preview Builds\Configure collection of browsing data for Desktop Analytics
- Windows Components\Data Collection and Preview Builds\Configure diagnostic data upload endpoint for Desktop Analytics
- Windows Components\Delivery Optimization\Delay background download Cache Server fallback (in seconds)
- Windows Components\Delivery Optimization\Delay Foreground download Cache Server fallback (in seconds)
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use WDDM graphics display driver for Remote Desktop Connections
- Windows Components\Windows Logon Options\Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot
## New Group Policy settings in Windows 10, version 1809
The following Group Policy settings were added in Windows 10, version 1809:
**Start Menu and Taskbar**
- Start Menu and Taskbar\Force Start to be either full screen size or menu size
- Start Menu and Taskbar\Remove "Recently added" list from Start Menu
- Start Menu and Taskbar\Remove All Programs list from the Start menu
- Start Menu and Taskbar\Remove frequent programs list from the Start Menu
**System**
- System\Group Policy\Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services
- System\Group Policy\Configure Applications preference extension policy processing
- System\Group Policy\Configure Data Sources preference extension policy processing
- System\Group Policy\Configure Devices preference extension policy processing
- System\Group Policy\Configure Drive Maps preference extension policy processing
- System\Group Policy\Configure Environment preference extension policy processing
- System\Group Policy\Configure Files preference extension policy processing
- System\Group Policy\Configure Folder Options preference extension policy processing
- System\Group Policy\Configure Folders preference extension policy processing
- System\Group Policy\Configure Ini Files preference extension policy processing
- System\Group Policy\Configure Internet Settings preference extension policy processing
- System\Group Policy\Configure Local Users and Groups preference extension policy processing
- System\Group Policy\Configure Network Options preference extension policy processing
- System\Group Policy\Configure Network Shares preference extension policy processing
- System\Group Policy\Configure Power Options preference extension policy processing
- System\Group Policy\Configure Printers preference extension policy processing
- System\Group Policy\Configure Regional Options preference extension policy processing
- System\Group Policy\Configure Registry preference extension policy processing
- System\Group Policy\Configure Scheduled Tasks preference extension policy processing
- System\Group Policy\Configure Services preference extension policy processing
- System\Group Policy\Configure Shortcuts preference extension policy processing
- System\Group Policy\Configure Start Menu preference extension policy processing
- System\Group Policy\Logging and tracing\Configure Applications preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Data Sources preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Devices preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Drive Maps preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Environment preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Files preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Folder Options preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Folders preference logging and tracing
- System\Group Policy\Logging and tracing\Configure INI Files preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Internet Settings preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Local Users and Groups preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Network Options preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Network Shares preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Power Options preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Printers preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Regional Options preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Registry preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Scheduled Tasks preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Services preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Shortcuts preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Start Menu preference logging and tracing
- System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection
- System\OS Policies\Allow Clipboard History
- System\OS Policies\Allow Clipboard synchronization across devices
**Windows Components**
- Windows Components\Data Collection and Preview Builds\Configure Microsoft 365 Update Readiness upload endpoint
- Windows Components\Data Collection and Preview Builds\Disable deleting diagnostic data
- Windows Components\Data Collection and Preview Builds\Disable diagnostic data viewer
- Windows Components\Delivery Optimization\[Reserved for future use] Cache Server Hostname
- Windows Components\Location and Sensors\Windows Location Provider\Turn off Windows Location Provider
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\DFS Management
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\File Server Resource Manager
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Share and Storage Management
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Storage Manager for SANs
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\DFS Management Extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\Disk Management Extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\File Server Resource Manager Extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\Share and Storage Management Extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\Storage Manager for SANS Extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy Management Editor
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy Starter GPO Editor
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Application snap-ins
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Applications preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Control Panel Settings (Computers)
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Control Panel Settings (Users)
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Data Sources preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Devices preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Drive Maps preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Environment preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Files preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Folder Options preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Folders preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Ini Files preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Internet Settings preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Local Users and Groups preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Network Options preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Network Shares preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Power Options preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Preferences tab
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Printers preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Regional Options preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Registry preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Scheduled Tasks preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Services preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Shortcuts preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Start Menu preference extension
- Windows Components\OOBE\Don't launch privacy settings experience on user logon
- Windows Components\OOBE\Don't launch privacy settings experience on user logon
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Do not use Remote Desktop Session Host server IP address when virtual IP address is not available
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Select the network adapter to be used for Remote Desktop IP Virtualization
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Turn off Windows Installer RDS Compatibility
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Turn on Remote Desktop IP Virtualization
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow remote start of unlisted programs
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Turn off Fair Share CPU Scheduling
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Allow time zone redirection
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow Clipboard redirection
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Redirect only the default client printer
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Redirect only the default client printer
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker\Use RD Connection Broker load balancing
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Allow desktop composition for remote desktop sessions
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Always show desktop on connection
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Do not allow font smoothing
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Remove remote desktop wallpaper
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for logoff of RemoteApp sessions
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for logoff of RemoteApp sessions
- Windows Components\Microsoft Defender Antivirus\Configure detection for potentially unwanted applications
- Windows Components\Microsoft Defender Antivirus\Scan\Configure low CPU priority for scheduled scans
- Windows Components\Windows Defender Application Guard\Allow camera and microphone access in Windows Defender Application Guard
- Windows Components\Windows Defender Application Guard\Allow users to trust files that open in Windows Defender Application Guard
- Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the user's device
- Windows Components\Windows Defender Application Guard\Configure additional sources for untrusted files in Windows Defender Application Guard
- Windows Components\Windows Hello for Business\Use Windows Hello for Business certificates as smart card certificates
- Windows Components\Windows Media Player\Do Not Show First Use Dialog Boxes
- Windows Components\Windows Media Player\Prevent Automatic Updates
- Windows Components\Windows Media Player\Prevent CD and DVD Media Information Retrieval
- Windows Components\Windows Media Player\Prevent Desktop Shortcut Creation
- Windows Components\Windows Media Player\Prevent Media Sharing
- Windows Components\Windows Media Player\Prevent Music File Media Information Retrieval
- Windows Components\Windows Media Player\Prevent Quick Launch Toolbar Shortcut Creation
- Windows Components\Windows Media Player\Prevent Radio Station Preset Retrieval
- Windows Components\Windows Media Player\Prevent Video Smoothing
- Windows Components\Windows Media Player\Networking\Configure HTTP Proxy
- Windows Components\Windows Media Player\Networking\Configure MMS Proxy
- Windows Components\Windows Media Player\Networking\Configure Network Buffering
- Windows Components\Windows Media Player\Networking\Configure RTSP Proxy
- Windows Components\Windows Media Player\Networking\Hide Network Tab
- Windows Components\Windows Media Player\Networking\Streaming Media Protocols
- Windows Components\Windows Media Player\Playback\Allow Screen Saver
- Windows Components\Windows Media Player\Playback\Prevent Codec Download
- Windows Components\Windows Media Player\User Interface\Do Not Show Anchor
- Windows Components\Windows Media Player\User Interface\Hide Privacy Tab
- Windows Components\Windows Media Player\User Interface\Hide Security Tab
- Windows Components\Windows Media Player\User Interface\Set and Lock Skin
- Windows Components\Windows Security\Account protection\Hide the Account protection area
- Windows Components\Windows Security\App and browser protection\Hide the App and browser protection area
- Windows Components\Windows Security\App and browser protection\Prevent users from modifying settings
- Windows Components\Windows Security\Device performance and health\Hide the Device performance and health area
- Windows Components\Windows Security\Device security\Disable the Clear TPM button
- Windows Components\Windows Security\Device security\Hide the Device security area
- Windows Components\Windows Security\Device security\Hide the Secure boot area
- Windows Components\Windows Security\Device security\Hide the Security processor (TPM) troubleshooter page
- Windows Components\Windows Security\Device security\Hide the TPM Firmware Update recommendation
- Windows Components\Windows Security\Enterprise Customization\Configure customized contact information
- Windows Components\Windows Security\Enterprise Customization\Configure customized notifications
- Windows Components\Windows Security\Enterprise Customization\Specify contact company name
- Windows Components\Windows Security\Enterprise Customization\Specify contact email address or Email ID
- Windows Components\Windows Security\Enterprise Customization\Specify contact phone number or Skype ID
- Windows Components\Windows Security\Enterprise Customization\Specify contact website
- Windows Components\Windows Security\Family options\Hide the Family options area
- Windows Components\Windows Security\Firewall and network protection\Hide the Firewall and network protection area
- Windows Components\Windows Security\Notifications\Hide all notifications
- Windows Components\Windows Security\Notifications\Hide non-critical notifications
- Windows Components\Windows Security\Systray\Hide Windows Security Systray
- Windows Components\Windows Security\Virus and threat protection\Hide the Ransomware data recovery area
- Windows Components\Windows Security\Virus and threat protection\Hide the Virus and threat protection area
- Windows Components\Windows Update\Display options for update notifications
- Windows Components\Windows Update\Remove access to "Pause updates" feature
**Control Panel**
- Control Panel\Settings Page Visibility
- Control Panel\Regional and Language Options\Allow users to enable online speech recognition services
**Network**
- Network\Windows Connection Manager\Enable Windows to soft-disconnect a computer from a network
## New Group Policy settings in Windows 10, version 1803
The following Group Policy settings were added in Windows 10, version 1803:
**System**
- System\Credentials Delegation\Encryption Oracle Remediation
- System\Group Policy\Phone-PC linking on this device
- System\OS Policies\Allow upload of User Activities
**Windows Components**
- Windows Components\App Privacy\Let Windows apps access an eye tracker device
- Windows Components\Cloud Content\Turn off Windows Spotlight on Settings
- Windows Components\Data Collection and Preview Builds\Allow device name to be sent in Windows diagnostic data
- Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface
- Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in change notifications
- Windows Components\Delivery Optimization\Maximum Background Download Bandwidth (percentage)
- Windows Components\Delivery Optimization\Maximum Foreground Download Bandwidth (percentage)
- Windows Components\Delivery Optimization\Select the source of Group IDs
- Windows Components\Delivery Optimization\Delay background download from http (in secs)
- Windows Components\Delivery Optimization\Delay Foreground download from http (in secs)
- Windows Components\Delivery Optimization\Select a method to restrict Peer Selection
- Windows Components\Delivery Optimization\Set Business Hours to Limit Background Download Bandwidth
- Windows Components\Delivery Optimization\Set Business Hours to Limit Foreground Download Bandwidth
- Windows Components\IME\Turn on Live Sticker
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow video capture redirection
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use hardware graphics adapters for all Remote Desktop Services sessions
- Windows Components\Search\Allow Cortana Page in OOBE on an Azure Active Directory account
- Windows Components\Store\Disable all apps from Microsoft Store
- Windows Components\Text Input\Allow Uninstallation of Language Features
- Windows Components\Text Input\Improve inking and typing recognition
- Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard
- Windows Components\Windows Defender Security Center\Account protection\Hide the Account protection area
- Windows Components\Windows Defender Security Center\Device security\Hide the Device security area
- Windows Components\Windows Defender Security Center\Device security\Hide the Security processor (TPM) troubleshooter page
- Windows Components\Windows Defender Security Center\Device security\Hide the Secure boot area
- Windows Components\Windows Defender Security Center\Virus and threat protection\Hide the Ransomware data recovery area
## New Group Policy settings in Windows 10, version 1709
The following Group Policy settings were added in Windows 10, version 1709:
**Control Panel**
- Control Panel\Allow Online Tips
**Network**
- Network\Network Connectivity Status Indicator\Specify global DNS
- Network\WWAN Service\WWAN UI Settings\Set Per-App Cellular Access UI Visibility
- Network\WWAN Service\Cellular Data Access\Let Windows apps access cellular data
**System**
- System\Device Health Attestation Service\Enable Device Health Attestation Monitoring and Reporting
- System\OS Policies\Enables Activity Feed
- System\OS Policies\Allow publishing of User Activities
- System\Power Management\Power Throttling Settings\Turn off Power Throttling
- System\Storage Health\Allow downloading updates to the Disk Failure Prediction Model
- System\Trusted Platform Module Services\Configure the system to clear the TPM if it is not in a ready state.
**Windows Components**
- Windows Components\App Privacy\Let Windows apps communicate with unpaired devices
- Windows Components\Data Collection and Preview Builds\Limit Enhanced diagnostic data to the minimum required by Windows Analytics
- Windows Components\Handwriting\Handwriting Panel Default Mode Docked
- Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing\Hide the button (next to the New Tab button) that opens Microsoft Edge
- Windows Components\MDM\Auto MDM Enrollment with Azure Active Directory Token
- Windows Components\Messaging\Allow Message Service Cloud Sync
- Windows Components\Microsoft Edge\Always show the Books Library in Microsoft Edge
- Windows Components\Microsoft Edge\Provision Favorites
- Windows Components\Microsoft Edge\Prevent changes to Favorites on Microsoft Edge
- Windows Components\Microsoft FIDO Authentication\Enable usage of FIDO devices to sign on
- Windows Components\OneDrive\Prevent OneDrive from generating network traffic until the user signs in to OneDrive
- Windows Components\Push To Install\Turn off Push To Install service
- Windows Components\Search\Allow Cloud Search
- Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard
- Windows Components\Windows Defender Application Guard\Allow auditing events in Windows Defender Application Guard
- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Network Protection\Prevent users and apps from accessing dangerous websites
- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure Controlled folder access
- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules
- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Exclude files and paths from Attack Surface Reduction Rules
- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure allowed applications
- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure protected folders
- Windows Components\Windows Defender Exploit Guard\Exploit Protection\Use a common set of exploit protection settings
- Windows Components\Windows Defender Security Center\Virus and threat protection\Hide the Virus and threat protection area
- Windows Components\Windows Defender Security Center\Firewall and network protection\Hide the Firewall and network protection area
- Windows Components\Windows Defender Security Center\App and browser protection\Hide the App and browser protection area
- Windows Components\Windows Defender Security Center\App and browser protection\Prevent users from modifying settings
- Windows Components\Windows Defender Security Center\Device performance and health\Hide the Device performance and health area
- Windows Components\Windows Defender Security Center\Family options\Hide the Family options area
- Windows Components\Windows Defender Security Center\Notifications\Hide all notifications
- Windows Components\Windows Defender Security Center\Notifications\Hide non-critical notifications
- Windows Components\Windows Defender Security Center\Enterprise Customization\Configure customized notifications
- Windows Components\Windows Defender Security Center\Enterprise Customization\Configure customized contact information
- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact company name
- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact phone number or Skype ID
- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact email address or Email ID
- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact website
- Windows Components\Windows Hello for Business\Configure device unlock factors
- Windows Components\Windows Hello for Business\Configure dynamic lock factors
- Windows Components\Windows Hello for Business\Turn off smart card emulation
- Windows Components\Windows Hello for Business\Allow enumeration of emulated smart card for all users
- Windows Components\Windows Update\Allow updates to be downloaded automatically over metered connections
- Windows Components\Windows Update\Do not allow update deferral policies to cause scans against Windows Update
## New Group Policy settings in Windows 10, version 1703
The following Group Policy settings were added in Windows 10, version 1703:
**Control Panel**
- Control Panel\Add or Remove Programs\Specify default category for Add New Programs
- Control Panel\Add or Remove Programs\Hide the "Add a program from CD-ROM or floppy disk" option
- Control Panel\Personalization\Prevent changing lock screen and logon image
**Network**
- Network\Background Intelligent Transfer Service (BITS)\Limit the maximum network bandwidth for BITS background transfers
- Network\Background Intelligent Transfer Service (BITS)\Allow BITS Peercaching
- Network\Background Intelligent Transfer Service (BITS)\Limit the age of files in the BITS Peercache
- Network\Background Intelligent Transfer Service (BITS)\Limit the BITS Peercache size
- Network\DNS Client\Allow NetBT queries for fully qualified domain names
- Network\Network Connections\Prohibit access to properties of components of a LAN connection
- Network\Network Connections\Ability to Enable/Disable a LAN connection
- Network\Offline Files\Turn on economical application of administratively assigned Offline Files
- Network\Offline Files\Configure slow-link mode
- Network\Offline Files\Enable Transparent Caching
- Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Site-Local Clouds\Set the Seed Server
- Network\Microsoft Peer-to-Peer Networking Services\Disable password strength validation for Peer Grouping
**System**
- System\App-V\Streaming\Location Provider
- System\App-V\Streaming\Certificate Filter For Client SSL
- System\Credentials Delegation\Allow delegating default credentials with NTLM-only server authentication
- System\Ctrl+Alt+Del Options\Remove Change Password
- System\Ctrl+Alt+Del Options\Remove Lock Computer
- System\Ctrl+Alt+Del Options\Remove Task Manager
- System\Ctrl+Alt+Del Options\Remove Logoff
- System\Device Installation\Do not send a Windows error report when a generic driver is installed on a device
- System\Device Installation\Prevent Windows from sending an error report when a device driver requests additional software during installation
- System\Locale Services\Disallow user override of locale settings
- System\Logon\Do not process the legacy run list
- System\Logon\Always use custom logon background
- System\Logon\Do not display network selection UI
- System\Logon\Block user from showing account details on sign-in
- System\Logon\Turn off app notifications on the lock screen
- System\User Profiles\Establish timeout value for dialog boxes
- System\Enable Windows NTP Server\Windows Time Service\Enable Windows NTP Client
**Windows Components**
- Windows Components\ActiveX Installer Service\Approved Installation Sites for ActiveX Controls
- Windows Components\ActiveX Installer Service\Establish ActiveX installation policy for sites in Trusted zones
- Windows Components\Application Compatibility\Turn off Application Compatibility Engine
- Windows Components\Application Compatibility\Turn off Program Compatibility Assistant
- Windows Components\Application Compatibility\Turn off Steps Recorder
- Windows Components\Attachment Manager\Notify antivirus programs when opening attachments
- Windows Components\Biometrics\Allow the use of biometrics
- Windows Components\NetMeeting\Disable Whiteboard
- Windows Components\Data Collection and Preview Builds\Configure the Commercial ID
- Windows Components\File Explorer\Display the menu bar in File Explorer
- Windows Components\File History\Turn off File History
- Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\Play animations in web pages
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone\Turn on Cross-Site Scripting Filter
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Turn on Cross-Site Scripting Filter
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone\Run ActiveX controls and plugins
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone\Script ActiveX controls marked safe for scripting
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone\Run ActiveX controls and plugins
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone\Script ActiveX controls marked safe for scripting
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone\Run ActiveX controls and plugins
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone\Script ActiveX controls marked safe for scripting
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone\Run ActiveX controls and plugins
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone\Script ActiveX controls marked safe for scripting
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone\Run ActiveX controls and plugins
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone\Script ActiveX controls marked safe for scripting
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Run ActiveX controls and plugins
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Script ActiveX controls marked safe for scripting
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Run ActiveX controls and plugins
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Script ActiveX controls marked safe for scripting
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone\Run ActiveX controls and plugins
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone\Script ActiveX controls marked safe for scripting
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone\Run ActiveX controls and plugins
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone\Script ActiveX controls marked safe for scripting
- Windows Components\Internet Explorer\Accelerators\Restrict Accelerators to those deployed through Group Policy
- Windows Components\Internet Explorer\Compatibility View\Turn on Internet Explorer 7 Standards Mode
- Windows Components\Location and Sensors\Windows Location Provider\Turn off Windows Location Provider
- Windows Components\Microsoft Account\Block all consumer Microsoft account user authentication
- Windows Components\Microsoft Edge\Configure Autofill
- Windows Components\Microsoft Edge\Allow Developer Tools
- Windows Components\Microsoft Edge\Configure Do Not Track
- Windows Components\Microsoft Edge\Allow InPrivate browsing
- Windows Components\Microsoft Edge\Configure Password Manager
- Windows Components\Microsoft Edge\Configure Pop-up Blocker
- Windows Components\Microsoft Edge\Allow search engine customization
- Windows Components\Microsoft Edge\Configure search suggestions in Address bar
- Windows Components\Microsoft Edge\Set default search engine
- Windows Components\Microsoft Edge\Configure additional search engines
- Windows Components\Microsoft Edge\Configure the Enterprise Mode Site List
- Windows Components\Microsoft Edge\Prevent using Localhost IP address for WebRTC
- Windows Components\Microsoft Edge\Configure Start pages
- Windows Components\Microsoft Edge\Disable lockdown of Start pages
- Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
- Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\.Net Framework Configuration
- Windows Components\Windows Installer\Prohibit use of Restart Manager
- Windows Components\Desktop Gadgets\Restrict unpacking and installation of gadgets that are not digitally signed.
- Windows Components\Desktop Gadgets\Turn Off user-installed desktop gadgets
- Windows Components\OneDrive\Prevent the usage of OneDrive for file storage
- Windows Components\OneDrive\Prevent the usage of OneDrive for file storage on Windows 8.1
- Windows Components\OneDrive\Prevent OneDrive files from syncing over metered connections
- Windows Components\OneDrive\Save documents to OneDrive by default
- Windows Components\Smart Card\Allow certificates with no extended key usage certificate attribute
- Windows Components\Smart Card\Turn on certificate propagation from smart card
- Windows Components\Tablet PC\Pen UX Behaviors\Prevent flicks
- Windows Components\BitLocker Drive Encryption\Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507])
- Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on behavior monitoring
- Windows Components\Microsoft Defender Antivirus\Signature Updates\Define file shares for downloading definition updates
- Windows Components\Microsoft Defender Antivirus\Signature Updates\Turn on scan after signature update
- Windows Components\File Explorer\Display confirmation dialog when deleting files
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Allow OpenSearch queries in File Explorer
- Windows Components\Windows Update\Remove access to use all Windows Update features
- Windows Components\Windows Update\Configure Automatic Updates
- Windows Components\Windows Update\Specify intranet Microsoft update service location
- Windows Components\Windows Update\Automatic Updates detection frequency
- Windows Components\Windows Update\Allow non-administrators to receive update notifications
- Windows Components\Windows Update\Allow Automatic Updates immediate installation
- Windows Components\Windows Update\Turn on recommended updates via Automatic Updates
- Windows Components\Shutdown Options\Turn off legacy remote shutdown interface
For a spreadsheet of Group Policy settings included in Windows 10 and Windows Server 2016, see [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=613627).
## New MDM policies
Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education include previous Windows Phone settings, and new or enhanced settings for Windows 10, such as:
- Defender (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education only)
- Enhanced Bluetooth policies
- Passport and Hello
- Device update
- Hardware-based device health attestation
- [Kiosk mode](/windows/configuration/set-up-a-device-for-anyone-to-use), start screen, start menu layout
- Security
- [VPN](/windows/security/identity-protection/vpn/vpn-profile-options) and enterprise Wi-Fi management
- Certificate management
- Windows Tips
- Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu
Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](../mdm/policy-configuration-service-provider.md).
If you use Microsoft Intune for MDM, you can [configure custom policies](/mem/intune/configuration/custom-settings-configure) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](/mem/intune/configuration/custom-settings-windows-10).
No new [Exchange ActiveSync policies](/exchange/mobile-device-mailbox-policies-exchange-2013-help). For more information, see the [ActiveSync configuration service provider](../mdm/activesync-csp.md) technical reference.
## Related topics
- [Group Policy Settings Reference Spreadsheet Windows 1803](https://www.microsoft.com/download/details.aspx?id=56946)
- [Manage corporate devices](../manage-corporate-devices.md)
- [Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10)

2
windows/client-management/client-tools/quick-assist.md
View File

@ -1,6 +1,7 @@
--- ---
title: Use Quick Assist to help users title: Use Quick Assist to help users
description: Learn how IT Pros can use Quick Assist to help users. description: Learn how IT Pros can use Quick Assist to help users.
ms.date: 04/11/2023
ms.prod: windows-client ms.prod: windows-client
ms.topic: article ms.topic: article
ms.technology: itpro-manage ms.technology: itpro-manage
@ -15,7 +16,6 @@ appliesto:
ms.collection: ms.collection:
- highpri - highpri
- tier1 - tier1
ms.date: 03/06/2023
--- ---
# Use Quick Assist to help users # Use Quick Assist to help users

4
windows/client-management/client-tools/toc.yml
View File

@ -1,14 +1,12 @@
items: items:
- name: Windows Tools/Administrative Tools - name: Windows Tools/Administrative Tools
href: administrative-tools-in-windows-10.md href: administrative-tools-in-windows.md
- name: Use Quick Assist to help users - name: Use Quick Assist to help users
href: quick-assist.md href: quick-assist.md
- name: Connect to remote Azure Active Directory-joined PC - name: Connect to remote Azure Active Directory-joined PC
href: connect-to-remote-aadj-pc.md href: connect-to-remote-aadj-pc.md
- name: Create mandatory user profiles - name: Create mandatory user profiles
href: mandatory-user-profile.md href: mandatory-user-profile.md
- name: New policies for Windows 10
href: new-policies-for-windows-10.md
- name: Windows 10 default media removal policy - name: Windows 10 default media removal policy
href: change-default-removal-policy-external-storage-media.md href: change-default-removal-policy-external-storage-media.md
- name: Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education - name: Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education

2
windows/client-management/manage-windows-10-in-your-organization-modern-management.md
View File

@ -28,7 +28,7 @@ This six-minute video demonstrates how users can bring in a new retail device an
> [!NOTE] > [!NOTE]
> The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal) > The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal)
This article offers guidance on strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment. It covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle: This article offers guidance on strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment. It covers [management options](#reviewing-the-management-options-for-windows) plus the four stages of the device lifecycle:
- [Deployment and Provisioning](#deployment-and-provisioning) - [Deployment and Provisioning](#deployment-and-provisioning)
- [Identity and Authentication](#identity-and-authentication) - [Identity and Authentication](#identity-and-authentication)