Learn how you can bring together the best-in-class productivity and collaboration capabilities of Office 365 with device management and security solutions to safeguard business data for small and midsize businesses (SMB).
Get help on the most common admin tasks in the Microsoft 365 Business admin center. The Microsoft 365 Business admin center is lot like the Office 365 admin center so the admin guidance we provide for Office 365 admin center also apply to Microsoft 365 Business.
Learn how you can bring together the best-in-class productivity and collaboration capabilities of Office 365 with device management and security solutions to safeguard business data for small and midsize businesses (SMB).
Get help on the most common admin tasks in the Microsoft 365 Business admin center. The Microsoft 365 Business admin center is lot like the Office 365 admin center so the admin guidance we provide for Office 365 admin center also apply to Microsoft 365 Business.
diff --git a/bcs/support/images/pc_customer_m365bpreview_suspend.png b/bcs/support/images/pc_customer_m365bpreview_suspend.png
deleted file mode 100644
index 7017cf8105..0000000000
Binary files a/bcs/support/images/pc_customer_m365bpreview_suspend.png and /dev/null differ
diff --git a/bcs/support/images/pc_customer_m365bpreview_suspend_confirm.png b/bcs/support/images/pc_customer_m365bpreview_suspend_confirm.png
deleted file mode 100644
index f44337889b..0000000000
Binary files a/bcs/support/images/pc_customer_m365bpreview_suspend_confirm.png and /dev/null differ
diff --git a/bcs/support/images/pc_customer_reviewnewsubscription.png b/bcs/support/images/pc_customer_reviewnewsubscription.png
deleted file mode 100644
index 6f67c31383..0000000000
Binary files a/bcs/support/images/pc_customer_reviewnewsubscription.png and /dev/null differ
diff --git a/bcs/support/images/pc_customer_subscriptions.PNG b/bcs/support/images/pc_customer_subscriptions.PNG
deleted file mode 100644
index 77fba8ef8b..0000000000
Binary files a/bcs/support/images/pc_customer_subscriptions.PNG and /dev/null differ
diff --git a/bcs/support/images/pc_customer_subscriptions_1.png b/bcs/support/images/pc_customer_subscriptions_1.png
deleted file mode 100644
index fc27c2c26c..0000000000
Binary files a/bcs/support/images/pc_customer_subscriptions_1.png and /dev/null differ
diff --git a/bcs/support/images/pc_customer_userslicenses_m365b_validate.png b/bcs/support/images/pc_customer_userslicenses_m365b_validate.png
deleted file mode 100644
index 1af38b82af..0000000000
Binary files a/bcs/support/images/pc_customer_userslicenses_m365b_validate.png and /dev/null differ
diff --git a/bcs/support/microsoft-365-business-faqs.md b/bcs/support/microsoft-365-business-faqs.md
deleted file mode 100644
index 8dec00bbf8..0000000000
--- a/bcs/support/microsoft-365-business-faqs.md
+++ /dev/null
@@ -1,186 +0,0 @@
----
-title: Microsoft 365 Business Frequently Asked Questions
-description: Find answers to the most frequently asked questions about Microsoft 365 Business, a new solution designed for small and midsize businesses (SMB).
-author: CelesteDG
-ms.author: celested
-ms.topic: article
-ms.prod: microsoft-365-business
-ms.localizationpriority: high
-audience: microsoft-business
-keywords: Microsoft 365 Business, Microsoft 365, SMB, FAQ, frequently asked questions, answers, business
-ms.date: 11/02/2017
----
-
-
-# Microsoft 365 Business Frequently Asked Questions
-
-## General
-
-### What is Microsoft 365 Business?
-Microsoft 365 is an integrated solution that brings together best-in-class productivity tools, security and device management capabilities for small to medium-sized businesses.
-
-**A holistic set of business productivity and collaboration tools**
-* Word, Excel, PowerPoint, Outlook, OneNote, Publisher, and Access
-* Exchange, OneDrive, Skype for Business, Microsoft Teams, SharePoint
-* Business apps from Office (Bookings, Outlook Customer Manager, MileIQ[1](#footnote1), Microsoft Listings[1](#footnote1), Microsoft Connections[1](#footnote1), Microsoft Invoicing[1](#footnote1))
-
-**Enterprise-grade device management and security capabilities**
-* App protection for Office mobile apps
-* Device management for Windows 10 PCs
-* Consistent security configuration across devices
-* Protection of company data across devices
-* Windows Defender, always-on and up-to-date
-
-**Simplified device deployment and user setup**
-* Single admin console to setup and manage users and devices
-* Auto-installation of Office apps on Windows 10 PCs
-* Always up-to-date Office + Windows 10
-* Streamlined deployment of PCs with Windows AutoPilot
-
-### Who should consider adopting Microsoft 365 Business?
-Microsoft 365 Business was built for small and medium-sized customers that have little to no IT resources on staff and want best-in-class productivity and collaboration capabilities of Office 365 together with device management and security solutions that safeguard business data. The Microsoft 365 Business customer is ready to move their IT operations to the cloud and is interested in maintaining a proactive stance to help protect data on both company and employee-owned devices.
-
-### How can I get Microsoft 365 Business for my business?
-Microsoft 365 Business may be purchased through a Microsoft Partner or directly from Microsoft. In choosing whether to purchase directly from Microsoft or via a Microsoft Partner, you should consider your on-staff capability and desire to maintain an IT infrastructure. A Microsoft Partner can help you deploy and manage your IT infrastructure including Microsoft solutions.
-
-### How much does Microsoft 365 Business cost?
-Microsoft 365 Business is offered at USD$20.00 user/month based on an _annual contract_ if purchased directly from Microsoft. When purchased through a Microsoft Partner, pricing can vary based on the services the partner provides and their pricing model for Microsoft 365 Business. There are no planned pricing discounts for government, education or non-profit organizations.
-
-### Is there a cap to how many Microsoft 365 Business seats a customer can have?
-Microsoft 365 Business was designed for small to medium sized businesses with low to medium IT complexity requirements. Customers may purchase up to 300 Microsoft 365 Business licenses for their organization. Customers can mix and match cloud subscriptions; as a result, depending on their organization’s IT requirements, customers may add Microsoft 365 Enterprise licenses to the same account.
-
-When considering an environment consisting of multiple subscription types, customers should work with their trusted IT advisors to determine how best to manage and secure the various subscriptions as Microsoft 365 Business and Microsoft 365 Enterprise use different capabilities to secure and manage applications and data.
-
-### Can I combine Microsoft 365 Business with other Microsoft subscription offerings?
-Yes, customers can combine their Microsoft 365 Business subscriptions with plans and add-ons from Azure, Dynamics 365, Enterprise Mobility + Security, and Office 365.
-
-### Is everyone in my business required to have a Microsoft 365 Business subscription?
-No, not everyone needs a Microsoft 365 Business subscription, although the security and management benefits are available only to those users with devices managed with a Microsoft 365 Business subscription.
-
-Standardizing an IT environment serves to help reduce maintenance and security costs over time and is a state that businesses should strive to attain. However, we recognize that some small and medium size customers update their software primarily when they upgrade their hardware, over an extended period. Businesses can deploy Microsoft 365 Business to part of their organization, but for best protection of sensitive business data and consistent collaboration experiences, deployment to all users is recommended.
-
-### How can I know if the hardware and software I run today is compatible with Microsoft 365 Business?
-If the hardware you run today runs Windows 7 Pro or later, it likely meets the minimum requirements for Microsoft 365 Business. Certain Windows 10 features such as Cortana, Windows Hello and multitouch require specific hardware that is only available on newer PCs. See the Windows 10 Pro system requirements for additional details.
-
-Existing desktop (Win32) application compatibility is strong in Windows 10, with most existing applications working without any changes. Customers and their trusted IT advisors should read the recommended application testing process for Windows 10 compatibility and review the Office system requirements to ensure a smooth transition to Microsoft 365 Business.
-
-### What is Windows 10 Business?
-Windows 10 Business is a set of cloud-services and device management capabilities that complement Windows 10 Pro and enable the centralized management and security controls of Microsoft 365 Business. Windows 10 Business also comes with Windows AutoPilot, a service that streamlines the deployment of new Windows 10 PCs. If you have devices that are licensed for Windows 7, 8 and 8.1 Professional, Microsoft 365 Business provides an upgrade to Windows 10 Pro which is the prerequisite for deploying Windows 10 Business.
-
-### How does Microsoft 365 Business help support our Bring Your Own Device (BYOD) policy?
-Many employees prefer to use their own mobile phones or tablets to access personal and work information rather than carrying multiple devices for each purpose. The use of personal devices for work, while commonplace, increases the risk that business information could end up in the wrong hands. Many competing mobile data protection solutions require users to switch to a specific mode on their device or use another complex mechanism that users may find intrusive and therefore avoid using.
-
-Microsoft 365 Business offers customers a simple but powerful means of enabling employees to use their personal devices for work while providing the business with the ability to prevent those devices from accessing, retaining and/or sharing business information. More specifically:
-* **App Protection for Office mobile apps** helps protect Office data, including email, calendar, contacts, and documents on iOS and Android mobile devices, by enforcing policies such as automatically deleting business data after a prescribed amount of time of not connecting to the service, requiring that information is stored only to OneDrive for Business, requiring a PIN/fingerprint verification to access Office apps, and preventing company data from being copied from an Office app into personal apps.
-* **Device Management for Windows 10 PCs** allows businesses to choose to set and enforce capabilities such as Windows Defender protection for malware, automatic updates, and turning off screens after a prescribed amount of time. In addition, lost or stolen Windows 10 devices can be completely wiped of business applications and data through the Admin center.
-
-### How does Microsoft 365 Business help protect PCs in my organization from malicious attacks?
-PCs managed with Microsoft 365 Business are protected with Windows Defender, which is the No. 1 antivirus feature on Windows 10, protecting more computers against viruses, malware, spyware, and other threats than any other solution. With Microsoft 365 Business, businesses can ensure Windows Defender protection is running and always up to date on all their Windows 10 devices
-
-### What's the difference between Office 365 Business Premium, Microsoft 365 Business and Microsoft 365 Enterprise?
-Microsoft has a variety of productivity and security management offerings that small to medium-sized customers may consider when upgrading their desktop and device infrastructure, each bringing increasingly powerful features and functionality.
-
-**Office 365 Business Premium** delivers best-in-class productivity with Office 365 apps and services but does not include the application protection and device management capabilities of Microsoft 365 Business.
-
-**Microsoft 365 Business** combines Office 365 apps and services with mobile application management and Windows 10 Pro to enable remote management and help protect devices against viruses and malware. It includes a simplified management console through which device and data policies may be administered. Many small to medium-sized businesses can be best served with Microsoft 365 Business, although those in highly regulated industries may require more advanced functionality provided by Microsoft 365 Enterprise plans (E3 and E5).
-
-**Microsoft 365 Enterprise** is a set of licensing plans that offer increased levels of mobility and security management over Microsoft 365 Business and are designed for enterprise customers and those customers that are required or regulated to provide the highest level of protection for their data. In addition, Microsoft 365 Business plans provide additional functionality including business intelligence and analytics tools.
-
-### Can I switch my Office 365 plan to Microsoft 365 Business?
-Yes, customers may switch their plans from a qualifying Office 365 plan to Microsoft 365 Business. Depending on the customer’s current plan there may be a decrease or increase in monthly charges.
-
-### In what regions is Microsoft 365 Business available?
-The Microsoft 365 Business will be available to all partners and customers where Office 365 is available. See the list of Office 365 international availability for languages, countries and regions.
-
-### Is there a Microsoft 365 Business trial I may use to evaluate the offer?
-A Microsoft 365 Business trial will be available later this year both for direct customers and for CSPs.
-
-### What should customers and partners know before running Microsoft 365 Business within their organization?
-Customers that wish to experience the complete capabilities of Microsoft 365 Business must be running Windows 7, 8.1 or 10 Pro[2](#footnote2) on their existing desktops. Customers who use on-premises Active Directory to enable login to PCs will switch devices over cloud identity and management as part of their deployment. Existing Windows 10 Pro PCs should be running Creators Update if they have not already done so.
-
-## Deployment
-
-### What should customers consider when planning a Microsoft 365 Business deployment?
-The most direct path to a successful Microsoft 365 Business deployment is to engage with a Microsoft Partner. They have extensive training and experience with a wide variety of customer scenarios and are best equipped to understand your environment and needs. Customers that have experienced IT on staff can use the Microsoft 365 Business Getting Started to assist them in their Microsoft 365 Business deployment.
-
-### Does Microsoft 365 Business include the full capabilities of Microsoft Intune?
-Microsoft 365 Business includes a robust set of mobile app management capabilities powered by Microsoft’s MDM solution (Microsoft Intune). These are a subset of features, specifically chosen to meet the needs of SMBs and organized to be easily managed via a simplified administration experience. If a company requires the full capabilities of Intune, they can purchase a qualifying plan separately.
-
-### Does Azure Active Directory P1 come with Microsoft 365 Business?
-Microsoft 365 Business is built on technology from across Microsoft and while it shares some features with Azure Active Directory, it is not a full version. The security and management policies created in Microsoft 365 Business rely on some Azure functionality but does not include all features (e.g. selfservice features, conditional access features, and reporting). Customers may choose to purchase Azure Active Directory Premium as an add-on to Microsoft 365 Business.
-
-### Does Microsoft 365 Business allow customers to manage Macs?
-The security and management capabilities of Microsoft 365 Business pertain to iOS and Android mobile and tablet devices, and Windows PCs.
-
-### What is Windows AutoPilot?
-Windows AutoPilot is a service that streamlines the deployment of new Windows 10 PCs. This process can be done when the end-user logs on to Microsoft 365 Business for the first time—without IT ever touching the device—by leveraging centralized management controls of Microsoft 365 Business. You can also use Windows AutoPilot for existing PCs that are running Windows 10 Professional Creators Update (or later) and have been factory reset. Details about Windows AutoPilot can be found in this June blog post.
-
-## Compatibility
-
-### Can I add Office 365 add-ons to Microsoft 365 Business?
-All the add-ons that can be added to Office 365 Business Premium can be added to Microsoft 365 Business. This means that you can purchase Advanced Threat Protection, Office 365 Cloud App Security, Advanced Compliance, Threat Intelligence, MyAnalytics, PowerBI Pro, and Audio Conferencing.
-
-### Can I add Phone System and Calling Plans to Microsoft 365 Business?
-No, Phone System and Calling Plan are reserved for customers who have more advanced needs. Customers who require these capabilities should look at Microsoft 365 Enterprise offerings.
-
-### Can Microsoft 365 Business customers use Windows Defender Advanced Threat Protection?
-No, customers that require Windows Defender Advanced Threat Protection need either Windows 10 Enterprise E5 or Microsoft 365 Enterprise E5.
-
-### Can I use Windows Information Protection with Microsoft 365 Business?
-Yes, Windows Information Protection (WIP) is a feature of Windows 10 Pro and helps businesses prevent accidental leaks by restricting user and app access to business files based on policies you define. Your business data is protected no matter where it lives on your devices—without affecting your user experience. Microsoft 365 Business includes controls to ensure Windows Information Protection is properly configured and automatically deployed to end-user devices.
-
-### Can customers use Microsoft 365 Business with on-premises Active Directory?
-To realize the full value of Windows 10, Windows 10 PCs need to be joined to Azure Active Directory. You may use Microsoft 365 Business with Windows 10 devices joined to on-premises Active Directory but it is not recommended because you won’t be able to enforce policies from the Microsoft 365 Business Admin console.
-
-### Can customers create hosted Windows 10 VMs with a Microsoft 365 Business subscription?
-No, customers that require virtualization should purchase Windows 10 Enterprise or a Microsoft 365 Enterprise subscription.
-
-## Partner opportunity
-
-### Where can I learn more about the opportunities and benefits in becoming a Microsoft Partner?
-IT service providers that are not already Microsoft partners can learn more about the Microsoft Cloud Solution Provider program at
-[https://partners.office.com/microsoft365business](https://partners.office.com/microsoft365business).
-
-### Where can I learn how to sell Microsoft 365 Business?
-Partners now selling Office 365 can use the same consultative selling methods to sell Microsoft 365 Business. In addition, we are introducing more resources and training for your sales team to understand the customers’ existing desktop environment, Active Directory reliance, mobility and security needs to effectively communicate the full value of Microsoft 365 Business in a way that is relevant to the customer. Find these resources on the Office Partner portal at [http://partners.office.com/microsoft365business](http://partners.office.com/microsoft365business).
-
-### How can Microsoft 365 Business help partners increase the profitability?
-Microsoft 365 Business will help partners reduce costs through greater operational efficiencies and enhance revenue through the sale of additional services. The Forrester Research, Microsoft 365 Business Total Economic Impact (TEI) Study, June 2017 (https://partners.office.com/TEIBusiness), demonstrates that Microsoft 365 Business will have positive impact on partner profitability.
-
-In the TEI study partners reported that with Microsoft 365 Business they expect:
-
-- 20%-point increase in \[one-time\] deployment and advisory services revenue
-- 10%-point increase in attach rate of managed services
-- 8%-point increase in consulting and \[ongoing\] managed services profit margins (from lower costs)
-
-### What resources are available to partners to sell, deploy and support Microsoft 365 Business?
-Microsoft provides a wide selection of resources for CSP partners to market, sell, and support Microsoft 365 Business. They can be found at
-[https://partners.office.com/microsoft365business](https://partners.office.com/microsoft365business).
-
-### What up-sell opportunities does Microsoft 365 Business give partners?
-Microsoft 365 Business allows partners to maintain their trusted advisor position with customers, by creating a solid and secure platform upon which to sell additional services and to upgrade existing products and services. Microsoft 365 Business provides an opportunity to have an upgrade discussion with customers now using Exchange Server, Exchange Online or Office 365 Business Essentials. Partners may also gain additional revenue from increased managed services and/or peruser support fees.
-
-With the new Windows AutoPilot feature included in Microsoft 365 Business, partners who have been reluctant to sell new Windows devices due to deployment logistics and costs will find this opportunity much more attractive. Customers who are confident in the security of their on-premise and mobile devices are also more likely to invest in additional services, such as Dynamics 365.
-
-### Should partners sell Microsoft 365 Business over other plans from Microsoft?
-A Microsoft Cloud Solution Provider should always sell the plan that best suits its customer business needs and budget. For example, if a customer must comply with privacy and security regulations, a CSP may sell Microsoft 365 Business plus any add-ons that help the customer meet its requirements or may suggest the advanced security and management provided by Microsoft 365 Business E SKUs.
-
-### Some of my customers have devices that are not genuine; will Microsoft 365 Business make these devices genuine?
-Microsoft 365 Business does not make an otherwise non-genuine version of Windows, genuine. Microsoft 365 Business does provide an upgrade benefit allowing those customers running genuine Windows 7, 8 or 8.1 Pro to upgrade to the most recent, genuine version of Windows 10 Pro.
-
-### What support is available to CSP partners for the Microsoft 365 Business Preview?
-The same support channels available to CSP partners today (premier support and advanced support program) have been trained on Microsoft 365 Business and are ready to provide partners with support.
-
-### What is the GDPR and how does Microsoft 365 Business help customers with their compliance obligations?
-The General Data Protection Regulation (GDPR) is a comprehensive new privacy law that gives residents of the European Union (EU) greater control over their “personal data” and requires organizations to maintain the integrity of that personal data. The GDPR requires organizations that control, or process personal data tied to EU residents to only use third-party data processors that meet the GDPR’s requirements for personal data processing. In March 2017, Microsoft made available contractual guarantees that provide these assurances. Customers that have questions about how Microsoft can help them meet their additional GDPR obligations should learn about the advanced compliance and security capabilities available as add-ons (e.g. Azure Information Protection) and in other Suites (e.g. Microsoft 365 Enterprise E5). To learn more, visit [www.microsoft.com/gdpr](https://www.microsoft.com/gdpr).
-
-
-
-
-## Footnotes
-**1** Available in US, UK, and Canada.
-**2** Devices running Windows 7 or 8.1 Pro are eligible for an upgrade to Windows 10 Pro within the Microsoft 365 Business preview.
-
-
-
-
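Review bot: Deleting microsoft-365-business-faqs.md outright (`@@ -1,186 +0,0 @@`) removes the only text in this diff that states what the plan does not include on the security side, namely the answers saying Windows Defender Advanced Threat Protection needs an E5 plan and that conditional access features are not part of the Azure AD functionality. Nothing visible here adds a redirect or names a replacement topic, so confirm where that guidance now lives and that inbound links to this file and its `#footnote1` / `#footnote2` anchors are handled. If the text is being moved rather than retired, two fixes are worth making on the way: the **Microsoft 365 Enterprise** paragraph ends with "Microsoft 365 Business plans provide additional functionality", which reads as if it should say Enterprise, and the Windows Defender answer is missing its final period.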
diff --git a/bcs/support/transition-csp-subscription.md b/bcs/support/transition-csp-subscription.md
deleted file mode 100644
index 7c15aa33b6..0000000000
--- a/bcs/support/transition-csp-subscription.md
+++ /dev/null
@@ -1,103 +0,0 @@
----
-title: Transition a Microsoft 365 Business CSP subscription
-description: Find out how you can transition a Microsoft 365 Business CSP subscription from preview to GA.
-author: CelesteDG
-ms.author: celested
-ms.topic: article
-ms.prod: microsoft-365-business
-ms.localizationpriority: high
-audience: microsoft-business
-keywords: Microsoft 365 Business, Microsoft 365, SMB, transition CSP subscription
-ms.date: 11/01/2017
----
-
-# Transition a Microsoft 365 Business CSP subscription
-
-If you have a Microsoft 365 Business Preview CSP subscription, follow this guide to find out how you can transition your existing preview subscription to Microsoft 365 Business GA (general availability).
-
-**How to transition a preview subscription to GA**
-
-1. Log in to Partner Center.
-2. From the dashboard, select **Customers**, and then find and select the company name.
-
- The subscriptions for the company will be listed.
-
- 
-
-3. In the company's **Subscriptions** page, select **Add subscription**.
-4. In the **New subscription** page, select **Small business** and then select **Microsoft 365 Business** from the list.
-5. Add the number of licenses and then select **Next: Review** to review the subscription and then select **Submit**.
-
- 
-
- The **License-based subscriptions** will show **Microsoft 365 Business Preview** and **Microsoft 365 Business**. You'll need to suspend the Preview subscription next.
-
-6. Select **Microsoft 365 Business Preview**.
-7. In the **Microsoft 365 Business Preview** page, select **Suspended** to suspend the Preview subscription.
-
- 
-
-8. Select **Submit** to confirm.
-
- In the **Subscriptions** page, confirm that the **Microsoft 365 Business Preview** status shows **Suspended**.
-
- 
-
-9. Optionally, you can also validate the license agreement. To do this, follow these steps:
- 1. Select **Users and licenses** from the company's **Subscriptions** page.
- 2. From the **Users and licenses** page, select a user.
- 3. In the user's page, check the **Assign licenses** section and confirm that it shows **Microsoft 365 Business**.
-
- 
-
-## Impact to customers and users during and after transition
-
-There is no impact to customers and users during transition and post transition.
-
-## Impact to customers who don't transition
-
-The following table summarizes the impact to customers who don't transition from a Microsoft 365 Business Preview subscription to a Microsoft 365 Business subscription.
-
-| | T-0 to T+30 | T+30 to T+60 | T+60 to T+120 | Beyond T+120 |
-|-------|-----------------|--------------|---------------|---------------|
-| **State** | In grace period | Expired | Disabled | Deprovisioned |
-| **Service impacts** |
-| **Microsoft 365 Business admin portal** | No impact to functionality | No impact to functionality | Can add/delete users, purchase subscriptions. Cannot assign/revoke licenses. | Customer's subscription and all data is deleted. Admin can manage other paid subscriptions. |
-| **Office apps** | No end user impact | No end user impact | Office enters reduced functionality mode. Users can view files only. | Office enters reduced functionality mode. Users can view files only. |
-| **Cloud services (SharePoint Online, Exchange Online, Skype, Teams, and more)** | No end user impact | No end user impact | End users and admins have no access to data in the cloud. | Customer's subscription and all data are deleted. |
-| **EM+S components** | No admin impact No end user impact | No admin impact No end user impact | Capability will cease to be enforced. See [Mobile device impacts upon subscription expiration](#mobile-device-impacts-upon-subscription-expiration) and [Windows 10 PC impacts upon subscription expiration](#windows-10-pc-impacts-upon-subscription-expiration) for more info. | Capability will cease to be enforced. See [Mobile device impacts upon subscription expiration](#mobile-device-impacts-upon-subscription-expiration) and [Windows 10 PC impacts upon subscription expiration](#windows-10-pc-impacts-upon-subscription-expiration) for more info. |
-| **Windows 10 Business** | No admin impact No end user impact | No admin impact No end user impact | Capability will cease to be enforced. See [Mobile device impacts upon subscription expiration](#mobile-device-impacts-upon-subscription-expiration) and [Windows 10 PC impacts upon subscription expiration](#windows-10-pc-impacts-upon-subscription-expiration) for more info. | Capability will cease to be enforced. See [Mobile device impacts upon subscription expiration](#mobile-device-impacts-upon-subscription-expiration) and [Windows 10 PC impacts upon subscription expiration](#windows-10-pc-impacts-upon-subscription-expiration) for more info. |
-| **Azure AD login to a Windows 10 PC** | No admin impact No end user impact | No admin impact No end user impact | No admin impact No end user impact | Once the tenant is deleted, a user can log in with local credentials only. Re-image the device if there are no local credentials. |
-
-## Mobile device impacts upon subscription expiration
-
-The followint table summarizes the impact to the app management policies on mobile devices.
-
-| | Fully licensed experience | T+60 days post expiration |
-|----------------------------|------------------------------------------------|------------------------------------|
-| **Delete work files from an inactive device** | Work files are removed after selected days | Work files remain on the user's personal devices |
-| **Force users to save all work files to OneDrive for Business** | Work files can only be saved to OneDrive for Business | Work files can be saved anywhere |
-| **Encrypt work files** | Work files are encrypted | Work files are no longer encrypted. Security policies are removed and Office data on apps is removed. |
-| **Require PIN or fingerprint to access Office apps** | Restricted access to apps | No app-level access restriction |
-| **Reset PIN when login fails** | Restricted access to apps | No app-level access restriction |
-| **Require users to sign in again after Office apps have been idle** | Sign-in required | No sign-in required to access apps |
-| **Deny access to work files on jailbroken or rooted devices** | Work files cannot be accessed on jailbroken/rooted devices | Work files can be accessed on jailbroken/rooted devices |
-| **Allow users to copy content from Office apps to Personal apps** | Copy/paste restricted to apps available as part of Microsoft 365 Business subscription | Copy/paste available to all apps |
-
-## Windows 10 PC impacts upon subscription expiration
-
-The following table summarizes the impact to the Windows 10 device configuration policies.
-
-| | Fully licensed experience | T+60 days post expiration |
-|----------------------------|------------------------------------------------|------------------------------------|
-| **Help protect PCs from threats using Windows Defender** | Turn on/off is outside of user control | User may turn on/off Windows Defender on the Windows 10 PC |
-| **Help protect PCs from web-based threats in Microsoft Edge** | PC protection in Microsoft Edge | User may turn on/off PC protection in Microsoft Edge |
-| **Turn off device screen when idle** | Admin defines screen timeout interval policy | Screen timeout can be configured by end user |
-| **Allow users to download apps from Microsoft Store** | Admin defines if a user can download apps from Microsoft Store | User can download apps from Microsoft Store anytime |
-| **Allow users to access Cortana** | Admin defines policy on user access to Cortana | User devices to turn on/off Cortana |
-| **Allow users to receive tips and advertisements from Microsoft** | Admin defines policy on user receive tips and advertisements from Microsoft | User may turn on/off tips and advertisements from Microsoft |
-| **Allow users to copy content from Office apps into personal apps** | Admin defines policy to keep Windows 10 devices up-to-date | Users can decide when to update Windows |
-
-
-
-
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index 6b4a3479c5..20d0866be8 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -8,13 +8,19 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.localizationpriority: medium
-ms.date: 12/20/2017
+ms.date: 02/02/2018
---
# Change history for Microsoft HoloLens documentation
This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
+## February 2018
+
+New or changed topic | Description
+--- | ---
+[Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | Replaced the instructions for upgrading to Windows Holographic for Business using Microsoft Intune with a link to the new Intune topic.
+
## December 2017
New or changed topic | Description
diff --git a/devices/hololens/hololens-upgrade-enterprise.md b/devices/hololens/hololens-upgrade-enterprise.md
index d85bb461aa..1e4fbc3f9e 100644
--- a/devices/hololens/hololens-upgrade-enterprise.md
+++ b/devices/hololens/hololens-upgrade-enterprise.md
@@ -7,7 +7,7 @@ ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 02/02/2018
---
# Unlock Windows Holographic for Business features
@@ -25,50 +25,12 @@ When you purchase the Commercial Suite, you receive a license that upgrades Wind
The enterprise license can be applied by any MDM provider that supports the [WindowsLicensing configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904983.aspx). The latest version of the Microsoft MDM API will support WindowsLicensing CSP.
+For step-by-step instructions for upgrading HoloLens using Microsoft Intune, see [Upgrade devices running Windows Holographic to Windows Holographic for Business](https://docs.microsoft.com/intune/holographic-upgrade).
-**Overview**
-
-1. Set up the edition upgrade policy.
-2. Deploy the policy.
-3. [Enroll the device through the Settings app](hololens-enroll-mdm.md).
-
-The procedures in this topic use Microsoft Intune as an example. On other MDM providers, the specific steps for setting up and deploying the policy might vary.
-
-### Set up the Edition Upgrade policy
-
-1. Sign into the Intune Dashboard with your Intune admin account.
-
-2. In the **Policy** workspace, select **Configuration Policies** and then **Add**.
-
- 
-
-3. In **Create a new policy**, select the **Edition Upgrade Policy (Windows 10 Holographic and later** template, and click **Create Policy**.
-
- 
-
-4. Enter a name for the policy.
-
-5. In the **Edition Upgrade** section, in **License File**, browse to and select the XML license file that was provided when you purchased the Commercial Suite.
-
- 
-
-5. Click **Save Policy**.
+ On other MDM providers, the specific steps for setting up and deploying the policy might vary.
-### Deploy the Edition Upgrade policy
-
-Next, you will assign the Edition Upgrade policy to selected groups.
-
-1. In the **Policy** workspace, select the Edition upgrade policy that you created, and then choose **Manage Deployment**.
-
-2. In the **Manage Deployment** dialog box, select one or more groups to which you want to deploy the policy, and then choose **Add** > **OK**.
-
-When these users enroll their devices in MDM, the Edition Upgrade policy will be applied.
-
-
-For more information about groups, see [Use groups to manage users and devices in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune).
-
## Edition upgrade using a provisioning package
Provisioning packages are files created by the Windows Configuration Designer tool that apply a specified configuration to a device.
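Review bot: The added line ` On other MDM providers, the specific steps for setting up and deploying the policy might vary.` starts with a stray leading space and refers to "the policy" even though this hunk removes every step that introduced the Edition Upgrade policy. Suggest dropping the leading space and rewording the sentence to name the edition upgrade policy (or folding it into the new Intune link sentence above it), so a reader who only sees the WindowsLicensing CSP paragraph knows what is being deployed.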
diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index 69c603b84d..beb434c374 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -31,6 +31,7 @@
#### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md)
#### [Wireless network management](wireless-network-management-for-surface-hub.md)
### [Install apps on your Surface Hub](install-apps-on-surface-hub.md)
+### [Configure Surface Hub Start menu](surface-hub-start-menu.md)
### [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md)
### [End a Surface Hub meeting with End session](i-am-done-finishing-your-surface-hub-meeting.md)
### [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md)
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md
index 60946feede..595a61e131 100644
--- a/devices/surface-hub/change-history-surface-hub.md
+++ b/devices/surface-hub/change-history-surface-hub.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
-ms.date: 01/10/2018
+ms.date: 01/17/2018
ms.localizationpriority: medium
---
@@ -20,6 +20,7 @@ This topic lists new and updated topics in the [Surface Hub Admin Guide]( surfac
New or changed topic | Description
--- | ---
+[Configure Surface Hub Start menu](surface-hub-start-menu.md) | New
[PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) | Added prerequisites for running the scripts
## November 2017
diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
index 01157f507c..61120d6a25 100644
--- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
+++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
@@ -164,8 +164,8 @@ Users can sign in to Microsoft Edge to access intranet sites and online resource
*Organization policies that this may affect:*
-->
-### Telemetry
+### Diagnostic data
-The Surface Hub OS uses the Windows 10 Connected User Experience and Telemetry component to gather and transmit telemetry data. For more information, see [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization).
+The Surface Hub OS uses the Windows 10 Connected User Experience and Telemetry component to gather and transmit diagnostic data. For more information, see [Configure Windows diagnostic data in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-diagnostic-data-in-your-organization).
-*Organization policies that this may affect:* Configure telemetry levels for Surface Hub in the same way as you do for Windows 10 Enterprise.
+*Organization policies that this may affect:* Configure diagnostic data levels for Surface Hub in the same way as you do for Windows 10 Enterprise.
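Review bot: Renaming `### Telemetry` to `### Diagnostic data` changes the anchor generated for this heading, and the link target changes at the same time to `configure-windows-diagnostic-data-in-your-organization`. Please confirm the new technet URL resolves (or that the old one redirects to it) and check for inbound links that still point at the old heading anchor before merging.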
diff --git a/devices/surface-hub/images/whats-new-video-thumbnail.PNG b/devices/surface-hub/images/whats-new-video-thumbnail.PNG
new file mode 100644
index 0000000000..44cbffcbb3
Binary files /dev/null and b/devices/surface-hub/images/whats-new-video-thumbnail.PNG differ
diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md
index 8449690b59..b0737d1f6b 100644
--- a/devices/surface-hub/install-apps-on-surface-hub.md
+++ b/devices/surface-hub/install-apps-on-surface-hub.md
@@ -164,6 +164,10 @@ There are a few different ways to install apps on your Surface Hub depending on
| Microsoft Store app | | X | |
| Supported MDM provider | | | X |
+## More information
+
+- [Blog post: Deploy Windows Store apps to Surface Hub using Intune](https://blogs.technet.microsoft.com/y0av/2018/01/18/7-2/)
+
## Related topics
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
index de55967ca5..23eb0e418f 100644
--- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
+++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: surfacehub, mobility
author: jdeckerms
ms.author: jdecker
-ms.date: 11/29/2017
+ms.date: 01/17/2018
ms.localizationpriority: medium
---
@@ -185,7 +185,12 @@ The following tables include info on Windows 10 settings that have been validate
| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
+#### Configure Start menu
+| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML*? |
+| --- | ---- | --- |---- | --- | --- |
+| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
+\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
### Generate OMA URIs for settings
You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in System Center Configuration Manager.
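Review bot: The added `#### Configure Start menu` block has no blank line between the heading and the table, and none between the last table row and the `\*Settings supported with SyncML ...` footnote, so the footnote is likely to be rendered as an extra table row. Suggest adding a blank line after the heading and before the footnote. The footnote text is also a verbatim repeat of the one directly above the new heading; consider keeping a single copy after the last table. Minor: the Details cell is missing a period after the `[Configure Surface Hub Start menu](surface-hub-start-menu.md)` link.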
diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md
index b0a1d8662e..612bdeb704 100644
--- a/devices/surface-hub/manage-surface-hub.md
+++ b/devices/surface-hub/manage-surface-hub.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
-ms.date: 11/15/2017
+ms.date: 01/17/2018
ms.localizationpriority: medium
---
@@ -32,6 +32,7 @@ Learn about managing and updating Surface Hub.
| [Remote Surface Hub management](remote-surface-hub-management.md) |Topics related to managing your Surface Hub remotely. Include install apps, managing settings with MDM and monitoring with Operations Management Suite. |
| [Manage Surface Hub settings](manage-surface-hub-settings.md) |Topics related to managing Surface Hub settings: accessibility, device account, device reset, fully qualified domain name, Windows Update settings, and wireless network |
| [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Microsoft Store or the Microsoft Store for Business.|
+[Configure Surface Hub Start menu](surface-hub-start-menu.md) | Use MDM to customize the Start menu for Surface Hub.
| [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) | Microsoft Whiteboard’s latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. |
| [End a meeting with End session](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting.|
| [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) | You can sign in to a Surface Hub without a password using the Microsoft Authenticator app, available on Android and iOS. |
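Review bot: The added row `[Configure Surface Hub Start menu](surface-hub-start-menu.md) | Use MDM to customize the Start menu for Surface Hub.` omits the leading and trailing `|` that every neighbouring row in this table uses. Please write it as `| [Configure Surface Hub Start menu](surface-hub-start-menu.md) | Use MDM to customize the Start menu for Surface Hub. |` so the table stays consistent.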
diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md
index d8ddba730e..7fe0d6aeff 100644
--- a/devices/surface-hub/monitor-surface-hub.md
+++ b/devices/surface-hub/monitor-surface-hub.md
@@ -86,7 +86,7 @@ This table describes the sample queries in the Surface Hub solution:
| Alert type | Impact | Recommended remediation | Details |
| ---------- | ------ | ----------------------- | ------- |
-| Software | Error | **Reboot the device**. Reboot manually, or using the [Reboot configuration service provider](https://msdn.microsoft.com/en-us/library/windows/hardware/mt720802(v=vs.85).aspx). Suggest doing this between meetings to minimize impact to your people in your organization. | Trigger conditions: - A critical process in the Surface Hub operating system, such as the shell, projection, or Skype, crashes or becomes non-responsive. - The device hasn't reported a heartbeat in the past 24 hours. This may be due to network connectivity issue or network-related hardware failure, or an error with the telemetry reporting system. |
+| Software | Error | **Reboot the device**. Reboot manually, or using the [Reboot configuration service provider](https://msdn.microsoft.com/en-us/library/windows/hardware/mt720802(v=vs.85).aspx). Suggest doing this between meetings to minimize impact to your people in your organization. | Trigger conditions: - A critical process in the Surface Hub operating system, such as the shell, projection, or Skype, crashes or becomes non-responsive. - The device hasn't reported a heartbeat in the past 24 hours. This may be due to network connectivity issue or network-related hardware failure, or an error with the diagnostic data reporting system. |
| Software | Error | **Check your Exchange service**. Verify: - The service is available. - The device account password is up to date – see [Password management](password-management-for-surface-hub-device-accounts.md) for details.| Triggers when there's an error syncing the device calendar with Exchange. |
| Software | Error | **Check your Skype for Business service**. Verify: - The service is available. - The device account password is up to date – see [Password management](password-management-for-surface-hub-device-accounts.md) for details. - The domain name for Skype for Business is properly configured - see [Configure a domain name](use-fully-qualified-domain-name-surface-hub.md). | Triggers when Skype fails to sign in. |
| Software | Error | **Reset the device**. This takes some time, so you should take the device offline. For more information, see [Device reset](device-reset-surface-hub.md).| Triggers when there is an error cleaning up user and app data at the end of a session. When this operation repeatedly fails, the device is locked to protect user data. You must reset the device to continue. |
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
index d649dc5dda..077e16a6a5 100644
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -40,9 +40,9 @@ Depending on your environment, access to additional ports may be needed:
- For online environments, see [Office 365 IP URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
- For on-premises installations, see [Skype for Business Server: Ports and protocols for internal servers](https://technet.microsoft.com/library/gg398833.aspx).
-Microsoft collects telemetry to help improve your Surface Hub experience. Add these sites to your allow list:
-- Telemetry client endpoint: `https://vortex.data.microsoft.com/`
-- Telemetry settings endpoint: `https://settings.data.microsoft.com/`
+Microsoft collects diagnostic data to help improve your Surface Hub experience. Add these sites to your allow list:
+- Diagnostic data client endpoint: `https://vortex.data.microsoft.com/`
+- Diagnostic data settings endpoint: `https://settings.data.microsoft.com/`
### Proxy configuration
diff --git a/devices/surface-hub/surface-hub-start-menu.md b/devices/surface-hub/surface-hub-start-menu.md
new file mode 100644
index 0000000000..0f3defa248
--- /dev/null
+++ b/devices/surface-hub/surface-hub-start-menu.md
@@ -0,0 +1,179 @@
+---
+title: Configure Surface Hub Start menu
+description: Use MDM to customize the Start menu on Surface Hub.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: jdeckerms
+ms.author: jdecker
+ms.date: 01/17/2018
+ms.localizationpriority: medium
+---
+
+# Configure Surface Hub Start menu
+
+The [January 17, 2018 update to Windows 10](https://support.microsoft.com/help/4057144) (build 15063.877) enables customized Start menus on Surface Hub devices. You apply the customized Start menu layout using mobile device management (MDM).
+
+When you apply a customized Start menu layout to Surface Hub, users cannot pin, unpin, or uninstall apps from Start.
+
+## How to apply a customized Start menu to Surface Hub
+
+The customized Start menu is defined in a Start layout XML file. You have two options for creating your Start layout XML file:
+
+- Edit the [default Surface Hub Start XML](#default)
+
+ -or-
+
+- Configure the desired Start menu on a desktop (pinning only apps that are available on Surface Hub), and then [export the layout](https://docs.microsoft.com/windows/configuration/customize-and-export-start-layout#export-the-start-layout).
+
+>[!TIP]
+>To add a tile with a web link to your desktop start menu, go the the link in Microsoft Edge, select `...` in the top right corner, and select **Pin this page to Start**. See [a Start layout that includes a Microsoft Edge link](#edge) for an example of how links will appear in the XML.
+
+To edit the default XML or the exported layout, familiarize yourself with the [Start layout XML](https://docs.microsoft.com/en-us/windows/configuration/start-layout-xml-desktop). There are a few [differences between Start layout on a deskop and a Surface Hub.](#differences)
+
+When you have your Start menu defined in a Start layout XML, [create an MDM policy to apply the layout.](https://docs.microsoft.com/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management#a-href-idbkmk-domaingpodeploymentacreate-a-policy-for-your-customized-start-layout)
+
+
+## Differences between Surface Hub and desktop Start menu
+
+There are a few key differences between Start menu customization for Surface Hub and a Windows 10 desktop:
+
+- You cannot use **DesktopApplicationTile** (https://docs.microsoft.com/en-us/windows/configuration/start-layout-xml-desktop#startdesktopapplicationtile) in your Start layout XML because Windows desktop applications (Win32) are not supported on Surface Hub.
+- You cannot use the Start layout XML to configure the taskbar or the Welcome screen for Surface Hub.
+- Surface Hub supports a maximum of 6 columns (6 1x1 tiles), however, you **must** define `GroupCellWidth=8` even though Surface Hub will only display tiles in columns 0-5, not columns 6 and 7.
+- Surface Hub supports a maximum 6 rows (6 1x1 tiles)
+- `SecondaryTile`, which is used for links, will open the link in Microsoft Edge.
+
+
+
+## Example: Default Surface Hub Start layout
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+
+## Example: Start layout that includes a Microsoft Edge link
+
+This example shows a link to a website and a link to a .pdf file.
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
\ No newline at end of file
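Review bot: Two typos in the new topic should be fixed before publishing: "go the the link" in the TIP and "deskop" in the sentence that links to the differences section. In the differences list, `**DesktopApplicationTile** (https://docs.microsoft.com/...)` is bold text followed by a bare URL in parentheses rather than a Markdown link; suggest `[DesktopApplicationTile](...)`. The row bullet "Surface Hub supports a maximum 6 rows (6 1x1 tiles)" is missing "of" and a closing period, unlike the column bullet above it. The file also ends without a trailing newline.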
diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md
index bc149a2338..59ced8ff5d 100644
--- a/devices/surface-hub/surfacehub-whats-new-1703.md
+++ b/devices/surface-hub/surfacehub-whats-new-1703.md
@@ -7,7 +7,7 @@ ms.pagetype: devices
ms.sitesec: library
author: jdeckerms
ms.author: jdecker
-ms.date: 07/27/2017
+ms.date: 01/18/2018
ms.localizationpriority: medium
---
@@ -15,11 +15,9 @@ ms.localizationpriority: medium
Watch Surface Hub engineer Jordan Marchese present updates to Microsoft Surface Hub with Windows 10, version 1703 (Creators Update).
-
+
-Windows 10, version 1703 (also called the Creators Update), introduces the following changes for Microsoft Surface Hub:
+Windows 10, version 1703 (also called the Creators Update), introduces the following changes for Microsoft Surface Hub.
## New settings
@@ -40,7 +38,7 @@ Settings have been added to mobile device management (MDM) and configuration ser
Plus settings based on the new [NetworkQoSPolicy CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) and [NetworkProxy CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/networkproxy-csp).
-## Provizioning wizard
+## Provisioning wizard
An easy-to-use wizard helps you quickly create provisioning packages that you can apply to multiple Surface Hub devices, and includes bulk join to Azure Active Directory. [Learn how to create a provisioning package for Surface Hub.](provisioning-packages-for-certificates-surface-hub.md)
diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md
index 71a5e73675..9b2ef8764a 100644
--- a/devices/surface-hub/troubleshoot-surface-hub.md
+++ b/devices/surface-hub/troubleshoot-surface-hub.md
@@ -524,7 +524,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
0x85002004
E_FAIL_ABORT
-
This error is used to interrupt the hanging sync, and will not be exposed to users. It will be shown in the telemetry if you force an interactive sync, delete the account, or update its settings.
+
This error is used to interrupt the hanging sync, and will not be exposed to users. It will be shown in the diagnostic data if you force an interactive sync, delete the account, or update its settings.
Nothing.
@@ -602,7 +602,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
## Related content
-- [Troubleshooting Miracast connection to the Surface Hub](https://blogs.msdn.microsoft.com/surfacehub/2017/01/30/troubleshooting-miracast-connection-to-the-surface-hub/)
+- [Troubleshooting Miracast connection to the Surface Hub](https://docs.microsoft.com/surface-hub/miracast-troubleshooting)
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index 5dd7130ea6..778c88fa47 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -1,5 +1,6 @@
# [Surface](index.md)
## [Deploy Surface devices](deploy.md)
+### [Windows AutoPilot and Surface devices](windows-autopilot-and-surface-devices.md)
### [Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsc.md)
#### [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md)
### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index a18646b616..d115d86ecf 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
-ms.date: 11/03/2017
+ms.date: 01/29/2018
---
# Change history for Surface documentation
@@ -16,6 +16,7 @@ This topic lists new and updated topics in the Surface documentation library.
|New or changed topic | Description |
| --- | --- |
+|[Windows AutoPilot and Surface devices](windows-autopilot-and-surface-devices.md) | New article |
|[Microsoft Surface Data Eraser](microsoft-surface-data-eraser.md) | Added version 3.2.45 information |
|[Surface device compatibility with Windows 10 Long-Term Servicing Channel (LTSC)](surface-device-compatibility-with-windows-10-ltsc.md) | Updated Current Branch (CB) or Current Branch for Business (CBB) servicing options with Semi-Annual Channel (SAC) information |
|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | Added Surface Book 2, Surface Laptop, Surface Pro, Surface Pro with LTE Advanced, and Surface Pro information |
diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md
index d76f67bec8..a52eef5395 100644
--- a/devices/surface/deploy.md
+++ b/devices/surface/deploy.md
@@ -5,8 +5,9 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
-author: heatherpoulsen
-ms.date: 04/11/2017
+author: brecords
+ms.date: 01/29/2018
+ms.author: jdecker
---
# Deploy Surface devices
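Review bot: After this change the metadata reads `author: brecords` with `ms.author: jdecker`, while the other files touched in this commit pair `author: jdeckerms` with `ms.author: jdecker`. Please confirm the two fields are meant to name different people here; if `ms.author` should follow the new author, update it in this file and in the new `windows-autopilot-and-surface-devices.md`, which carries the same pair.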
@@ -17,7 +18,8 @@ Get deployment guidance for your Surface devices including information about MDT
| Topic | Description |
| --- | --- |
-| [Surface device compatibility with Windows 10 Long-Term Servicing Channel](surface-device-compatibility-with-windows-10-ltsc.md) | Find out about compatibility and limitations of Surface devices running Windows 10 Enterprise LTSB edition. |
+| [Windows AutoPilot and Surface devices](windows-autopilot-and-surface-devices.md) | Find out how to remotely deploy and configure devices with Windows AutoPilot. |
+| [Surface device compatibility with Windows 10 Long-Term Servicing Channel](surface-device-compatibility-with-windows-10-ltsc.md) | Find out about compatibility and limitations of Surface devices running Windows 10 Enterprise LTSC edition. |
| [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) | Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.|
| [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)| Find out how to perform a Windows 10 upgrade deployment to your Surface devices. |
| [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)| Walk through the process of customizing the Surface out-of-box experience for end users in your organization.|
diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md
new file mode 100644
index 0000000000..d4599d8ffd
--- /dev/null
+++ b/devices/surface/windows-autopilot-and-surface-devices.md
@@ -0,0 +1,51 @@
+---
+title: Windows AutoPilot and Surface Devices (Surface)
+description: Find out about Windows AutoPilot deployment options for Surface devices.
+keywords: autopilot, windows 10, surface, deployment
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: surface, devices
+ms.sitesec: library
+author: brecords
+ms.date: 01/31/2018
+ms.author: jdecker
+---
+
+# Windows AutoPilot and Surface devices
+
+Windows AutoPilot is a cloud-based deployment technology available in Windows 10. Using Windows AutoPilot, you can remotely deploy and configure devices in a truly zero-touch process right out of the box. Windows AutoPilot registered devices are identified over the internet at first boot using a unique device signature, known as the hardware hash, and automatically enrolled and configured using modern management solutions such as Azure Active Directory (AAD) and Mobile Device Management (MDM).
+
+With Surface devices, you can choose to register your devices at the time of purchase when purchasing from a Surface partner enabled for Windows AutoPilot. New devices can be shipped directly to your end-users and will be automatically enrolled and configured when the units are unboxed and turned on for the first time. This process can eliminate need to reimage your devices as part of your deployment process, reducing the work required of your deployment staff and opening up new, agile methods for device management and distribution.
+
+In this article learn how to enroll your Surface devices in Windows AutoPilot with a Surface partner and the options and considerations you will need to know along the way. This article focuses specifically on Surface devices, for more information about using Windows AutoPilot with other devices, or to read more about Windows AutoPilot and its capabilities, see [Overview of Windows AutoPilot](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot) in the Windows Docs Library.
+
+## Prerequisites
+Enrollment of Surface devices in Windows AutoPilot with a Surface partner enabled for Windows AutoPilot has the following licensing requirements for each enrolled Surface device:
+* **Azure Active Directory Premium** – Required to enroll your devices in your organization and to automatically enroll devices in your organization’s mobile management solution.
+* **Mobile Device Management (such as Microsoft Intune)** – Required to remotely deploy applications, configure, and manage your enrolled devices.
+* **Office 365 ProPlus** – Required to deploy Microsoft Office to your enrolled devices.
+
+These requirements are also met by the following solutions:
+* Microsoft 365 E3 or E5 (includes Azure Active Directory Premium, Microsoft Intune, and Office 365 ProPlus)
+
+Or
+* Enterprise Mobility + Security E3 or E5 (includes Azure Active Directory Premium and Microsoft Intune)
+* Office 365 ProPlus, E3, or E5 (includes Office 365 ProPlus)
+
+>[!NOTE]
+>Deployment of devices using Windows AutoPilot to complete the Out-of-Box Experience (OOBE) is supported without these prerequisites, however will yield deployed devices without applications, configuration, or enrollment in a management solution and is highly discouraged.
+
+### Windows version considerations
+Support for broad deployments of Surface devices using Windows AutoPilot, including enrollment performed by Surface partners at the time of purchase, requires devices manufactured with or otherwise installed with Windows 10 Version 1709 (Fall Creators Update). Windows 10 Version 1709 uses a secure 4096-bit (4k) hash value to uniquely identify devices for Windows AutoPilot that is necessary for deployments at scale.
+
+### Surface device support
+Surface devices with support for out-of-box deployment with Windows AutoPilot, enrolled during the purchase process with a Surface partner, include the following devices, where the devices ship from the factory with Windows 10 Version 1709:
+* Surface Pro (Model 1796)
+* Surface Book 2
+* Surface Laptop
+* Surface Studio
+
+## Surface partners enabled for Windows AutoPilot
+Enrolling Surface devices in Windows AutoPilot at the time of purchase is a capability provided by select Surface partners that are enabled with the capability to identify individual Surface devices during the purchase process and perform enrollment on an organization’s behalf. Devices enrolled by a Surface partner at time of purchase can be shipped directly to users and configured entirely through the zero-touch process of Windows AutoPilot, Azure Active Directory, and Mobile Device Management.
+
+You can find a list of Surface partners enabled for Windows AutoPilot at the [Windows AutoPilot for Surface portal](https://www.microsoft.com/en-us/itpro/surface/windows-autopilot-for-surface).
\ No newline at end of file
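Review bot: In the Prerequisites section the alternatives under "These requirements are also met by the following solutions:" are ambiguous: after "Or", the two bullets (Enterprise Mobility + Security and Office 365 ProPlus, E3, or E5) read as separate options, although only both together cover all three listed requirements. Suggest stating that the second option is the combination of the two. The NOTE that follows says deployment without the prerequisites "is supported ... however ... is highly discouraged" in one run-on sentence; since the consequence is a device with no enrollment in a management solution, consider splitting it so the outcome is stated on its own. Also, `ms.date: 01/31/2018` differs from the 01/29/2018 used in the change history and deploy.md entries for this article, the opening of the third paragraph ("In this article learn how to ...") needs a comma and has a comma splice after "Surface devices", and the file ends without a trailing newline.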
diff --git a/education/get-started/images/03bfe22a-469b-4b73-ab8d-af5aaac8ff89.png b/education/get-started/images/03bfe22a-469b-4b73-ab8d-af5aaac8ff89.png
new file mode 100644
index 0000000000..82aeef7c40
Binary files /dev/null and b/education/get-started/images/03bfe22a-469b-4b73-ab8d-af5aaac8ff89.png differ
diff --git a/education/get-started/images/how-to-deploy-SDS-using-CSV-files-2a.PNG b/education/get-started/images/how-to-deploy-SDS-using-CSV-files-2a.PNG
new file mode 100644
index 0000000000..1dcae48622
Binary files /dev/null and b/education/get-started/images/how-to-deploy-SDS-using-CSV-files-2a.PNG differ
diff --git a/education/get-started/images/how-to-deploy-SDS-using-CSV-files-3.PNG b/education/get-started/images/how-to-deploy-SDS-using-CSV-files-3.PNG
new file mode 100644
index 0000000000..b366d25c4e
Binary files /dev/null and b/education/get-started/images/how-to-deploy-SDS-using-CSV-files-3.PNG differ
diff --git a/education/get-started/images/how-to-deploy-SDS-using-CSV-files-4.PNG b/education/get-started/images/how-to-deploy-SDS-using-CSV-files-4.PNG
new file mode 100644
index 0000000000..60f4857c8e
Binary files /dev/null and b/education/get-started/images/how-to-deploy-SDS-using-CSV-files-4.PNG differ
diff --git a/education/get-started/images/how-to-deploy-SDS-using-CSV-files-5.PNG b/education/get-started/images/how-to-deploy-SDS-using-CSV-files-5.PNG
new file mode 100644
index 0000000000..56cd93787e
Binary files /dev/null and b/education/get-started/images/how-to-deploy-SDS-using-CSV-files-5.PNG differ
diff --git a/education/get-started/set-up-office365-edu-tenant.md b/education/get-started/set-up-office365-edu-tenant.md
index 2427878df1..3fcbd5064e 100644
--- a/education/get-started/set-up-office365-edu-tenant.md
+++ b/education/get-started/set-up-office365-edu-tenant.md
@@ -23,7 +23,7 @@ Schools can use Office 365 to save time and be more productive. Built with power
Don't have an Office 365 for Education verified tenant or just starting out? Follow these steps to set up an Office 365 for Education tenant. [Learn more about Office 365 for Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans).
-
+
You can watch the descriptive audio version here: [Microsoft Education: Set up an Office 365 Education tenant (DA)](https://www.youtube.com/watch?v=d5tQ8KoB3ic)
diff --git a/education/get-started/use-school-data-sync.md b/education/get-started/use-school-data-sync.md
index 4b8fdf410f..a370bb71b8 100644
--- a/education/get-started/use-school-data-sync.md
+++ b/education/get-started/use-school-data-sync.md
@@ -10,7 +10,7 @@ ms.localizationpriority: high
ms.pagetype: edu
author: CelesteDG
ms.author: celested
-ms.date: 10/09/2017
+ms.date: 07/10/2017
---
# Use School Data Sync to import student data
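Review bot: ms.date goes from 10/09/2017 to 07/10/2017, which is a move backwards if the field is MM/DD/YYYY, even though this commit changes the page content. If 7 October was meant, the day and month are swapped; either way, set the field to the date of this revision.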
@@ -25,11 +25,10 @@ Follow all the steps in this section to use SDS and sample CSV files in a trial
You can watch the video to see how this is done, or follow the step-by-step guide.
-
+
You can watch the descriptive audio version here: [Microsoft Education: Use School Data Sync to import student data (DA)](https://www.youtube.com/watch?v=l4b086IMtvc)
-
## Download sample school data
1. Go to the O365-EDU-Tools GitHub site.
@@ -56,89 +55,83 @@ To learn more about the CSV files that are required and the info you need to inc
## Use SDS to import student data
-1. If you haven't done so already, go to the SDS portal, https://sds.microsoft.com.
-2. Click **Sign in**. You will see the **Settings** option for **Manage School Data Sync**.
+1. If you haven't done so already, go to the SDS portal, https://sds.microsoft.com.
+2. Click Sign in. Then enter your O365 Global Admin account credentials.
+3. After logging in, click **+ Add Profile** in the left hand navigation pane to create a Sync Profile.. This opens up the new profile setup wizard within the main page.
- **Figure 3** - Settings for managing SDS
+ **Figure 3** - New SDS profile setup wizard
+
+ 
- 
+4. For the new profile, in the **How do you want to connect to your school?** screen:
+
+ 1. Enter a name for your profile, such as *Contoso_Elementary_Profile*.
+ 2. Select a sync method for your profile. For this walkthrough, select **Upload CSV Files**.
+ 3. Select the type of CSV files that you're using. For this walkthrough, select **CSV files: SDS Format**.
+ 4. Click **Start**.
-3. Turn on **School Data Sync**. You will get a notification that it is turned on. Click **OK**.
+5. In the **Sync options** screen:
- New menu options will appear on the left of the SDS portal.
-
- **Figure 4** - New menu options appear after SDS is turned on
-
- 
-
-4. Click **+ Add Profile** from the sync dashboard or from the menu on the left to start syncing school data.
-
- This opens up the new profile setup wizard within the main page.
-
- **Figure 5** - New SDS profile setup wizard
-
- 
-
-5. For the new profile, in the **How do you want to connect to your school?** screen:
- 1. Enter a name for your profile, such as *Contoso_Elementary_Profile*.
- 2. Select a sync method for your profile. For this walkthrough, select **Upload CSV Files**.
- 3. Select the type of CSV files that you're using. For this walkthrough, select **CSV files: SDS Format**.
- 4. Click **Start**.
-
-6. In the **Sync options** screen:
1. In the **Select new or existing users** section, you can select either **Existing users** or **New users** based on the scenaro that applies to you. For this walkthrough, select **New users**.
- 2. In the **Import data** section:
- 1. Click **Upload Files** to bring up the **Select data files to be uploaded** window.
- 2. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import.
- 3. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**.
- 4. In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**.
+ 2. In the **Import data** section, click **Upload Files** to bring up the **Select data files to be uploaded** window.
+ 3. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import.
+ 4. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**.
+ 5. In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**.
- > [!NOTE]
- > After you click **Upload**, the status in the **Select data files to be uploaded** window will indicate that files are being uploaded and verified.
+ > [!NOTE]
+ > After you click **Upload**, the status in the **Select data files to be uploaded** window will indicate that files are being uploaded and verified.
- 5. After all the files are successfully uploaded, click **OK**.
-
- 3. Select the domain for the schools/sections. This domain will be used for the Section email addresses created during setup. If you have more than one domain, make sure you select the appropriate domain for the sync profile and subsequent sections being created.
- 4. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default.
- 5. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files.
- 6. In the **Student enrollment option** section:
+ 6. After all the files are successfully uploaded, click **OK**.
+ 7. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default.
+ 8. In the Replace Unsupported Special Characters section, checking this box will allow SDS to automatically replace unsupported special characters while the sync is running. Special characters will be replaced with an "_", and no longer result in an error during the sync process for that object.
+ 9. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files.
+ 10. In the **Student enrollment option** section:
* If you want to sync your student roster data immediately, leave the box unchecked.
* If you prefer to sync student enrollment/rostering data at a later date, check this box and then pick a date by clicking the empty box and selecting the appropriate date in the calendar when you would like to begin syncing your student roster data. Some schools prefer to delay syncing student roster data so they don't expose rosters before the start of the new term, semester, or school year.
- 7. In the **License Options** section, check the box for **Intune for Education** to allow students and teachers to receive the Intune for Education license. This will also create the SDS dynamic groups and security groups, which will be used within Intune for Education.
- 8. Click **Next**.
+ 11. In the Default Term Dates section, You can set default start and end dates for Section terms. These dates will only be used if you do not provide these dates in your CSV files. If you upload files with Section start and end dates, you will be asked to select the format of the dates provided. If the format that you enter does not match the format of start and end dates in your files, you will receive an error message and need to edit the date format so that it matches the format in your files.
+ 12. In the **License Options** section, check the box for **Intune for Education** to allow students and teachers to receive the Intune for Education license. This will also create the SDS dynamic groups and security groups, which will be used within Intune for Education.
+ 13. Click **Next**.
- **Figure 6** - Sync options for the new profile
+ **Figure 4** - Sync options for the new profile
- 
+ 
+
+6. In the **Teacher options** screen:
-7. In the **Teacher options** screen:
1. Select the domain for the teachers. SDS appends the selected domain suffix to the teacher's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The teacher will log in to Office 365 with the UserPrincipalName once the account is created.
+ * Primary Key (Source Directory) - This is the Teacher attribute in the CSV file used for SDS Identity Matching. Watch the Identity Matching video for additional information on how to select the appropriate source directory attribute, and properly configure the identity matching settings for teacher.
+ * Primary Key (Target Directory) - This is the User attribute in Azure AD used for SDS Identity Matching. Watch the Identity Matching video for additional information on how to select the appropriate target directory attribute, and properly configure the identity matching settings for the teacher.
+ * Domain (optional) - This is an optional domain value that you can add to the selected Source Directory attribute to complete your Teacher Identity Matching. If you need to match to a UserPrincipalName or Mail attribute, you must have a domain included in the string. Your source attribute must either include the domain already or you can append the appropriate domain to the source attribute using this dropdown menu.
+
2. In the **Select teacher properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default.
- 3. In the **Teacher licenses** section, choose the SKU to assign licenses for teachers. For example, **STANDARDWOFFPACK_FACULTY**.
+
+ 3. In the **License assignment** section, choose the SKU to assign licenses for teachers.
+
4. Click **Next**.
- **Figure 7** - Specify options for teacher mapping
+ **Figure 5** - Specify options for teacher mapping
- 
+ 
+
+7. In the **Student options** screen:
-8. In the **Student options** screen:
1. Select the domain for the students. SDS appends the selected domain suffix to the student's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The student will log in to Office 365 with the UserPrincipalName once the account is created.
2. In the **Select student properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default.
- 3. In the **Student licenses** section, choose the SKU to assign licenses for students. For example, **STANDARDWOFFPACK_STUDENT**.
+ 3. In the **License assignment** section, choose the SKU to assign licenses for students.
4. Click **Next**.
- **Figure 8** - Specify options for student mapping
+ **Figure 6** - Specify options for student mapping
- 
+ 
-9. In the profile **Review** page, review the summary and confirm that the options selected are correct.
-10. Click **Create profile**. You will see a notification that your profile is being submitted and then you will see a page for your profile.
+8. In the profile **Review** page, review the summary and confirm that the options selected are correct.
+9. Click **Create profile**. You will see a notification that your profile is being submitted and then you will see a page for your profile.
- **Figure 9** - SDS profile page
+ **Figure 7** - SDS profile page
+
+ 
- 
-
-11. After the profile is created and the status indicates as **Setting up**, refresh the page until you see the status change to **Sync in progress**. Beneath the **Sync in progress** status, you will see which of the 5 sync stages SDS is working on:
+10. After the profile is created and the status indicates as **Setting up**, refresh the page until you see the status change to **Sync in progress**. Beneath the **Sync in progress** status, you will see which of the 5 sync stages SDS is working on:
* Stage 1 - Validating data
* Stage 2 - Processing schools and sections
* Stage 3 - Processing students and teachers
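Review bot: The three bullets added under the first step of the Teacher options screen (Primary Key (Source Directory), Primary Key (Target Directory), Domain) tell the reader to "Watch the Identity Matching video" but the hunk gives no link to it, and they sit under "Select the domain for the teachers" without saying how they relate to the New users choice this walkthrough makes; link the video and say when these fields apply. The old step "Select the domain for the schools/sections" is removed with no replacement, so confirm the wizard no longer asks for it. Smaller points: the new step 2 drops the bold on "Sign in" and now asks for Global Admin credentials without saying why that role is needed, step 3 ends "Sync Profile.." with a doubled period, and the new items 8 and 11 leave "Replace Unsupported Special Characters" and "Default Term Dates" unbolded (item 11 also capitalizes "You" mid-sentence).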
@@ -153,15 +146,15 @@ To learn more about the CSV files that are required and the info you need to inc
Here are some examples of what the sync status can look like:
- **Figure 10** - New profile: Sync in progress
+ **Figure 8** - New profile: Sync in progress

- **Figure 11** - New profile: Sync complete - no errors
+ **Figure 9** - New profile: Sync complete - no errors

- **Figure 12** - New profile: Sync complete - with errors
+ **Figure 10** - New profile: Sync complete - with errors

@@ -171,14 +164,9 @@ To learn more about the CSV files that are required and the info you need to inc
That's it for importing sample school data using SDS.
-
-
> [!div class="step-by-step"]
[<< Set up an Office 365 education tenant](set-up-office365-edu-tenant.md)
[Configure Microsoft Store for Education >>](configure-microsoft-store-for-education.md)
## Related topic
-[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)
\ No newline at end of file
+[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)
diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md
index f448a10be8..1f647b7dbb 100644
--- a/education/trial-in-a-box/educator-tib-get-started.md
+++ b/education/trial-in-a-box/educator-tib-get-started.md
@@ -23,7 +23,7 @@ ms.date: 01/12/2017
| | |
| :---: |:--- |
| [](#edu-task1) | [Log in](#edu-task1) to **Device A** with your Teacher credentials and connect to the school network. |
-| [](#edu-task2) | **Interested in drastically improving your students' reading speed and comprehension?[1](#footnote1)** Try the [Learning Tools Immersive Reader](#edu-task2) to see how kids can learn to read faster, using text read aloud, and highlighting words for syntax. |
+| [](#edu-task2) | **Interested in significantly improving your students' reading speed and comprehension?[1](#footnote1)** Try the [Learning Tools Immersive Reader](#edu-task2) to see how kids can learn to read faster, using text read aloud, and highlighting words for syntax. |
| [](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?** Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. |
| [](#edu-task4) | **Trying to expand classroom creativity and interaction between students?** Open [OneNote](#edu-task4) and create an example group project for your class. |
| [](#edu-task5) | **Want to teach kids to further collaborate and problem solve?** Play with [Minecraft: Education Edition](#edu-task5) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. |
@@ -46,7 +46,7 @@ To try out the educator tasks, start by logging in as a teacher.

-## 2. Drastically improve student reading speed and comprehension
+## 2. Significantly improve student reading speed and comprehension
+Welcome to Microsoft Education Trial in a Box. We built this trial to make it easy to try our latest classroom technologies. We have two scenarios for you to try: one for educators and one for IT. We recommend starting with Educators. To begin, click **Get started** below.
+
|  |  |
diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md
index 16d82f2bc5..29f0a0de6c 100644
--- a/education/trial-in-a-box/itadmin-tib-get-started.md
+++ b/education/trial-in-a-box/itadmin-tib-get-started.md
@@ -25,7 +25,7 @@ ms.date: 12/11/2017
| [](#it-task1) | [Log in](#it-task1) to **Device A** with your IT Admin credentials and connect to your school's network. |
| [](#it-task2) | [Configure Device B](#it-task2) with the Set up School PCs app. |
| [](#it-task3) | [Express configure Intune for Education](#it-task3) to manage devices, users, and policies. |
-| [](#it-task4) | [Buy apps from the Microsoft Store for Education](#it-task4) and deploy them to manage devices in your tenant. |
+| [](#it-task4) | [Find apps from the Microsoft Store for Education](#it-task4) and deploy them to manage devices in your tenant. |
| [](#it-task5) | [Create custom folders](#it-task5) that will appear on each managed device's **Start** menu. |
| | |
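Review bot: On the changed it-task4 row, "deploy them to manage devices in your tenant" looks like it should read "managed devices"; the line is being edited anyway, so fix it here. Also check that the heading behind #it-task4 was renamed from "Buy apps" to "Find apps" so the table and the section title agree.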
@@ -115,12 +115,12 @@ If you've previously used Set up School PCs to provision student devices, you ca
8. **Add recommended apps** lets you choose from a set of recommended Microsoft Store apps to provision.
- 
+ 
The recommended apps include the following:
- * **Office 365 for Windows 10 S (Education Preview)** - This is optional, but works well for the Trial in a Box PCs. If you try to install this app on other editions of Windows 10, setup will fail. Also note that if you select **Office 365 for Windows 10 S (Education Preview)**, it will take about 30-45 minutes longer for Set up School PCs to create the provisioning package as the app downloads Office 365 for Windows 10 S (Education Preview) from the Microsoft Store.
- * **Minecraft: Education Edition** - Don't select this. This is already provisioned as part of your tenant.
- * **Other apps fit for the classroom** - Optional. Choose other recommended apps to install on the PC.
+ * **Office 365 for Windows 10 S (Education Preview)** - Optional. This works well for the Trial in a Box PCs running Windows 10 S. However, if you try to install this app on other editions of Windows 10, setup will fail. Also note that if you select **Office 365 for Windows 10 S (Education Preview)**, it will take about 30-45 minutes longer for Set up School PCs to create the provisioning package as the app downloads Office 365 for Windows 10 S (Education Preview) from the Microsoft Store.
+ * **Minecraft: Education Edition** - This is pre-provisioned in your tenant's app catalog, but it's not yet installed on a device. Select this option now to include it in the provisioning package.
+ * **Other apps fit for the classroom** - Optional. You can choose other recommended apps to install on the PC.
9. **Review package summary**.
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index 0deb4b8fbc..3999707536 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -292,7 +292,7 @@ The Set up School PCs app produces a specialized provisioning package that makes
Interactive logon: Sign-in last interactive user automatically after a system-initiated restart
Disabled
-
Shutdown: Allow system to be shut down without having to log on
Disabled
+
Shutdown: Allow system to be shut down without having to log on
Enabled
User Account Control: Behavior of the elevation prompt for standard users
Auto deny
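Review bot: The documented value for "Shutdown: Allow system to be shut down without having to log on" flips from Disabled to Enabled with no explanation in the visible lines. This table describes what the Set up School PCs provisioning package sets, so confirm that Enabled is what the current package actually applies, and add a sentence for admins noting that with this value anyone at the sign-in screen can shut the PC down without authenticating.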
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index 8a1a4c3068..21ac36db3c 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -110,7 +110,7 @@ You can watch the descriptive audio version here: [Microsoft Education: Use the
- Install the app on your work PC and make sure you're connected to your school's network.
- You must have Office 365 and Azure Active Directory.
- You must have the Microsoft Store for Education configured.
-- You must be a global admin, store admin, or purchaser in the Microsoft Store for Education.
+- You must be a global admin in the Microsoft Store for Education.
- It's best if you sign up for and [configure Intune for Education](../get-started/use-intune-for-education.md) before using the Set up School PCs app.
- Have a USB drive, 1 GB or larger, to save the provisioning package. We recommend an 8 GB or larger USB drive if you're installing Office.
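Review bot: The prerequisite narrows from "global admin, store admin, or purchaser" to global admin only, which makes the most privileged tenant role the only documented way to run the app. If the store admin and purchaser roles no longer work, say why in the bullet; if they still do, keep them so admins are not steered toward using a global admin account for routine provisioning.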
diff --git a/microsoft-365/TOC.md b/microsoft-365/TOC.md
deleted file mode 100644
index 06913f7aef..0000000000
--- a/microsoft-365/TOC.md
+++ /dev/null
@@ -1 +0,0 @@
-# [Index](index.md)
\ No newline at end of file
diff --git a/microsoft-365/docfx.json b/microsoft-365/docfx.json
deleted file mode 100644
index 585130e915..0000000000
--- a/microsoft-365/docfx.json
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {},
- "fileMetadata": {},
- "template": [],
- "dest": "microsoft-365"
- }
-}
\ No newline at end of file
diff --git a/microsoft-365/images/M365-education.svg b/microsoft-365/images/M365-education.svg
deleted file mode 100644
index 7f83629296..0000000000
--- a/microsoft-365/images/M365-education.svg
+++ /dev/null
@@ -1,171 +0,0 @@
-
diff --git a/microsoft-365/index.md b/microsoft-365/index.md
deleted file mode 100644
index 9249c650ec..0000000000
--- a/microsoft-365/index.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-layout: HubPage
-hide_bc: true
-author: CelesteDG
-ms.author: celested
-ms.topic: hub-page
-keywords: Microsoft 365, Microsoft 365 documentation, Microsoft 365 for business, Microsoft 365 for enterprise, Microsoft 365 for education, enterprise, business, education, docs, documentation
-title: Microsoft 365 Documentation
-description: Find documentation and resources for Microsoft 365--a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely.
-ms.date: 09/25/2017
----
-
-
-
Microsoft 365 Documentation
-
-
-
-
-
-
-
-
[Microsoft 365](https://www.microsoft.com/microsoft-365/default.aspx) is a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely.
-
\ No newline at end of file
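Review bot: index.md, TOC.md and docfx.json under microsoft-365 are all deleted, and the visible part of this patch adds no redirect for the removed landing page. Add a redirect entry, or state where the content moved, so existing links to the Microsoft 365 hub do not break.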
diff --git a/store-for-business/education/TOC.md b/store-for-business/education/TOC.md
index 43f7ab7345..63f52ca1ce 100644
--- a/store-for-business/education/TOC.md
+++ b/store-for-business/education/TOC.md
@@ -14,7 +14,7 @@
## [Get Minecraft: Education Edition](/education/windows/get-minecraft-for-education?toc=/microsoft-store/education/toc.json)
### [For teachers: get Minecraft Education Edition](/education/windows/teacher-get-minecraft?toc=/microsoft-store/education/toc.json)
### [For IT administrators: get Minecraft Education Edition](/education/windows/school-get-minecraft?toc=/microsoft-store/education/toc.json)
-### [Get Minecraft: Education Edition with Windows 10 device promotion](/education/windows/get-minecraft-for-education?toc=/microsoft-store/education/toc.json)
+### [Get Minecraft: Education Edition with Windows 10 device promotion](/education/windows/get-minecraft-device-promotion?toc=/microsoft-store/education/toc.json)
## [Distribute apps to your employees from the Microsoft Store for Business and Education](/microsoft-store/distribute-apps-to-your-employees-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
### [Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store?toc=/microsoft-store/education/toc.json)
### [Assign apps to employees](/microsoft-store/assign-apps-to-employees?toc=/microsoft-store/education/toc.json)
diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md
index 6380c8eee4..53ac6bd262 100644
--- a/store-for-business/microsoft-store-for-business-overview.md
+++ b/store-for-business/microsoft-store-for-business-overview.md
@@ -30,7 +30,7 @@ Organizations or schools of any size can benefit from using Microsoft Store for
- **Microsoft Store for Education** – Apps and subscriptions
- **Office 365** – Subscriptions
- **Volume licensing** - Apps purchased with volume licensing
-- **Private store** - Curate a private store for your business that’s easily available from any Windows 10 device. Your private store is available from Microsoft Store on Windows 10, or with a browser on the Web. People in your organization can download apps from your organization's private store on Windows 10 devices.
+- **Private store** - Create a private store for your business that’s easily available from any Windows 10 device. Your private store is available from Microsoft Store on Windows 10, or with a browser on the Web. People in your organization can download apps from your organization's private store on Windows 10 devices.
- **Flexible distribution options** - Flexible options for distributing content and apps to your employee devices:
- Distribute through Microsoft Store services. You can assign apps to individual employees, or make apps available to all employees in your private store.
- Use a management tool from Microsoft, or a 3rd-party tool for advanced distribution and management functions, or for managing images.
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index 38af4a8e01..80d4cc6d6c 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -11,7 +11,7 @@ ms.date: 1/8/2018
# What's new in Microsoft Store for Business and Education
-Microsoft Store for Business and Education regularly releases new and improved feaures.
+Microsoft Store for Business and Education regularly releases new and improved features.
## Latest updates for Store for Business and Education
diff --git a/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md
index 1f5c6f440f..9efe9705c4 100644
--- a/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -79,7 +79,7 @@ Add the number of authentications for each domain controller for the median time
Review the distribution of authentication. Hopefully, none of these are above 70 percent. It's always good to reserve some capacity for the unexpected. Also, the primary purposes of a domain controller is to provide authentication and handle Active Directory operations. Identify domain controllers with lower distributions of authentication as potential candidates for the initial domain controller upgrades in conjunction with a reasonable distribution of clients provisioned for Windows Hello for Business.
## Monitoring Authentication
-Using the same methods previously described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2016. This delta is representative of authentication resulting from the first phase of your Windows Hello for Busines clients. This gives you a baseline for your environment to where you can form a statement such as
+Using the same methods previously described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2016. This delta is representative of authentication resulting from the first phase of your Windows Hello for Business clients. This gives you a baseline for your environment to where you can form a statement such as
```"Every n Windows Hello for Business clients results in x percentage of key-trust authentication."```
diff --git a/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md
index 6dac872525..e33c9a15e7 100644
--- a/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -50,22 +50,18 @@ We’ve been working with the device manufacturers to help ensure a high-level o
- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection.
### Fingerprint sensor requirements
-To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee’s unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required) and a way to configure them (optional).
+To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee’s unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required).
**Acceptable performance range for small to large size touch sensors**
- False Accept Rate (FAR): <0.001 – 0.002%
-- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5%
-
- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
**Acceptable performance range for swipe sensors**
- False Accept Rate (FAR): <0.002%
-- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5%
-
- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
### Facial recognition sensors
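Review bot: The False Reject Rate definition kept as context at the top of this hunk still says the rate "Can be with or without anti-spoofing or liveness detection", but both performance lists now give only the figure with anti-spoofing (<10%). Either reword the definition or add a sentence saying that only the effective, with-anti-spoofing figure is specified, because readers evaluating sensors will look for both numbers. While here, "real world FRR" should be "real-world FRR" in both lists.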
diff --git a/windows/access-protection/hello-for-business/hello-features.md b/windows/access-protection/hello-for-business/hello-features.md
index e89b3407a1..5c6fcc07d2 100644
--- a/windows/access-protection/hello-for-business/hello-features.md
+++ b/windows/access-protection/hello-for-business/hello-features.md
@@ -73,7 +73,7 @@ For this policy setting, the **type** and **scenario** attribute values are stat
|Health|2304|
|Uncategorized|7936|
-The **rssiMin** attribute value signal strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10.
+The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10.
RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
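Review bot: The corrected rssiMin sentence still does not parse: "The **rssiMin** attribute value signal indicates the strength needed" should read "The **rssiMin** attribute value indicates the signal strength needed". On the same line, "which instruct Windows 10" should be "which instructs", and "by more than measurement of 10" needs an article. The line also gives **rssiMaxDelta** a default of **-10** while describing the change as a measurement of 10; since this threshold decides when the device locks, state the sign convention explicitly.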
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index 844f97af64..57a3df8925 100644
--- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -41,7 +41,7 @@ Begin configuring device registration to support Hybrid Windows Hello for Busine
To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/)
-## Configure Active Directory to support Azure device syncrhonization
+## Configure Active Directory to support Azure device synchronization
Azure Active Directory is now configured for device registration. Next, you need to configure the on-premises Active Directory to support synchronizing hybrid Azure AD joined devices. Begin with upgrading the Active Directory Schema
diff --git a/windows/access-protection/hello-for-business/hello-manage-in-organization.md b/windows/access-protection/hello-for-business/hello-manage-in-organization.md
index 69eef88788..de508ef8d7 100644
--- a/windows/access-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/access-protection/hello-for-business/hello-manage-in-organization.md
@@ -317,4 +317,3 @@ If you want to use Windows Hello for Business with certificates, you’ll need a
- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
diff --git a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 6a71c9879d..44c95475c0 100644
--- a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -82,5 +82,3 @@ If you only had a biometric sign-in configured and, for any reason, were unable
- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
-
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=hello-why-pin-is-better-than-password.md).
\ No newline at end of file
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index 215e71f9f0..521038e82e 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -8,7 +8,7 @@ ms.pagetype: mobile
ms.author: elizapo
author: lizap
ms.localizationpriority: low
-ms.date: 09/15/2017
+ms.date: 01/24/2018
---
# Understand the different apps included in Windows 10
@@ -23,7 +23,7 @@ Digging into the Windows apps, there are two categories:
- Provisioned: Installed the first time you sign into Windows. You'll see a tile or Start menu item for these apps, but they aren't installed until the first sign-in.
- Installed: Installed as part of the OS.
-The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1511, 1607, and 1703, and indicate whether an app can be uninstalled through the UI.
+The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1607, 1703, and 1709, and indicate whether an app can be uninstalled through the UI.
Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running.
@@ -31,123 +31,116 @@ Some of the apps show up in multiple tables - that's because their status change
> Want to see a list of the apps installed on your specific image? You can run the following PowerShell cmdlet:
> ```powershell
> Get-AppxPackage |Select Name,PackageFamilyName
-> Get-AppsProvisionedPackage -Online | select DisplayName,PackageName
+> Get-AppxProvisionedPackage -Online | select DisplayName,PackageName
> ```
## System apps
-System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1511, 1607, and 1703.
+System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1607, 1703, and 1709.
-| Name | Full name | 1511 | 1607 | 1703 | Uninstall through UI? |
-|------------------|-------------------------------------------|------|------|------|--------------------------------------------------------|
-| Cortana UI | CortanaListenUIApp | | | x | No |
-| | Desktop Learning | | | x | No |
-| | DesktopView | | | x | No |
-| | EnvironmentsApp | | | x | No |
-| Mixed Reality + | HoloCamera | | | x | No |
-| Mixed Reality + | HoloItemPlayerApp | | | x | No |
-| Mixed Reality + | HoloShell | | | x | No |
-| | Microsoft.AAD.Broker.Plugin | x | x | x | No |
-| | Microsoft.AccountsControl | x | x | x | No |
-| Hello setup UI | Microsoft.BioEnrollment | x | x | x | No |
-| | Microsoft.CredDialogHost | | | x | No |
-| | Microsoft.LockApp | x | x | x | No |
-| Microsoft Edge | Microsoft.Microsoft.Edge | x | x | x | No |
-| | Microsoft.PPIProjection | | x | x | No |
-| | Microsoft.Windows. Apprep.ChxApp | | x | x | No |
-| | Microsoft.Windows. AssignedAccessLockApp | x | x | x | No |
-| | Microsoft.Windows. CloudExperienceHost | x | x | x | No |
-| | Microsoft.Windows. ContentDeliveryManager | x | x | x | No |
-| Cortana | Microsoft.Windows.Cortana | x | x | x | No |
-| | Microsoft.Windows. Holographic.FirstRun | | | x | No |
-| | Microsoft.Windows. ModalSharePickerHost | | | x | No |
-| | Microsoft.Windows. OOBENetworkCaptivePort | | | x | No |
-| | Microsoft.Windows. OOBENetworkConnection | | | x | No |
-| | Microsoft.Windows. ParentalControls | x | x | x | No |
-| | Microsoft.Windows. SecHealthUI | | | x | No |
-| | Microsoft.Windows. SecondaryTileExperience | x | x | x | No |
-| | Microsoft.Windows. SecureAssessmentBrowser | | x | x | No |
-| Start | Microsoft.Windows. ShellExperienceHost | x | x | x | No |
-| Windows Feedback | Microsoft.WindowsFeedback | x | * | * | No |
-| | Microsoft.XboxGameCallableUI | x | x | x | No |
-| Xbox logon UI | Microsoft.XboxIdentityProvider | x | | | No |
-| Contact Support | Windows.ContactSupport | x | x* | x* | In 1511, no.* |
-| | Windows.Devicesflow | x | | | No |
-| Settings | Windows.ImmersiveControlPanel | x | x | x | No |
-| Connect | Windows.MiracastView | x | x | x | No |
-| Print UI | Windows.PrintDialog | x | x | x | No |
-| Purchase UI | Windows.PurchaseDialog | x | | | No |
+| Name | Full name | 1607 | 1703 | 1709 |Uninstall through UI? |
+|------------------|-------------------------------------------|------|------|------|-------------------------------------------------------|
+| Cortana UI | CortanaListenUIApp | | x | | No |
+| | Desktop Learning | | x | | No |
+| | DesktopView | | x | | No |
+| | EnvironmentsApp | | x | | No |
+| Mixed Reality + | HoloCamera | | x | | No |
+| Mixed Reality + | HoloItemPlayerApp | | x | | No |
+| Mixed Reality + | HoloShell | | x | | No |
+| | InputApp | | | x | No |
+| | Microsoft.AAD.Broker.Plugin | x | x | x | No |
+| | Microsoft.AccountsControl | x | x | x | No |
+| Hello setup UI | Microsoft.BioEnrollment | x | x | x | No |
+| | Microsoft.CredDialogHost | | x | x | No |
+| | Microsoft.ECApp | | | x | No |
+| | Microsoft.LockApp | x | x | x | No |
+| Microsoft Edge | Microsoft.Microsoft.Edge | x | x | x | No |
+| | Microsoft.PPIProjection | x | x | x | No |
+| | Microsoft.Windows. Apprep.ChxApp | x | x | x | No |
+| | Microsoft.Windows. AssignedAccessLockApp | x | x | x | No |
+| | Microsoft.Windows. CloudExperienceHost | x | x | x | No |
+| | Microsoft.Windows. ContentDeliveryManager | x | x | x | No |
+| Cortana | Microsoft.Windows.Cortana | x | x | x | No |
+| | Microsoft.Windows. Holographic.FirstRun | | x | x | No |
+| | Microsoft.Windows. ModalSharePickerHost | | x | | No |
+| | Microsoft.Windows. OOBENetworkCaptivePort | | x | x | No |
+| | Microsoft.Windows. OOBENetworkConnectionFlow | | x | x | No |
+| | Microsoft.Windows. ParentalControls | x | x | x | No |
+| People Hub | Microsoft.Windows. PeopleExperienceHost | | | x | No |
+| | Microsoft.Windows. PinningConfirmationDialog | | | x | No |
+| | Microsoft.Windows. SecHealthUI | | x | x | No |
+| | Microsoft.Windows. SecondaryTileExperience | x | x | x | No |
+| | Microsoft.Windows. SecureAssessmentBrowser | | x | x | No |
+| Start | Microsoft.Windows. ShellExperienceHost | x | x | x | No |
+| Windows Feedback | Microsoft.WindowsFeedback | * | * | * | No |
+| | Microsoft.XboxGameCallableUI | x | x | x | No |
+| Contact Support* | Windows.ContactSupport | x | x | * | Through the Optional Features app |
+| Settings | Windows.ImmersiveControlPanel | x | x | x | No |
+| Connect | Windows.MiracastView | x | x | | No |
+| Print 3D | Windows.Print3D | | | x | Yes |
+| Print UI | Windows.PrintDialog | x | x | x | No |
> [!NOTE]
-> - The Windows Feedback app changed to the Windows Feedback Hub in version 1607. It's listed in the installed apps table below.
+> - The Windows Feedback app changed to the Feedback Hub in version 1607. It's listed in the provisioned apps table below.
+> - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support).
> - As of Windows 10 version 1607, you can use the Optional Features app to uninstall the Contact Support app.
## Installed Windows apps
-Here are the typical installed Windows apps in Windows 10 versions 1511, 1607, and 1703.
+Here are the typical installed Windows apps in Windows 10 versions 1607, 1703, and 1709.
+
+| Name | Full name | 1607 | 1703 | 1709 |Uninstall through UI? |
+|--------------------|-----------------------------------------|------|------|------|----------------------|
+| Remote Desktop | Microsoft.RemoteDesktop | x | x | x | Yes |
+| PowerBI | Microsoft.Microsoft PowerBIforWindows | x | x | | Yes |
+| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | x | Yes |
+| Eclipse Manager | 46928bounde.EclipseManager | x | x | x | Yes |
+| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | x | Yes |
+| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | x | Yes |
+| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | | x | x | Yes |
+| Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes |
+| Paid Wi-FI | | | x | | Yes |
-| Name | Full name | 1511 | 1607 | 1703 | Uninstall through UI? |
-|--------------------|-----------------------------------------|------|------|------|---------------------------|
-| Remote Desktop | Microsoft.RemoteDesktop | | x | x | Yes |
-| PowerBI | Microsoft.Microsoft PowerBIforWindows | | x | x | Yes |
-| Candy Crush | king.com.CandyCrushSodaSaga | x | | | Yes |
-| Code Writer | ActiproSoftwareLLC.562882FEEB491 | | x | x | Yes |
-| Eclipse Manager | 46928bounde.EclipseManager | | x | x | Yes |
-| Pandora | PandoraMediaInc.29680B314EFC2 | | x | x | Yes |
-| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | | x | x | Yes |
-| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | | | x | Yes |
-| Network Speed Test | Microsoft.NetworkSpeedTest | | x | x | Yes |
-| Paid Wi-FI | | x | | | Yes |
-| Skype Video | | x | | | Yes |
-| Twitter | | x | | | Yes |
-| PicArts | | x | | | Yes |
-| Minecraft | | x | | | Yes |
-| Flipboard | | x | | | Yes |
## Provisioned Windows apps
-Here are the typical provisioned Windows apps in Windows 10 versions 1511, 1607, and 1703.
+Here are the typical provisioned Windows apps in Windows 10 versions 1607, 1703, and 1709.
-| Name | Full name | 1511 | 1607 | 1703 | Uninstall through UI? |
-|---------------------------------|----------------------------------------|------|------|------|---------------------------|
-| 3D Builder | Microsoft.3DBuilder | x | | x | Yes |
-| App Connector | Microsoft.Appconnector | x | | | Yes, through Settings app |
-| Money | Microsoft.BingFinance | x | | | Yes |
-| News | Microsoft.BingNews | x | * | * | Yes |
-| Sports | Microsoft.BingSports | x | | | Yes |
-| Weather | Microsoft.BingWeather | x | x | x | No |
-| Phone Companion | Microsoft.CommsPhone | x | | | Yes |
-| | Microsoft.ConnectivityStore | x | | | No |
-| | Microsoft.DesktopAppInstaller | | x | x | Yes, through Settings app |
-| Get Started/Tips | Microsoft.Getstarted | x | x | x | Yes |
-| Messaging | Microsoft.Messaging | x | x | x | No |
-| Microsoft 3D Viewer | Microsoft.Microsoft3DViewer | | | x | No |
-| Get Office | Microsoft.MicrosoftOfficeHub | x | x | x | Yes |
-| Solitaire | Microsoft.Microsoft SolitaireCollection | x | x | x | Yes |
-| Sticky Notes | Microsoft.MicrosoftStickyNotes | | x | x | No |
-| OneNote | Microsoft.Office.OneNote | x | x | x | No |
-| Sway | Microsoft.Office.Sway | x | * | * | Yes |
-| | Microsoft.OneConnect | | x | x | No |
-| Paint 3D | Microsoft.MSPaint | | | x | No |
-| People | Microsoft.People | x | x | x | No |
-| Get Skype/Skype (preview)/Skype | Microsoft.SkypeApp | x | x | x | Yes |
-| | Microsoft.StorePurchaseApp | | x | x | No |
-| | Microsoft.Wallet | | | x | No |
-| Photos | Microsoft.Windows.Photos | x | x | x | No |
-| Alarms & Clock | Microsoft.WindowsAlarms | x | x | x | No |
-| Calculator | Microsoft.WindowsCalculator | x | x | x | No |
-| Camera | Microsoft.WindowsCamera | x | x | x | No |
-| Mail and Calendar | Microsoft.windows communicationsapps | x | x | x | No |
-| Feedback Hub | Microsoft.WindowsFeedbackHub | * | x | x | Yes |
-| Maps | Microsoft.WindowsMaps | x | x | x | No |
-| Phone | Microsoft.WindowsPhone | x | | | No |
-| Voice Recorder | Microsoft.SoundRecorder | x | x | x | No |
-| Store | Microsoft.WindowsStore | x | x | x | No |
-| Xbox | Microsoft.XboxApp | x | x | x | No |
-| | Microsoft.XboxGameOverlay | | | x | No |
-| | Microsoft.XboxIdentityProvider | * | x | x | No |
-| Groove | Microsoft.ZuneMusic | x | x | x | No |
-| Movies & TV | Microsoft.ZuneVideo | x | x | x | No |
-| | Microsoft.XboxSpeech ToTextOverlay | | | x | No |
+| Name | Full name | 1607 | 1703 | 1709 | Uninstall through UI? |
+|---------------------------------|----------------------------------------|------|------|------|---------------------|
+| 3D Builder | Microsoft.3DBuilder | | x | | Yes |
+| Alarms & Clock | Microsoft.WindowsAlarms | x | x | x | No |
+| App Installer | Microsoft.DesktopAppInstaller | x | x | x | No |
+| Calculator | Microsoft.WindowsCalculator | x | x | x | No |
+| Camera | Microsoft.WindowsCamera | x | x | x | No |
+| Feedback Hub | Microsoft.WindowsFeedbackHub | x | x | x | Yes |
+| Get Help | Microsoft.GetHelp | | | x | No |
+| Get Office/My Office | Microsoft.Microsoft OfficeHub | x | x | x | Yes |
+| Get Skype/Skype (preview)/Skype | Microsoft.SkypeApp | x | x | x | Yes |
+| Get Started/Tips | Microsoft.Getstarted | x | x | x | Yes |
+| Groove | Microsoft.ZuneMusic | x | x | x | No |
+| Mail and Calendar | Microsoft.windows communicationsapps | x | x | x | No |
+| Maps | Microsoft.WindowsMaps | x | x | x | No |
+| Messaging | Microsoft.Messaging | x | x | x | No |
+| Microsoft 3D Viewer | Microsoft.Microsoft3DViewer | | x | x | No |
+| Movies & TV | Microsoft.ZuneVideo | x | x | x | No |
+| News | Microsoft.BingNews | x | x | x | Yes |
+| OneNote | Microsoft.Office.OneNote | x | x | x | Yes |
+| Paint 3D | Microsoft.MSPaint | | x | x | No |
+| People | Microsoft.People | x | x | x | No |
+| Photos | Microsoft.Windows.Photos | x | x | x | No |
+| Print 3D | Microsoft.Print3D | | | x | No |
+| Solitaire | Microsoft.Microsoft SolitaireCollection | x | x | x | Yes |
+| Sticky Notes | Microsoft.MicrosoftStickyNotes | x | x | x | No |
+| Store | Microsoft.WindowsStore | x | x | x | No |
+| Sway | Microsoft.Office.Sway | * | * | x | Yes |
+| Voice Recorder | Microsoft.SoundRecorder | x | x | x | No |
+| Wallet | Microsoft.Wallet | | x | x | No |
+| Weather | Microsoft.BingWeather | x | x | x | Yes |
+| Xbox | Microsoft.XboxApp | x | x | x | No |
+| | Microsoft.OneConnect | x | x | x | No |
+| | Microsoft.StorePurchaseApp | x | x | x | No |
+| | Microsoft.Xbox.TCUI | | | x | No |
+| | Microsoft.XboxGameOverlay | | x | x | No |
+| | Microsoft.XboxIdentityProvider | x | x | * | No |
+| | Microsoft.XboxSpeech ToTextOverlay | | x | x | No |
-> [!NOTE]
-> - As of Windows 10, version 1607, News and Sway are installed apps.
-> - Both Feedback Hub and Microsoft.XboxIdentityProvider were installed apps in version 1511 and provisioned apps in versions 1607 and later.
\ No newline at end of file
+\* moved from "provisioned" to "installed" in this version.
\ No newline at end of file
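Review bot: The footnote added at the end of the provisioned table defines the asterisk as moved from "provisioned" to "installed" in this version, but the same marker is used in the system apps table (Windows Feedback in all three version columns, Contact Support in 1709), where the NOTE describes a different change: replacement by Feedback Hub and Get Help, both provisioned apps. Give the system apps table its own footnote or a different marker. In the provisioned table, Sway is marked with an asterisk for 1607 and 1703 and with x for 1709, which does not fit "moved in this version" either, so please confirm those cells. Smaller points: the Paid Wi-FI row has no full name, Print 3D appears as Windows.Print3D (system app, uninstall "Yes") and as Microsoft.Print3D (provisioned, uninstall "No") with nothing explaining the difference, and the file still ends without a trailing newline.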
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md
index db2b1f18c8..ca43f5a4ed 100644
--- a/windows/application-management/svchost-service-refactoring.md
+++ b/windows/application-management/svchost-service-refactoring.md
@@ -33,7 +33,7 @@ Benefits of this design change include:
* Reduced support costs by eliminating the troubleshooting overhead associated with isolating misbehaving services in the shared host.
* Increased security by providing additional inter-service isolation
* Increased scalability by allowing per-service settings and privileges
-* Improved resource management through per-service CPU, I/O and memory management and increase clear telemetry (report CPU, I/O and network usage per service).
+* Improved resource management through per-service CPU, I/O and memory management and increase clear diagnostic data (report CPU, I/O and network usage per service).
>**Try This**
>
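Review bot: Replacing "telemetry" with "diagnostic data" in the last bullet leaves "increase clear diagnostic data", which is not grammatical. Suggest "and clearer diagnostic data (CPU, I/O and network usage reported per service)". The two bullets above it, on inter-service isolation and per-service privileges, also lack the terminal period that the first and last bullets have.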
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index fd513fcffe..e77a3132db 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -168,4 +168,3 @@ When a user is configured with a mandatory profile, Windows 10 starts as though
- [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight)
- [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=mandatory-user-profile.md).
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 7e36c48d66..b214cbdc2a 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -2,6 +2,7 @@
## [What's new in MDM enrollment and management](new-in-windows-mdm-enrollment-management.md)
## [Mobile device enrollment](mobile-device-enrollment.md)
### [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md)
+#### [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md)
### [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)
### [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
@@ -227,6 +228,7 @@
#### [RemoteManagement](policy-csp-remotemanagement.md)
#### [RemoteProcedureCall](policy-csp-remoteprocedurecall.md)
#### [RemoteShell](policy-csp-remoteshell.md)
+#### [RestrictedGroups](policy-csp-restrictedgroups.md)
#### [Search](policy-csp-search.md)
#### [Security](policy-csp-security.md)
#### [Settings](policy-csp-settings.md)
diff --git a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
new file mode 100644
index 0000000000..f93d78ce36
--- /dev/null
+++ b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -0,0 +1,22 @@
+---
+title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal
+description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 01/17/2018
+---
+
+# Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal
+
+Go to your Azure AD Blade, select the Mobility (MDM and MAM) and there should be the Microsoft Intune "App" Visible, select the Microsoft Intune and configure the Blade
+
+
+
+Configure the Blade
+
+
+
+Select all for allow all users to enroll a Device and make it Intune ready, or Some, then you can add a Group of Users.
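Review bot: The body of this new article is two run-on sentences with inconsistent capitalization ("Blade", "App", "Visible", "Device"), and "configure the Blade" / "Configure the Blade" appears twice with only blank lines in between. Rewrite it as a numbered procedure with one action per step, and if screenshots were meant to fill the blank gaps, add them with alt text. The last line decides which users can enroll devices automatically, so it should name the setting being changed and state plainly what "All" and "Some" each allow; "Select all for allow all users" does not do that. The description in the front matter only repeats the title.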
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index b6f9f2667c..c432bac103 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -6,11 +6,14 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 10/30/2017
+ms.date: 01/04/2018
---
# BitLocker CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703.
> [!Note]
@@ -794,6 +797,12 @@ The following diagram shows the BitLocker configuration service provider in tree
Allows the Admin to disable the warning prompt for other disk encryption on the user machines.
+> [!Important]
+> Starting in Windows 10, next major update, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-overview) for value 0.
+
+> [!Warning]
+> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will require reinstallation of Windows.
+
Home
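Review bot: "Starting in Windows 10, next major update" in the added Important note is not a version a reader can check a device against; use the version number once it is known, or flag the line for follow-up. The note also buries the behaviour change: with value 0 the setting no longer only hides a prompt, it makes Windows attempt to enable BitLocker silently. Lead with that, and tie the Warning about third-party encryption directly to value 0, since that is the case where the prompt that would have alerted the user is suppressed.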
@@ -817,11 +826,9 @@ The following diagram shows the BitLocker configuration service provider in tree
The following list shows the supported values:
-- 0 – Disables the warning prompt.
+- 0 – Disables the warning prompt. Starting in Windows 10, next major update, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0.
- 1 (default) – Warning prompt allowed.
-
Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:
-
``` syntax
110
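Review bot: The text added to the "0" list item repeats the Important note from the previous hunk word for word; keep it in one place so the two copies cannot drift apart. This hunk also deletes the blank line between the list and "Admin should set the value to 0 ...", which in Markdown turns that sentence into a continuation of the "1 (default)" list item, and the blank line before the code fence. Please restore both and check the rendered page.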
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md
index 4fefcba7c8..e81ff53e92 100644
--- a/windows/client-management/mdm/cm-cellularentries-csp.md
+++ b/windows/client-management/mdm/cm-cellularentries-csp.md
@@ -192,6 +192,7 @@ The following diagram shows the CM\_CellularEntries configuration service provid
- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB
- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364
- Application - 52D7654A-00A8-4140-806C-087D66705306
+- eSIM provisioning - A36E171F-2377-4965-88FE-1F53EB4B47C0
## Additional information
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index ddad72d945..a72cf5ff8f 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -2441,27 +2441,28 @@ You can download the DDF files for various CSPs from the links below:
The following list shows the configuration service providers supported in Windows Holographic editions.
-| Configuration service provider | Windows Holographic edition | Windows Holographic for Business edition |
-|-------------------------------------------------------------------------------------------------------|-------------------------------------|-------------------------------------------|
-| [Application CSP](application-csp.md) |  |  |
-| [AppLocker CSP](applocker-csp.md) |  |  |
-| [CertificateStore CSP](certificatestore-csp.md) |  |  |
-| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) |  |  |
-| [DevDetail CSP](devdetail-csp.md) |  |  |
-| [DeveloperSetup CSP](developersetup-csp.md) |  | 2 (Provisioning only)|
-| [DeviceStatus CSP](devicestatus-csp.md) |  |  |
-| [DevInfo CSP](devinfo-csp.md) |  |  |
-| [DiagnosticLog CSP](diagnosticlog-csp.md) |  |  |
-| [DMAcc CSP](dmacc-csp.md) |  |  |
-| [DMClient CSP](dmclient-csp.md) |  |  |
+| Configuration service provider | Windows Holographic edition | Windows Holographic for Business edition |
+|--------|--------|------------|
+| [Application CSP](application-csp.md) |  |  |
+| [AppLocker CSP](applocker-csp.md) |  |  |
+| [CertificateStore CSP](certificatestore-csp.md) |  | |
+| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) |  |  |
+| [DevDetail CSP](devdetail-csp.md) |  |  |
+| [DeveloperSetup CSP](developersetup-csp.md) |  | 2 (Provisioning only)|
+| [DeviceStatus CSP](devicestatus-csp.md) |  |  |
+| [DevInfo CSP](devinfo-csp.md) |  |  |
+| [DiagnosticLog CSP](diagnosticlog-csp.md) |  |  |
+| [DMAcc CSP](dmacc-csp.md) |  |  |
+| [DMClient CSP](dmclient-csp.md) |  |  |
| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) |  |  |
-| [NodeCache CSP](nodecache-csp.md) |  |  |
-| [Policy CSP](policy-configuration-service-provider.md) |  |  |
-| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) |  |  |
-| [Update CSP](update-csp.md) |  |  |
-| [VPN2 CSP](vpnv2-csp.md) |  |  |
-| [WiFi CSP](wifi-csp.md) |  |  |
-| [WindowsLicensing CSP](windowslicensing-csp.md) |  |  |
+| [NodeCache CSP](nodecache-csp.md) |  |  |
+[PassportForWork CSP](passportforwork-csp.md) |  |  |
+| [Policy CSP](policy-configuration-service-provider.md) |  |  |
+| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) |  |  |
+| [Update CSP](update-csp.md) |  |  |
+| [VPN2 CSP](vpnv2-csp.md) |  |  |
+| [WiFi CSP](wifi-csp.md) |  |  |
+| [WindowsLicensing CSP](windowslicensing-csp.md) |  |  |
Footnotes:
- 2 - Added in Windows 10, version 1703
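Review bot: The added PassportForWork row is missing its leading pipe ("[PassportForWork CSP](passportforwork-csp.md) | ..."), unlike every other row in the table, so it may not render as a table row. It also carries no footnote saying in which version support was added, as the DeveloperSetup row does with "2". In the reformatted CertificateStore row the last cell changed from two spaces to one; please confirm the Business edition cell was not emptied by accident.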
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 36cb8e6e0f..bcab5ce598 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -7,12 +7,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/26/2017
+ms.date: 01/29/2018
---
# Defender CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
The following image shows the Windows Defender configuration service provider in tree format.
@@ -310,6 +313,11 @@ Node that can be used to perform signature updates for Windows Defender.
Supported operations are Get and Execute.
+**OfflineScan**
+Added in Windows 10, next major update. OfflineScan action starts a Windows Defender offline scan on the computer where you run the command. This command causes the computer reboot and start in Windows Defender offline mode to begin the scan.
+
+Supported operations are Get and Execute.
+
## Related topics
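Review bot: The OfflineScan description has a grammar slip, "causes the computer reboot and start", which should be "causes the computer to reboot and start". Because Execute on this node restarts the device, put that in a note of its own rather than in the second sentence, and say what Get returns for an action node. "Added in Windows 10, next major update" should become a version number before release.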
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index 126869323b..4077ab58af 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -7,12 +7,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/05/2017
+ms.date: 01/29/20178
---
# Defender DDF file
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
This topic shows the OMA DM device description framework (DDF) for the **Defender** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
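Review bot: The new front-matter value "ms.date: 01/29/20178" has a five-digit year. It should be 01/29/2018, matching the date set on defender-csp.md in the same change.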
@@ -22,648 +25,659 @@ The XML below is the current version for this CSP.
``` syntax
]>
+ "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
+ []>
- 1.2
-
+ 1.2
+ Defender./Vendor/MSFT
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+ com.microsoft/1.1/MDM/Defender
+
- Detections
+ Detections
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+ ThreatId
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ThreatId
-
-
-
-
-
- Name
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- URL
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Severity
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Category
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CurrentStatus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ExecutionStatus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- InitialDetectionTime
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- LastThreatStatusChangeTime
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- NumberOfDetections
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
+ Name
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ URL
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Severity
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Category
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CurrentStatus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ExecutionStatus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ InitialDetectionTime
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LastThreatStatusChangeTime
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NumberOfDetections
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
- Health
+ Health
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ComputerState
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
-
- ComputerState
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- DefenderEnabled
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RtpEnabled
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- NisEnabled
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- QuickScanOverdue
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- FullScanOverdue
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- SignatureOutOfDate
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RebootRequired
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- FullScanRequired
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- EngineVersion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- SignatureVersion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- DefenderVersion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- QuickScanTime
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- FullScanTime
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- QuickScanSigVersion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- FullScanSigVersion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
+
+
+ DefenderEnabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RtpEnabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NisEnabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ QuickScanOverdue
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ FullScanOverdue
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ SignatureOutOfDate
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RebootRequired
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ FullScanRequired
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EngineVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ SignatureVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DefenderVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ QuickScanTime
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ FullScanTime
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ QuickScanSigVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ FullScanSigVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
- Scan
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
+ Scan
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
- UpdateSignature
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
+ UpdateSignature
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
-
+
+ OfflineScan
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
```
## Related topics
-[Defender configuration service provider](defender-csp.md)
-
-
-
-
-
-
-
-
-
-
+[Defender configuration service provider](defender-csp.md)
\ No newline at end of file
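Review bot: The OfflineScan addition is buried in a rewrite of the whole DDF block (648 lines removed, 659 added per the hunk header), so the functional change cannot be told apart from what looks like re-indentation. Please split the formatting change from the node addition, or confirm in the description that everything other than the new OfflineScan node is whitespace only. The hunk also leaves the file without a trailing newline (`\ No newline at end of file` after the Related topics link); add one back.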
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index 2e48728ffc..c48d6ddd3b 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -216,7 +216,7 @@ Added in Windows 10, version 1607. Returns the hardware device ID.
Supported operation is Get.
**Provider/*ProviderID*/CommercialID**
-Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this telemetry data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its telemetry data with your organization..
+Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization..
Supported operations are Add, Get, Replace, and Delete.
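Review bot: The reworded CommercialID paragraph still ends in a double period ("with your organization..") and keeps the awkward "this diagnostic data of this device". Since the line is already being touched for the telemetry-to-diagnostic rename, fix both in the same change, for example "associate the diagnostic data of this device with a given organization".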
diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
index e08fe3e40d..beaaf83a87 100644
--- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
@@ -233,6 +233,7 @@ Summary of steps to enable a policy:
./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2
+
]]>
+
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index 01c9d509c3..1330e71e5a 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -6,13 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/07/2017
+ms.date: 01/26/2018
---
# Firewall CSP
-The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10.
+The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709.
Firewall configuration commands must be wrapped in an Atomic block in SyncML.
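Review bot: The replacement sentence at the end of the intro paragraph is missing a preposition: "This CSP was added Windows 10, version 1709" should be "This CSP was added in Windows 10, version 1709".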
diff --git a/windows/client-management/mdm/images/azure-intune-configure-scope.png b/windows/client-management/mdm/images/azure-intune-configure-scope.png
new file mode 100644
index 0000000000..822ff31511
Binary files /dev/null and b/windows/client-management/mdm/images/azure-intune-configure-scope.png differ
diff --git a/windows/client-management/mdm/images/azure-mdm-intune.png b/windows/client-management/mdm/images/azure-mdm-intune.png
new file mode 100644
index 0000000000..b0f08a51bd
Binary files /dev/null and b/windows/client-management/mdm/images/azure-mdm-intune.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-defender.png b/windows/client-management/mdm/images/provisioning-csp-defender.png
index b3be3ba7f4..8d34e77eb9 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-defender.png and b/windows/client-management/mdm/images/provisioning-csp-defender.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png
index fdbeb278ab..c6e1215e4d 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png and b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png differ
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
index bdccbd501f..4fe82b932b 100644
--- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
@@ -112,7 +112,7 @@ All Windows devices can be connected to an Azure AD domain. These devices can be
If the tenant is a cloud-only tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly on this page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication.
- Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain.
+ Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain.

diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md
index 1dbb44551e..2fe9ccfab5 100644
--- a/windows/client-management/mdm/mobile-device-enrollment.md
+++ b/windows/client-management/mdm/mobile-device-enrollment.md
@@ -82,7 +82,7 @@ Value: DisableRegistration
The following scenarios do not allow MDM enrollments:
- Built-in administrator accounts on Windows desktop cannot enroll into MDM.
-- Prior to Windows 10, version 1709, standard users on Windows desktop cannot enroll into MDM via the Work access page in **Settings**. Only admin users can enroll. To enroll a standard user into MDM, we recommend using a provisioning package or joining the device to Azure AD from **Settings** -> **System** -> **About**. Starting in Windows 10, version 1709, standard users can enroll in MDM.
+- Standard users cannot enroll in MDM. Only admin users can enroll.
- Windows 8.1 devices enrolled into MDM via enroll-on-behalf-of (EOBO) can upgrade to Windows 10, but the enrollment is not supported. We recommend performing a server initiated unenroll to remove these enrollments and then enrolling after the upgrade to Windows 10 is completed.
## Enrollment migration
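Review bot: The rewritten bullet reverses what the removed text said, and nothing in the change explains why. The old line stated that starting in Windows 10, version 1709, standard users can enroll in MDM, and gave a workaround for earlier versions (a provisioning package, or joining Azure AD from Settings). The new line says "Standard users cannot enroll in MDM. Only admin users can enroll." with no version scope and no workaround. If the 1709 behaviour was documented in error, say so in the commit message. Otherwise keep the version qualifier and the workaround, since readers use this list to decide who needs admin rights for enrollment.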
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 1a14ccd222..820cf5dfd6 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -1405,6 +1405,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
@@ -1506,6 +1510,26 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
Settings/AllowOnlineTips
System/DisableEnterpriseAuthProxy
+
Security/RequireDeviceEncrption - updated to show it is supported in desktop.
+
+
+
[BitLocker CSP](bitlocker-csp.md)
+
Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, next major update.
+
+
+
[RemoteWipe CSP](remotewipe-csp.md)
+
Added the following nodes in Windows 10, next major update:
+
+
AutomaticRedeployment
+
doAutomaticRedeployment
+
LastError
+
Status
+
+
+
+
[Defender CSP](defender-csp.md)
+
Added new node (OfflineScan) in Windows 10, next major update.
+
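Review bot: The policy name in the Security entry is misspelled as "Security/RequireDeviceEncrption"; it should be "Security/RequireDeviceEncryption", otherwise a search for the policy name will miss this change-log row. The BitLocker, RemoteWipe and Defender rows all say "Windows 10, next major update", which should become a version number before release.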
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index 1e72d18b9d..ab3145df41 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -54,6 +54,7 @@ The following diagram shows the PassportForWork configuration service provider i
***TenantId*/Policies/ExcludeSecurityDevices** (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1703. Root node for excluded security devices.
+
*Not supported on Windows Holographic and Windows Holographic for Business.*
***TenantId*/Policies/ExcludeSecurityDevices/TPM12** (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1703. Some Trusted Platform Modules (TPMs) are compliant only with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG).
@@ -178,27 +179,37 @@ This cloud service encrypts a recovery secret, which is stored locally on the cl
***TenantId*/Policies/Remote** (only for ./Device/Vendor/MSFT)
Interior node for defining remote Windows Hello for Business policies. This node was added in Windows 10, version 1511.
+
*Not supported on Windows Holographic and Windows Holographic for Business.*
***TenantId*/Policies/Remote/UseRemotePassport** (only for ./Device/Vendor/MSFT)
Boolean value used to enable or disable the use of remote Windows Hello for Business. Remote Windows Hello for Business provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. Remote Windows Hello for Business requires that the desktop be Azure AD joined and that the companion device has a Windows Hello for Business PIN. This node was added in Windows 10, version 1511.
Default value is false. If you set this policy to true, Remote Windows Hello for Business will be enabled and a portable, registered device can be used as a companion device for desktop authentication. If you set this policy to false, Remote Windows Hello for Business will be disabled.
+
+
Supported operations are Add, Get, Delete, and Replace.
+
*Not supported on Windows Holographic and Windows Holographic for Business.*
+
**UseBiometrics**
This node is deprecated. Use **Biometrics/UseBiometrics** node instead.
**Biometrics** (only for ./Device/Vendor/MSFT)
Node for defining biometric settings. This node was added in Windows 10, version 1511.
+
*Not supported on Windows Holographic and Windows Holographic for Business.*
**Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT)
Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511.
Default value is false. If you set this policy to true, biometric gestures are enabled for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business.
+
+
Supported operations are Add, Get, Delete, and Replace.
+
*Not supported on Windows Holographic and Windows Holographic for Business.*
+
**Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT)
Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511.
@@ -208,8 +219,12 @@ This cloud service encrypts a recovery secret, which is stored locally on the cl
Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices.
+
+
Supported operations are Add, Get, Delete, and Replace.
+
*Not supported on Windows Holographic and Windows Holographic for Business.*
+
## Examples
Here's an example for setting Windows Hello for Business and setting the PIN policies. It also turns on the use of biometrics and TPM.
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index eb0639a97a..715c403580 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -130,7 +130,7 @@ The following diagram shows the Policy configuration service provider in tree fo
Supported operations are Add and Get. Does not support Delete.
> [!Note]
-> The policies supported in Windows 10 S is the same as in Windows 10 Pro, except that policies under AppliationsDefaults are not suppported in Windows 10 S.
+> The policies supported in Windows 10 S are the same as those supported in Windows 10 Pro with the exception of the policies under ApplicationDefaults. The ApplicationDefaults polices are not supported in Windows 10 S.
## Policies
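Review bot: The rewritten note fixes "AppliationsDefaults" and "suppported" but introduces a new typo in its second sentence: "The ApplicationDefaults polices are not supported in Windows 10 S" should read "policies".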
@@ -434,6 +434,9 @@ The following diagram shows the Policy configuration service provider in tree fo
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -65,16 +67,16 @@ ms.date: 12/14/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies whether to allow Action Center notifications above the device lock screen.
+Specifies whether to allow Action Center notifications above the device lock screen.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -82,12 +84,14 @@ The following list shows the supported values:
- 1 (default) - Allowed.
-
+
+
-
+
+
**AboveLock/AllowCortanaAboveLock**
-
+
Home
@@ -109,8 +113,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -118,11 +122,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech.
+
+
+Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech.
-
+
The following list shows the supported values:
@@ -130,12 +134,14 @@ The following list shows the supported values:
- 1 (default) - Allowed.
-
+
+
-
+
+
**AboveLock/AllowToasts**
-
+
Home
@@ -157,8 +163,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -166,13 +172,13 @@ The following list shows the supported values:
-
-
-
Specifies whether to allow toast notifications above the device lock screen.
+
+
+Specifies whether to allow toast notifications above the device lock screen.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -180,7 +186,7 @@ The following list shows the supported values:
- 1 (default) - Allowed.
-
+
Footnote:
@@ -189,5 +195,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md b/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md
index dfe6305024..2d0549e77b 100644
--- a/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md
+++ b/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/29/2017
+ms.date: 01/30/2018
---
# Policy CSP - AccountPoliciesAccountLockoutPolicy
@@ -17,7 +17,7 @@ ms.date: 12/29/2017
-
+
## AccountPoliciesAccountLockoutPolicy policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -67,30 +69,23 @@ ms.date: 12/29/2017
-
-
+
+
Added in Windows 10, next major release. This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it.
If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time.
Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold**
-
+
Home
@@ -112,8 +107,8 @@ Default: None, because this policy setting only has meaning when an Account lock
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -121,30 +116,23 @@ Default: None, because this policy setting only has meaning when an Account lock
-
-
+
+
Added in Windows 10, next major release. This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out.
Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts.
Default: 0.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter**
-
+
Home
@@ -166,8 +154,8 @@ Default: 0.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -175,25 +163,16 @@ Default: 0.
-
-
+
+
Added in Windows 10, next major release. This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes.
If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration.
Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
-
-
-
-
-
-
-
-
-
-
-
+
+
Footnote:
@@ -202,5 +181,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index b64e96d236..0fb29f4870 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - Accounts
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Accounts policies
Specifies whether user is allowed to add non-MSA email accounts.
+
+
+Specifies whether user is allowed to add non-MSA email accounts.
-
Most restricted value is 0.
+Most restricted value is 0.
> [!NOTE]
> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md).
-
+
The following list shows the supported values:
@@ -85,12 +87,14 @@ The following list shows the supported values:
- 1 (default) - Allowed.
-
+
+
@@ -112,8 +116,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -121,13 +125,13 @@ The following list shows the supported values:
-
-
-
Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services.
+
+
+Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -135,12 +139,14 @@ The following list shows the supported values:
- 1 (default) - Allowed.
-
+
+
@@ -162,8 +168,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -171,11 +177,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service.
+
+
+Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service.
-
+
The following list shows the supported values:
@@ -183,12 +189,14 @@ The following list shows the supported values:
- 1 (default) - Manual start.
-
+
+
-
+
+
**Accounts/DomainNamesForEmailSync**
-
+
Home
@@ -210,8 +218,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -219,16 +227,16 @@ The following list shows the supported values:
-
-
-
Specifies a list of the domains that are allowed to sync email on the device.
+
+
+Specifies a list of the domains that are allowed to sync email on the device.
-
The data type is a string.
+The data type is a string.
-
The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov".
+The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov".
-
-
+
+
Footnote:
@@ -237,7 +245,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Accounts policies supported by Windows Holographic for Business
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md
index 411a6aa435..4bea893b54 100644
--- a/windows/client-management/mdm/policy-csp-activexcontrols.md
+++ b/windows/client-management/mdm/policy-csp-activexcontrols.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - ActiveXControls
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## ActiveXControls policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -59,8 +61,8 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL.
If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL.
@@ -69,7 +71,7 @@ If you disable or do not configure this policy setting, ActiveX controls prompt
Note: Wild card characters cannot be used when specifying the host URLs.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -77,15 +79,15 @@ Note: Wild card characters cannot be used when specifying the host URLs.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Approved Installation Sites for ActiveX Controls*
- GP name: *ApprovedActiveXInstallSites*
- GP path: *Windows Components/ActiveX Installer Service*
- GP ADMX file name: *ActiveXInstallService.admx*
-
-
+
+
Footnote:
@@ -94,5 +96,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 05657e6bd9..0e45ce047c 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/04/2017
+ms.date: 01/30/2018
---
# Policy CSP - ApplicationDefaults
@@ -15,7 +15,7 @@ ms.date: 12/04/2017
-
+
## ApplicationDefaults policies
Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML.
+
+
+Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML.
-
If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
+If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
-
To create create the SyncML, follow these steps:
+
+
+To create create the SyncML, follow these steps:
Install a few apps and change your defaults.
From an elevated prompt, run "dism /online /export-defaultappassociations:appassoc.xml"
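Review bot: the re-added line "To create create the SyncML, follow these steps:" still carries the doubled word from the line it replaces. Since this hunk already rewrites that line, fix it to "To create the SyncML, follow these steps:" in the same change.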
@@ -73,7 +77,7 @@ ms.date: 12/04/2017
Paste the base64 encoded XML into the SyncML
-
Here is an example output from the dism default association export command:
+Here is an example output from the dism default association export command:
``` syntax
@@ -86,13 +90,13 @@ ms.date: 12/04/2017
Here is the base64 encoded result:
+Here is the base64 encoded result:
``` syntax
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
```
-
Here is the SyncMl example:
+Here is the SyncMl example:
``` syntax
@@ -117,8 +121,8 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
```
-
-
+
+
Footnote:
@@ -127,6 +131,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
-
+
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index c495acc547..9ee5181bd2 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - ApplicationManagement
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## ApplicationManagement policies
Specifies whether non Microsoft Store apps are allowed.
+
+
+Specifies whether non Microsoft Store apps are allowed.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -104,12 +106,14 @@ The following list shows the supported values:
- 65535 (default) - Not configured.
-
+
+
@@ -131,8 +135,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -140,24 +144,29 @@ The following list shows the supported values:
-
-
-
Specifies whether automatic update of apps from Microsoft Store are allowed.
+
+
+Specifies whether automatic update of apps from Microsoft Store are allowed.
-
The following list shows the supported values:
+
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
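Review bot: the re-added description "Specifies whether automatic update of apps from Microsoft Store are allowed." has a subject-verb mismatch ("update ... are"). Suggest "Specifies whether automatic updates of apps from Microsoft Store are allowed." Also worth confirming that the new "Most restricted value is 0." line is placed where the other policies in this file put it, directly after the description.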
@@ -179,8 +188,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -188,13 +197,13 @@ The following list shows the supported values:
-
-
-
Specifies whether developer unlock is allowed.
+
+
+Specifies whether developer unlock is allowed.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -203,12 +212,14 @@ The following list shows the supported values:
- 65535 (default) - Not configured.
-
+
+
-
+
+
**ApplicationManagement/AllowGameDVR**
-
+
Home
@@ -230,8 +241,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -239,16 +250,16 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Specifies whether DVR and broadcasting is allowed.
+Specifies whether DVR and broadcasting is allowed.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -256,12 +267,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -283,8 +296,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -292,13 +305,13 @@ The following list shows the supported values:
-
-
-
Specifies whether multiple users of the same app can share data.
+
+
+Specifies whether multiple users of the same app can share data.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -306,12 +319,14 @@ The following list shows the supported values:
- 1 – Allowed.
-
+
+
-
+
+
**ApplicationManagement/AllowStore**
-
+
Home
@@ -333,8 +348,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -342,13 +357,13 @@ The following list shows the supported values:
-
-
-
Specifies whether app store is allowed at the device.
+
+
+Specifies whether app store is allowed at the device.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -356,12 +371,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -383,8 +400,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -392,13 +409,13 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead.
-
An XML blob that specifies the application restrictions company want to put to the device. It could be an app allow list, app disallow list, allowed publisher IDs, and so on. For a list of Windows apps and product IDs, see [inbox apps](applocker-csp.md#inboxappsandcomponents). For more information about the XML, see the [ApplicationRestrictions XSD](applicationrestrictions-xsd.md).
+An XML blob that specifies the application restrictions company want to put to the device. It could be an app allow list, app disallow list, allowed publisher IDs, and so on. For a list of Windows apps and product IDs, see [inbox apps](applocker-csp.md#inboxappsandcomponents). For more information about the XML, see the [ApplicationRestrictions XSD](applicationrestrictions-xsd.md).
> [!NOTE]
> When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps.
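Review bot: the re-added ApplicationRestrictions description reads "the application restrictions company want to put to the device", which is ungrammatical and was copied unchanged from the removed line. Suggest "the application restrictions a company wants to apply to the device". The two notes around it are clear about Mobile-only enforcement and the AppLocker CSP alternative, so only the wording needs attention.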
@@ -412,19 +429,21 @@ The following list shows the supported values:
> - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents).
-
An application that is running may not be immediately terminated.
+An application that is running may not be immediately terminated.
-
Value type is chr.
+Value type is chr.
-
Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies.
+Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies.
+
+
+
-
-
@@ -446,8 +465,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -455,11 +474,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded.
+
+
+Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded.
-
+
The following list shows the supported values:
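Review bot: this section gets only whitespace changes, while the AllowAppStoreAutoUpdate and RequirePrivateStoreOnly sections gain a "Most restricted value" line in the same diff. If a most restricted value applies to this Boolean policy, add it here for consistency; if it does not, the omission is fine but the inconsistency should be intentional.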
@@ -467,12 +486,14 @@ The following list shows the supported values:
- 1 – Disable launch of apps.
-
+
+
@@ -494,8 +515,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -503,24 +524,29 @@ The following list shows the supported values:
-
-
-
Allows disabling of the retail catalog and only enables the Private store.
+
+
+Allows disabling of the retail catalog and only enables the Private store.
-
The following list shows the supported values:
+
+Most restricted value is 1.
+
+
+
+The following list shows the supported values:
- 0 (default) – Allow both public and Private store.
- 1 – Only Private store is enabled.
-
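Review bot: the added "Most restricted value is 1." is a content change inside a commit that otherwise only moves blank lines and bumps ms.date. It is consistent with the value list (1 is "Only Private store is enabled"), but it should be called out in the commit message so it is not missed in review, along with the matching addition for automatic Store updates.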
@@ -542,8 +568,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -551,13 +577,13 @@ The following list shows the supported values:
-
-
-
Specifies whether application data is restricted to the system drive.
+
+
+Specifies whether application data is restricted to the system drive.
-
Most restricted value is 1.
+Most restricted value is 1.
-
+
The following list shows the supported values:
@@ -565,12 +591,14 @@ The following list shows the supported values:
- 1 – Restricted.
-
+
+
@@ -592,8 +620,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -601,13 +629,13 @@ The following list shows the supported values:
-
-
-
Specifies whether the installation of applications is restricted to the system drive.
+
+
+Specifies whether the installation of applications is restricted to the system drive.
-
Most restricted value is 1.
+Most restricted value is 1.
-
+
The following list shows the supported values:
@@ -615,7 +643,7 @@ The following list shows the supported values:
- 1 – Restricted.
-
+
Footnote:
@@ -624,7 +652,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## ApplicationManagement policies supported by Windows Holographic for Business
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
index e8d81c05b3..5ec36f8881 100644
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - AppVirtualization
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## AppVirtualization policies
@@ -105,11 +105,13 @@ ms.date: 11/01/2017
+
-
+
+
**AppVirtualization/AllowAppVClient**
-
+
Home
@@ -131,8 +133,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -140,11 +142,11 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -152,20 +154,22 @@ This policy setting allows you to enable or disable Microsoft Application Virtua
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable App-V Client*
- GP name: *EnableAppV*
- GP path: *System/App-V*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/AllowDynamicVirtualization**
-
+
Home
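Review bot: the TIP carried as context in this hunk tells admins to XML-encode the SyncML payload with "a variety of online encoders". Payloads for policies in this file can hold internal values (publishing and reporting server URLs and certificate store paths appear further down), so pointing readers at third-party web tools is a poor default. Suggest rewording to recommend a local encoding step or the CDATA option the same note already mentions, and applying the change to every copy of the TIP in this file.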
@@ -187,8 +191,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -196,11 +200,11 @@ ADMX Info:
-
-
+
+
Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -208,20 +212,22 @@ Enables Dynamic Virtualization of supported shell extensions, browser helper obj
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable Dynamic Virtualization*
- GP name: *Virtualization_JITVEnable*
- GP path: *System/App-V/Virtualization*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/AllowPackageCleanup**
-
+
Home
@@ -243,8 +249,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -252,11 +258,11 @@ ADMX Info:
-
-
+
+
Enables automatic cleanup of appv packages that were added after Windows10 anniversary release.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
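Review bot: the description kept as context here, "Enables automatic cleanup of appv packages that were added after Windows10 anniversary release.", has a missing space in "Windows10" and uses "appv" where the rest of the file writes "App-V". The hunk only changes blank lines around it, so this is a good place to fix the sentence as well.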
@@ -264,20 +270,22 @@ Enables automatic cleanup of appv packages that were added after Windows10 anniv
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable automatic cleanup of unused appv packages*
- GP name: *PackageManagement_AutoCleanupEnable*
- GP path: *System/App-V/PackageManagement*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/AllowPackageScripts**
-
+
Home
@@ -299,8 +307,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -308,11 +316,11 @@ ADMX Info:
-
-
+
+
Enables scripts defined in the package manifest of configuration files that should run.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
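Review bot: the AllowPackageScripts description, "Enables scripts defined in the package manifest of configuration files that should run.", does not parse, and this is the setting that decides whether package-defined scripts execute on the client. Please rewrite it so it states plainly what is enabled and where the scripts are defined, rather than carrying the sentence forward unchanged.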
@@ -320,20 +328,22 @@ Enables scripts defined in the package manifest of configuration files that shou
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable Package Scripts*
- GP name: *Scripting_Enable_Package_Scripts*
- GP path: *System/App-V/Scripting*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/AllowPublishingRefreshUX**
-
+
Home
@@ -355,8 +365,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -364,11 +374,11 @@ ADMX Info:
-
-
+
+
Enables a UX to display to the user when a publishing refresh is performed on the client.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -376,20 +386,22 @@ Enables a UX to display to the user when a publishing refresh is performed on th
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable Publishing Refresh UX*
- GP name: *Enable_Publishing_Refresh_UX*
- GP path: *System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/AllowReportingServer**
-
+
Home
@@ -411,8 +423,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -420,8 +432,8 @@ ADMX Info:
-
-
+
+
Reporting Server URL: Displays the URL of reporting server.
Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM.
@@ -434,7 +446,7 @@ Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the
Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -442,20 +454,22 @@ Data Block Size: This value specifies the maximum size in bytes to transmit to t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Reporting Server*
- GP name: *Reporting_Server_Policy*
- GP path: *System/App-V/Reporting*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/AllowRoamingFileExclusions**
-
+
Home
@@ -477,8 +491,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -486,11 +500,11 @@ ADMX Info:
-
-
+
+
Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -498,20 +512,22 @@ Specifies the file paths relative to %userprofile% that do not roam with a user'
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Roaming File Exclusions*
- GP name: *Integration_Roaming_File_Exclusions*
- GP path: *System/App-V/Integration*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/AllowRoamingRegistryExclusions**
-
+
Home
@@ -533,8 +549,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -542,11 +558,11 @@ ADMX Info:
-
-
+
+
Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -554,20 +570,22 @@ Specifies the registry paths that do not roam with a user profile. Example usage
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Roaming Registry Exclusions*
- GP name: *Integration_Roaming_Registry_Exclusions*
- GP path: *System/App-V/Integration*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/AllowStreamingAutoload**
-
+
Home
@@ -589,8 +607,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -598,11 +616,11 @@ ADMX Info:
-
-
+
+
Specifies how new packages should be loaded automatically by App-V on a specific computer.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -610,20 +628,22 @@ Specifies how new packages should be loaded automatically by App-V on a specific
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify what to load in background (aka AutoLoad)*
- GP name: *Steaming_Autoload*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/ClientCoexistenceAllowMigrationmode**
-
+
Home
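Review bot: "GP name: *Steaming_Autoload*" looks like a misspelling of "Streaming"; the other streaming policy in this file uses *Streaming_Certificate_Filter_For_Client_SSL*. Because this is an identifier, check it against appv.admx before changing it. If the ADMX really uses this spelling, leave it as is and consider a short comment so later editors do not "correct" it.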
@@ -645,8 +665,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -654,11 +674,11 @@ ADMX Info:
-
-
+
+
Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -666,20 +686,22 @@ Migration mode allows the App-V client to modify shortcuts and FTA's for package
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable Migration Mode*
- GP name: *Client_Coexistence_Enable_Migration_mode*
- GP path: *System/App-V/Client Coexistence*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/IntegrationAllowRootGlobal**
-
+
Home
@@ -701,8 +723,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -710,11 +732,11 @@ ADMX Info:
-
-
+
+
Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -722,20 +744,22 @@ Specifies the location where symbolic links are created to the current version o
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Integration Root User*
- GP name: *Integration_Root_User*
- GP path: *System/App-V/Integration*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/IntegrationAllowRootUser**
-
+
Home
@@ -757,8 +781,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -766,11 +790,11 @@ ADMX Info:
-
-
+
+
Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
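Review bot: the description in this hunk sits under the **AppVirtualization/IntegrationAllowRootUser** heading but describes a globally published package with an %allusersprofile% example, and the ADMX block after it is *Integration Root Global*. The IntegrationAllowRootGlobal section above carries the per-user text, the %localappdata% example and *Integration Root User*. The names and descriptions look crossed between the two policies. Confirm which CSP node maps to which ADMX setting, then either swap the descriptions or state the mapping explicitly, since a wrong integration root changes where shortcuts and file type associations are created.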
@@ -778,20 +802,22 @@ Specifies the location where symbolic links are created to the current version o
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Integration Root Global*
- GP name: *Integration_Root_Global*
- GP path: *System/App-V/Integration*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/PublishingAllowServer1**
-
+
Home
@@ -813,8 +839,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -822,8 +848,8 @@ ADMX Info:
-
-
+
+
Publishing Server Display Name: Displays the name of publishing server.
Publishing Server URL: Displays the URL of publishing server.
@@ -844,7 +870,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -852,20 +878,22 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Publishing Server 1 Settings*
- GP name: *Publishing_Server1_Policy*
- GP path: *System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/PublishingAllowServer2**
-
+
Home
@@ -887,8 +915,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -896,8 +924,8 @@ ADMX Info:
-
-
+
+
Publishing Server Display Name: Displays the name of publishing server.
Publishing Server URL: Displays the URL of publishing server.
@@ -918,7 +946,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -926,20 +954,22 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Publishing Server 2 Settings*
- GP name: *Publishing_Server2_Policy*
- GP path: *System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/PublishingAllowServer3**
-
+
Home
@@ -961,8 +991,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -970,8 +1000,8 @@ ADMX Info:
-
-
+
+
Publishing Server Display Name: Displays the name of publishing server.
Publishing Server URL: Displays the URL of publishing server.
@@ -992,7 +1022,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1000,20 +1030,22 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Publishing Server 3 Settings*
- GP name: *Publishing_Server3_Policy*
- GP path: *System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/PublishingAllowServer4**
-
+
Home
@@ -1035,8 +1067,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1044,8 +1076,8 @@ ADMX Info:
-
-
+
+
Publishing Server Display Name: Displays the name of publishing server.
Publishing Server URL: Displays the URL of publishing server.
@@ -1066,7 +1098,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1074,20 +1106,22 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Publishing Server 4 Settings*
- GP name: *Publishing_Server4_Policy*
- GP path: *System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/PublishingAllowServer5**
-
+
Home
@@ -1109,8 +1143,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1118,8 +1152,8 @@ ADMX Info:
-
-
+
+
Publishing Server Display Name: Displays the name of publishing server.
Publishing Server URL: Displays the URL of publishing server.
@@ -1140,7 +1174,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1148,20 +1182,22 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Publishing Server 5 Settings*
- GP name: *Publishing_Server5_Policy*
- GP path: *System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL**
-
+
Home
@@ -1183,8 +1219,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1192,11 +1228,11 @@ ADMX Info:
-
-
+
+
Specifies the path to a valid certificate in the certificate store.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1204,20 +1240,22 @@ Specifies the path to a valid certificate in the certificate store.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Certificate Filter For Client SSL*
- GP name: *Streaming_Certificate_Filter_For_Client_SSL*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingAllowHighCostLaunch**
-
+
Home
@@ -1239,8 +1277,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1248,11 +1286,11 @@ ADMX Info:
-
-
+
+
This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G).
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1260,20 +1298,22 @@ This setting controls whether virtualized applications are launched on Windows 8
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection*
- GP name: *Streaming_Allow_High_Cost_Launch*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingAllowLocationProvider**
-
+
Home
@@ -1295,8 +1335,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1304,11 +1344,11 @@ ADMX Info:
-
-
+
+
Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1316,20 +1356,22 @@ Specifies the CLSID for a compatible implementation of the IAppvPackageLocationP
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Location Provider*
- GP name: *Streaming_Location_Provider*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingAllowPackageInstallationRoot**
-
+
Home
@@ -1351,8 +1393,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1360,11 +1402,11 @@ ADMX Info:
-
-
+
+
Specifies directory where all new applications and updates will be installed.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1372,20 +1414,22 @@ Specifies directory where all new applications and updates will be installed.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Package Installation Root*
- GP name: *Streaming_Package_Installation_Root*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingAllowPackageSourceRoot**
-
+
Home
@@ -1407,8 +1451,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1416,11 +1460,11 @@ ADMX Info:
-
-
+
+
Overrides source location for downloading package content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1428,20 +1472,22 @@ Overrides source location for downloading package content.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Package Source Root*
- GP name: *Streaming_Package_Source_Root*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingAllowReestablishmentInterval**
-
+
Home
@@ -1463,8 +1509,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1472,11 +1518,11 @@ ADMX Info:
-
-
+
+
Specifies the number of seconds between attempts to reestablish a dropped session.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1484,20 +1530,22 @@ Specifies the number of seconds between attempts to reestablish a dropped sessio
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Reestablishment Interval*
- GP name: *Streaming_Reestablishment_Interval*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingAllowReestablishmentRetries**
-
+
Home
@@ -1519,8 +1567,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1528,11 +1576,11 @@ ADMX Info:
-
-
+
+
Specifies the number of times to retry a dropped session.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1540,20 +1588,22 @@ Specifies the number of times to retry a dropped session.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Reestablishment Retries*
- GP name: *Streaming_Reestablishment_Retries*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingSharedContentStoreMode**
-
+
Home
@@ -1575,8 +1625,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1584,11 +1634,11 @@ ADMX Info:
-
-
+
+
Specifies that streamed package contents will be not be saved to the local hard disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
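Review bot: Typo in the description line of this hunk: "will be not be saved to the local hard disk" should read "will not be saved to the local hard disk". The line is unchanged context here, but the surrounding markers are being rewritten, so it is cheap to fix in the same pass.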
@@ -1596,20 +1646,22 @@ Specifies that streamed package contents will be not be saved to the local hard
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Shared Content Store (SCS) mode*
- GP name: *Streaming_Shared_Content_Store_Mode*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingSupportBranchCache**
-
+
Home
@@ -1631,8 +1683,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1640,11 +1692,11 @@ ADMX Info:
-
-
+
+
If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
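Review bot: The description line in this hunk spells the feature "BrancheCache" once and "BranchCache" twice, and its last sentence has no closing period. Suggest "will support BranchCache compatible HTTP streaming" and a full stop after "incompatible with BranchCache".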
@@ -1652,20 +1704,22 @@ If enabled, the App-V client will support BrancheCache compatible HTTP streaming
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable Support for BranchCache*
- GP name: *Streaming_Support_Branch_Cache*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingVerifyCertificateRevocationList**
-
+
Home
@@ -1687,8 +1741,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1696,11 +1750,11 @@ ADMX Info:
-
-
+
+
Verifies Server certificate revocation status before streaming using HTTPS.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
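Review bot: Missing documentation on the description line "Verifies Server certificate revocation status before streaming using HTTPS.": it does not say what the client does when the policy is disabled or not configured, or when the revocation check cannot be completed. The AttachmentManager pages in this same commit spell out the enable, disable and not-configured behaviour; the same three sentences here would let an admin tell whether revocation checking is on by default. "Server" also does not need a capital.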
@@ -1708,20 +1762,22 @@ Verifies Server certificate revocation status before streaming using HTTPS.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Verify certificate revocation list*
- GP name: *Streaming_Verify_Certificate_Revocation_List*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/VirtualComponentsAllowList**
-
+
Home
@@ -1743,8 +1799,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1752,11 +1808,11 @@ ADMX Info:
-
-
+
+
Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
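Review bot: Missing documentation on the description line for VirtualComponentsAllowList: it says the process paths "may contain wildcards" but gives neither the list separator nor the wildcard syntax, and there is no example value. Since only matching processes may use virtual components, a pattern that is broader than intended widens that set, so the page should state the format and show one narrowly scoped example.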
@@ -1764,15 +1820,15 @@ Specifies a list of process paths (may contain wildcards) which are candidates f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Virtual Component Process Allow List*
- GP name: *Virtualization_JITVAllowList*
- GP path: *System/App-V/Virtualization*
- GP ADMX file name: *appv.admx*
-
-
+
+
Footnote:
@@ -1781,5 +1837,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md
index 71012e8237..3cd9a8202d 100644
--- a/windows/client-management/mdm/policy-csp-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - AttachmentManager
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## AttachmentManager policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -65,8 +67,8 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments.
If you enable this policy setting, Windows does not mark file attachments with their zone information.
@@ -75,7 +77,7 @@ If you disable this policy setting, Windows marks file attachments with their zo
If you do not configure this policy setting, Windows marks file attachments with their zone information.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -83,20 +85,22 @@ If you do not configure this policy setting, Windows marks file attachments with
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not preserve zone information in file attachments*
- GP name: *AM_MarkZoneOnSavedAtttachments*
- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
-
-
+
+
+
-
+
+
**AttachmentManager/HideZoneInfoMechanism**
-
+
Home
@@ -118,8 +122,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -127,8 +131,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening.
If you enable this policy setting, Windows hides the check box and Unblock button.
@@ -137,7 +141,7 @@ If you disable this policy setting, Windows shows the check box and Unblock butt
If you do not configure this policy setting, Windows hides the check box and Unblock button.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
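Review bot: Possible logic problem in the unchanged "If you do not configure this policy setting, Windows hides the check box and Unblock button." line: it gives the not-configured state the same result as the enabled state, while the disabled state "shows the check box and Unblock button". The two sibling policies in this file both make not-configured match disabled, so please confirm this default against the ADMX before the page is republished, because it determines whether users can strip zone information on unmanaged defaults.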
@@ -145,20 +149,22 @@ If you do not configure this policy setting, Windows hides the check box and Unb
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Hide mechanisms to remove zone information*
- GP name: *AM_RemoveZoneInfo*
- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
-
-
+
+
+
-
+
+
**AttachmentManager/NotifyAntivirusPrograms**
-
+
Home
@@ -180,8 +186,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -189,8 +195,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.
@@ -199,7 +205,7 @@ If you disable this policy setting, Windows does not call the registered antivir
If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -207,15 +213,15 @@ If you do not configure this policy setting, Windows does not call the registere
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Notify antivirus programs when opening attachments*
- GP name: *AM_CallIOfficeAntiVirus*
- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
-
-
+
+
Footnote:
@@ -224,5 +230,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index aefc04173f..881ae7ff19 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - Authentication
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Authentication policies
Added in Windows 10, version 1709. Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen.
+
+
+Added in Windows 10, version 1709. Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen.
-
+
The following list shows the supported values:
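Review bot: Style point on the re-added description line "+Added in Windows 10, version 1709. Specifies whether password reset is enabled...": it carries over "self service password reset feature on the windows logon screen" unchanged. Since the line is being rewritten anyway, suggest "the self-service password reset feature on the Windows logon screen".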
@@ -83,12 +85,14 @@ The following list shows the supported values:
- 1 – Allowed.
-
+
+
-
+
+
**Authentication/AllowEAPCertSSO**
-
+
Home
@@ -110,8 +114,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -119,11 +123,11 @@ The following list shows the supported values:
-
-
-
Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources.
+
+
+Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources.
-
+
The following list shows the supported values:
@@ -131,12 +135,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Authentication/AllowFastReconnect**
-
+
Home
@@ -158,8 +164,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -167,13 +173,13 @@ The following list shows the supported values:
-
-
-
Allows EAP Fast Reconnect from being attempted for EAP Method TLS.
+
+
+Allows EAP Fast Reconnect from being attempted for EAP Method TLS.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
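Review bot: The re-added line "+Allows EAP Fast Reconnect from being attempted for EAP Method TLS." is ungrammatical and leaves the meaning of the setting ambiguous ("allows ... from being attempted" reads as either allow or prevent). Suggest "Specifies whether EAP Fast Reconnect may be attempted for EAP Method TLS.", which also agrees with "Most restricted value is 0." on the following added line.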
@@ -181,12 +187,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -208,8 +216,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -217,15 +225,15 @@ The following list shows the supported values:
-
-
-
Preview release in Windows 10, version 1709. Supported in the next release. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows logon credential provider for FIDO 2.0
+
+
+Preview release in Windows 10, version 1709. Supported in the next release. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows logon credential provider for FIDO 2.0
-
Value type is integer.
+Value type is integer.
-
Here is an example scenario: At Contoso, there are a lot of shared devices and kiosks that employees throughout the day using as many as 20 different devices. To minimize the loss in productivity when employees have to login with username and password everytime they pick up a device, the IT admin deploys SharePC CSP and Authentication/AllowFidoDeviceSignon policy to shared devices. The IT admin provisions and distributes FIDO 2.0 devices to employees, which allows them to authenticate to various shared devices and PCs.
+Here is an example scenario: At Contoso, there are a lot of shared devices and kiosks that employees throughout the day using as many as 20 different devices. To minimize the loss in productivity when employees have to login with username and password everytime they pick up a device, the IT admin deploys SharePC CSP and Authentication/AllowFidoDeviceSignon policy to shared devices. The IT admin provisions and distributes FIDO 2.0 devices to employees, which allows them to authenticate to various shared devices and PCs.
-
+
The following list shows the supported values:
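Review bot: The added lines for the FIDO policy repeat several defects from the removed text: the first added paragraph ends "for FIDO 2.0" with no period, and the scenario sentence "employees throughout the day using as many as 20 different devices" has no verb. Suggest "employees use as many as 20 different devices throughout the day", plus "log in" (verb) and "every time" in the next sentence. The wording "Preview release in Windows 10, version 1709. Supported in the next release." should also say plainly whether the policy has any effect on 1709.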
@@ -233,12 +241,14 @@ The following list shows the supported values:
- 1 - Allow. The FIDO device credential provider is enabled and allows usage of FIDO devices to sign into an Windows.
-
+
+
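Review bot: Typo in the unchanged value line "usage of FIDO devices to sign into an Windows": the object of the sentence is missing or the article is wrong. Suggest "to sign in to Windows".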
@@ -260,8 +270,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -269,13 +279,13 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows.
+
+
+Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows.
-
The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD).
+The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD).
-
+
The following list shows the supported values:
@@ -283,7 +293,7 @@ The following list shows the supported values:
- 1 – Allowed.
-
+
Footnote:
@@ -292,7 +302,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Authentication policies supported by Windows Holographic for Business
diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md
index 0eeac9b230..ea02a39c19 100644
--- a/windows/client-management/mdm/policy-csp-autoplay.md
+++ b/windows/client-management/mdm/policy-csp-autoplay.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - Autoplay
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## Autoplay policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -66,15 +68,15 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting disallows AutoPlay for MTP devices like cameras or phones.
If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones.
If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -82,20 +84,22 @@ If you disable or do not configure this policy setting, AutoPlay is enabled for
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disallow Autoplay for non-volume devices*
- GP name: *NoAutoplayfornonVolume*
- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
-
-
+
+
+
-
+
+
**Autoplay/SetDefaultAutoRunBehavior**
-
+
Home
@@ -117,8 +121,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -127,8 +131,8 @@ ADMX Info:
-
-
+
+
This policy setting sets the default behavior for Autorun commands.
Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines.
@@ -144,7 +148,7 @@ b) Revert back to pre-Windows Vista behavior of automatically executing the auto
If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
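Review bot: Grammar on the unchanged line "If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run.": it should read "If you disable or do not configure this policy setting", and "whether the autorun command is to be run". This sentence is the one that states the default, so it is worth getting right.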
@@ -152,20 +156,22 @@ If you disable or not configure this policy setting, Windows Vista or later will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Set the default behavior for AutoRun*
- GP name: *NoAutorun*
- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
-
-
+
+
+
-
+
+
**Autoplay/TurnOffAutoPlay**
-
+
Home
@@ -187,8 +193,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -197,8 +203,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to turn off the Autoplay feature.
Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately.
@@ -215,7 +221,7 @@ If you disable or do not configure this policy setting, AutoPlay is enabled.
Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -223,15 +229,15 @@ Note: This policy setting appears in both the Computer Configuration and User Co
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off Autoplay*
- GP name: *Autorun*
- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
-
-
+
+
Footnote:
@@ -240,5 +246,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md
index ede5f3ea04..852a915bac 100644
--- a/windows/client-management/mdm/policy-csp-bitlocker.md
+++ b/windows/client-management/mdm/policy-csp-bitlocker.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - Bitlocker
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Bitlocker policies
Specifies the BitLocker Drive Encryption method and cipher strength.
+
+
+Specifies the BitLocker Drive Encryption method and cipher strength.
> [!NOTE]
> XTS-AES 128-bit and XTS-AES 256-bit values are only supported on Windows 10 for desktop.
-
You can find the following policies in BitLocker CSP:
+You can find the following policies in BitLocker CSP:
Specifies whether the device can send out Bluetooth advertisements.
+
+
+Specifies whether the device can send out Bluetooth advertisements.
-
If this is not set or it is deleted, the default value of 1 (Allow) is used.
+If this is not set or it is deleted, the default value of 1 (Allow) is used.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -87,12 +89,14 @@ The following list shows the supported values:
- 1 (default) – Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is received by the peripheral.
-
+
+
-
+
+
**Bluetooth/AllowDiscoverableMode**
-
+
Home
@@ -114,8 +118,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -123,15 +127,15 @@ The following list shows the supported values:
-
-
-
Specifies whether other Bluetooth-enabled devices can discover the device.
+
+
+Specifies whether other Bluetooth-enabled devices can discover the device.
-
If this is not set or it is deleted, the default value of 1 (Allow) is used.
+If this is not set or it is deleted, the default value of 1 (Allow) is used.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -139,12 +143,14 @@ The following list shows the supported values:
- 1 (default) – Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it.
-
+
+
-
+
+
**Bluetooth/AllowPrepairing**
-
+
Home
@@ -166,8 +172,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -175,11 +181,11 @@ The following list shows the supported values:
-
-
-
Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device.
+
+
+Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device.
-
+
The following list shows the supported values:
@@ -187,12 +193,14 @@ The following list shows the supported values:
- 1 (default)– Allowed.
-
+
+
-
+
+
**Bluetooth/LocalDeviceName**
-
+
Home
@@ -214,8 +222,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -223,21 +231,23 @@ The following list shows the supported values:
-
-
-
Sets the local Bluetooth device name.
+
+
+Sets the local Bluetooth device name.
-
If this is set, the value that it is set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified.
+If this is set, the value that it is set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified.
-
If this policy is not set or it is deleted, the default local radio name is used.
+If this policy is not set or it is deleted, the default local radio name is used.
+
+
+
-
-
-
+
+
**Bluetooth/ServicesAllowedList**
-
+
Home
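Review bot: The Bluetooth/LocalDeviceName verification sentence carried over into the added line is incomplete: it ends with "verify that the value that was specified." and never says what to check. Since the commit rewrites this line anyway, finish the sentence, for example "verify that the device name shown is the value that was specified."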
@@ -259,8 +269,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -268,14 +278,14 @@ The following list shows the supported values:
-
-
-
Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}.
+
+
+Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}.
-
The default value is an empty string.
+The default value is an empty string.
-
-
+
+
Footnote:
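Review bot: In the Bluetooth/ServicesAllowedList description, the text says the value is a list of service UUIDs "delimited by semicolons", but the example shows a single UUID in braces, so a reader cannot tell whether the braces are required or where the delimiter goes. Suggest an example with two entries that shows the semicolon. Also state what the empty-string default means for which services are permitted, because that decides whether an unset policy is permissive or restrictive.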
@@ -284,7 +294,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Bluetooth policies supported by Windows Holographic for Business
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 990c0726eb..da6abdd0ee 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/03/2018
+ms.date: 01/31/2018
---
# Policy CSP - Browser
@@ -17,7 +17,7 @@ ms.date: 01/03/2018
-
+
## Browser policies
Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality.
+
+
+Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality.
> [!NOTE]
> Disabling this setting turns off the address bar drop-down functionality. Because search suggestions are shown in the drop-down list, this setting takes precedence over the Browser/AllowSearchSuggestionsinAddressBar setting.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -190,12 +195,14 @@ The following list shows the supported values:
- 1 (default) – Allowed. Address bar drop-down is enabled.
-
+
+
-
+
+
**Browser/AllowAutofill**
-
+
Home
@@ -217,8 +224,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -227,33 +234,37 @@ The following list shows the supported values:
-
-
-
Specifies whether autofill on websites is allowed.
+
+
+Specifies whether autofill on websites is allowed.
-
Most restricted value is 0.
+Most restricted value is 0.
-
To verify AllowAutofill is set to 0 (not allowed):
+
+
+The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+To verify AllowAutofill is set to 0 (not allowed):
1. Open Microsoft Edge.
2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Save form entries** is greyed out.
-
-
-The following list shows the supported values:
+
+
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
+
+
**Browser/AllowBrowser**
-
+
Home
@@ -275,8 +286,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -285,19 +296,19 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead.
-
Specifies whether the browser is allowed on the device.
+Specifies whether the browser is allowed on the device.
-
Most restricted value is 0.
+Most restricted value is 0.
-
When this policy is set to 0 (not allowed), the Microsoft Edge for Windows 10 Mobile tile will appear greyed out, and clicking on the tile will display a message indicating theat Internet browsing has been disabled by your administrator.
+When this policy is set to 0 (not allowed), the Microsoft Edge for Windows 10 Mobile tile will appear greyed out, and clicking on the tile will display a message indicating theat Internet browsing has been disabled by your administrator.
-
+
The following list shows the supported values:
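Review bot: The added Browser/AllowBrowser sentence still carries the typo "theat" ("display a message indicating theat Internet browsing has been disabled"); change it to "that" while the line is being touched.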
@@ -305,711 +316,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
-
-
-**Browser/AllowCookies**
-
-
-
-
-
Home
-
Pro
-
Business
-
Enterprise
-
Education
-
Mobile
-
Mobile Enterprise
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
+
-
-
-
Specifies whether cookies are allowed.
+
+**Browser/AllowConfigurationUpdateForBooksLibrary**
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
To verify AllowCookies is set to 0 (not allowed):
-
-1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
-2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the setting **Cookies** is greyed out.
-
-
-
-
-
-**Browser/AllowDeveloperTools**
-
-
-
-
-
Home
-
Pro
-
Business
-
Enterprise
-
Education
-
Mobile
-
Mobile Enterprise
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-
Specifies whether employees can use F12 Developer Tools on Microsoft Edge. Turning this setting on, or not configuring it, lets employees use F12 Developer Tools. Turning this setting off stops employees from using F12 Developer Tools.
-
-
Most restricted value is 0.
-
-
-
-The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
Specifies whether Do Not Track headers are allowed.
-
-
Most restricted value is 1.
-
-
To verify AllowDoNotTrack is set to 0 (not allowed):
-
-1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
-2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the setting **Send Do Not Track requests** is greyed out.
-
-
-
-The following list shows the supported values:
-
-- 0 (default) – Not allowed.
-- 1 – Allowed.
-
-
-
-
Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed.
-
-
-
-The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge.
-
-
-
-The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.
-
-
-
-The following list shows the supported values:
-
-- 0 – Adobe Flash content is automatically loaded and run by Microsoft Edge.
-- 1 (default) – Users must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.
-
-
-
-
Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly.
-By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat".
-
-
If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the compatibility list from Microsoft, applying the updates during browser navigation. Visiting any site on the compatibility list prompts the employee to use Internet Explorer 11 (or enables/disables certain browser features on mobile), where the site is automatically rendered as though it’s run in the version of Internet Explorer necessary for it to display properly. If you disable this setting, the compatibility list isn’t used during browser navigation.
-
-
Most restricted value is 0.
-
-
-
-The following list shows the supported values:
-
-- 0 – Not enabled.
-- 1 (default) – Enabled.
-
-
-
-
Specifies whether saving and managing passwords locally on the device is allowed.
-
-
Most restricted value is 0.
-
-
To verify AllowPasswordManager is set to 0 (not allowed):
-
-1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
-2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out.
-
-
-
-The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
Specifies whether pop-up blocker is allowed or enabled.
-
-
Most restricted value is 1.
-
-
To verify AllowPopups is set to 0 (not allowed):
-
-1. Open Microsoft Edge.
-2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the setting **Block pop-ups** is greyed out.
-
-
-
-The following list shows the supported values:
-
-- 0 (default) – Pop-up blocker is not allowed. It means that pop-up browser windows are allowed.
-- 1 – Pop-up blocker is allowed or enabled. It means that pop-up browser windows are blocked.
-
-
-
-
Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine.
-
-
If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy applies only on domain-joined machines or when the device is MDM-enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy).
-
-
Most restricted value is 0.
-
-
-
-The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
Specifies whether Windows Defender SmartScreen is allowed.
-
-
Most restricted value is 1.
-
-
To verify AllowSmartScreen is set to 0 (not allowed):
-
-1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
-2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.
-
-
-
-The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-**Browser/AlwaysEnableBooksLibrary**
-
-
+
Home
@@ -1031,9 +345,8 @@ The following list shows the supported values:
-
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1042,240 +355,16 @@ The following list shows the supported values:
-
-
-
+
+
+This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library.
-
Added in Windows 10, next majot update. Always show the Books Library in Microsoft Edge
-
-
+
The following list shows the supported values:
-- 0 (default) - Disable. Use default visibility of the Books Library. The Library will be only visible in countries or regions where it’s available.
-- 1 - Enable. Always show the Books Library, regardless of countries or region of activation.
-
-
-
-
Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge.
-
-
Most restricted value is 1.
-
-
To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1):
-
-1. Open Microsoft Edge and browse to websites.
-2. Close the Microsoft Edge window.
-3. Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history.
-
-
-
-The following list shows the supported values:
-
-- 0 – (default) Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings.
-- 1 – Browsing data is cleared on exit.
-
-
-
-
Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices.
-
-
If this policy is enabled, you can add up to 5 additional search engines for your employees. For each additional search engine you want to add, specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/).
-Employees cannot remove these search engines, but they can set any one as the default. This setting does not affect the default search engine.
-
-
If this setting is not configured, the search engines used are the ones that are specified in the App settings. If this setting is disabled, the search engines you added will be deleted from your employee's machine.
-
-> [!IMPORTANT]
-> Due to Protected Settings (aka.ms/browserpolicy), this setting will apply only on domain-joined machines or when the device is MDM-enrolled.
-
-
The following list shows the supported values:
-
-- 0 (default) – Additional search engines are not allowed.
-- 1 – Additional search engines are allowed.
-
-
Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect.
-
-> [!NOTE]
-> This policy has no effect when the Browser/HomePages policy is not configured.
-
-> [!IMPORTANT]
-> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy).
-
-
Most restricted value is 0.
-
-
-
-The following list shows the supported values:
-
-- 0 (default) – Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages.
-- 1 – Disable lockdown of the Start pages and allow users to modify them.
-
-
-
-
-
-**Browser/EnableExtendedBooksTelemetry**
-
-
-
-
-
Home
-
Pro
-
Business
-
Enterprise
-
Education
-
Mobile
-
Mobile Enterprise
-
-
-
-
4
-
4
-
4
-
4
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting lets you decide how much data to send to Microsoft about the book you're reading from the Books tab in Microsoft Edge.
-
-If you enable this setting, Microsoft Edge sends additional telemetry data, on top of the basic telemetry data, from the Books tab. If you disable or don't configure this setting, Microsoft Edge only sends basic telemetry data, depending on your device configuration.
-
-
-
-The following list shows the supported values:
-
-- 0 (default) - Disable. No additional telemetry.
-- 1 - Enable. Additional telemetry for schools.
+- 0 - Disable. Microsoft Edge cannot retrieve a configuration
+- 1 - Enable (default). Microsoft Edge can retrieve a configuration for Books Library
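Review bot: The two value descriptions added for Browser/AllowConfigurationUpdateForBooksLibrary do not match the rest of the file: "0 - Disable. Microsoft Edge cannot retrieve a configuration" stops with no object and no period, and "1 - Enable (default)." puts the default marker after the label where the other policies write "1 (default) – Allowed." Suggest completing the first entry to mirror the second ("for Books Library"), moving "(default)" next to the number, and using the same en dash separator as the neighbouring lists. The new description also lacks the "Added in Windows 10, version ..." sentence that policies such as Browser/AllowExtensions carry.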
@@ -1285,12 +374,1038 @@ The following list shows the supported values:
-
+
+
-
+
+
+**Browser/AllowCookies**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Specifies whether cookies are allowed.
+
+
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+To verify AllowCookies is set to 0 (not allowed):
+
+1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
+2. In the upper-right corner of the browser, click **…**.
+3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+4. Verify the setting **Cookies** is greyed out.
+
+
+
+
+
+
+
+**Browser/AllowDeveloperTools**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+Specifies whether employees can use F12 Developer Tools on Microsoft Edge. Turning this setting on, or not configuring it, lets employees use F12 Developer Tools. Turning this setting off stops employees from using F12 Developer Tools.
+
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+
+
+
+**Browser/AllowDoNotTrack**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Specifies whether Do Not Track headers are allowed.
+
+Most restricted value is 1.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) – Not allowed.
+- 1 – Allowed.
+
+
+
+To verify AllowDoNotTrack is set to 0 (not allowed):
+
+1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
+2. In the upper-right corner of the browser, click **…**.
+3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+4. Verify the setting **Send Do Not Track requests** is greyed out.
+
+
+
+
+
+
+
+**Browser/AllowExtensions**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
1
+
+
1
+
1
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed.
+
+
+
+The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+
+
+
+**Browser/AllowFlash**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge.
+
+
+
+The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+
+
+
+**Browser/AllowFlashClickToRun**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
2
+
+
2
+
2
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.
+
+
+
+The following list shows the supported values:
+
+- 0 – Adobe Flash content is automatically loaded and run by Microsoft Edge.
+- 1 (default) – Users must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.
+
+
+
+
+
+
+
+**Browser/AllowInPrivate**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Specifies whether InPrivate browsing is allowed on corporate networks.
+
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+
+
+
+**Browser/AllowMicrosoftCompatibilityList**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
2
+
2
+
2
+
2
+
2
+
2
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly.
+By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat".
+
+If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the compatibility list from Microsoft, applying the updates during browser navigation. Visiting any site on the compatibility list prompts the employee to use Internet Explorer 11 (or enables/disables certain browser features on mobile), where the site is automatically rendered as though it’s run in the version of Internet Explorer necessary for it to display properly. If you disable this setting, the compatibility list isn’t used during browser navigation.
+
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
+
+- 0 – Not enabled.
+- 1 (default) – Enabled.
+
+
+
+
+
+
+
+**Browser/AllowPasswordManager**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Specifies whether saving and managing passwords locally on the device is allowed.
+
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+To verify AllowPasswordManager is set to 0 (not allowed):
+
+1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
+2. In the upper-right corner of the browser, click **…**.
+3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out.
+
+
+
+
+
+
+
+**Browser/AllowPopups**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Specifies whether pop-up blocker is allowed or enabled.
+
+Most restricted value is 1.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) – Pop-up blocker is not allowed. It means that pop-up browser windows are allowed.
+- 1 – Pop-up blocker is allowed or enabled. It means that pop-up browser windows are blocked.
+
+
+
+To verify AllowPopups is set to 0 (not allowed):
+
+1. Open Microsoft Edge.
+2. In the upper-right corner of the browser, click **…**.
+3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+4. Verify the setting **Block pop-ups** is greyed out.
+
+
+
+
+
+
+
+**Browser/AllowSearchEngineCustomization**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
2
+
2
+
2
+
2
+
2
+
2
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine.
+
+If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy applies only on domain-joined machines or when the device is MDM-enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy).
+
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+
+
+
+**Browser/AllowSearchSuggestionsinAddressBar**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Specifies whether search suggestions are allowed in the address bar.
+
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+
+
+
+**Browser/AllowSmartScreen**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Specifies whether Windows Defender SmartScreen is allowed.
+
+Most restricted value is 1.
+
+
+
+The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+To verify AllowSmartScreen is set to 0 (not allowed):
+
+1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
+2. In the upper-right corner of the browser, click **…**.
+3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.
+
+
+
+
+
+
+
+**Browser/AlwaysEnableBooksLibrary**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Added in Windows 10, next majot update. Always show the Books Library in Microsoft Edge
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - Disable. Use default visibility of the Books Library. The Library will be only visible in countries or regions where it’s available.
+- 1 - Enable. Always show the Books Library, regardless of countries or region of activation.
+
+
+
+
+
+
+
+**Browser/ClearBrowsingDataOnExit**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
2
+
2
+
2
+
2
+
2
+
2
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge.
+
+Most restricted value is 1.
+
+
+
+The following list shows the supported values:
+
+- 0 – (default) Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings.
+- 1 – Browsing data is cleared on exit.
+
+
+
+To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1):
+
+1. Open Microsoft Edge and browse to websites.
+2. Close the Microsoft Edge window.
+3. Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history.
+
+
+
+
+
+
+
+**Browser/ConfigureAdditionalSearchEngines**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
2
+
2
+
2
+
2
+
2
+
2
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices.
+
+If this policy is enabled, you can add up to 5 additional search engines for your employees. For each additional search engine you want to add, specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/).
+Employees cannot remove these search engines, but they can set any one as the default. This setting does not affect the default search engine.
+
+If this setting is not configured, the search engines used are the ones that are specified in the App settings. If this setting is disabled, the search engines you added will be deleted from your employee's machine.
+
+> [!IMPORTANT]
+> Due to Protected Settings (aka.ms/browserpolicy), this setting will apply only on domain-joined machines or when the device is MDM-enrolled.
+
+
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) – Additional search engines are not allowed.
+- 1 – Additional search engines are allowed.
+
+
+
+
+
+
+
+**Browser/DisableLockdownOfStartPages**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
2
+
2
+
2
+
2
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect.
+
+> [!NOTE]
+> This policy has no effect when the Browser/HomePages policy is not configured.
+
+> [!IMPORTANT]
+> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy).
+
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) – Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages.
+- 1 – Disable lockdown of the Start pages and allow users to modify them.
+
+
+
+
+
+
+
+**Browser/EnableExtendedBooksTelemetry**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+This policy setting lets you decide how much data to send to Microsoft about the book you're reading from the Books tab in Microsoft Edge.
+
+If you enable this setting, Microsoft Edge sends additional diagnostic data, on top of the basic diagnostic data, from the Books tab. If you disable or don't configure this setting, Microsoft Edge only sends basic diagnostic data, depending on your device configuration.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - Disable. No additional diagnostic data.
+- 1 - Enable. Additional diagnostic data for schools.
+
+
+
+
+
+
+
**Browser/EnterpriseModeSiteList**
-
+
Home
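Review bot: In the added Browser/EnableExtendedBooksTelemetry block, value 1 reads "Enable. Additional diagnostic data for schools.", but the description above it says enabling sends additional diagnostic data from the Books tab and never mentions schools. Either drop "for schools" or explain the restriction in the description. The two values in that block are also separated with "-" where the other value lists added in this hunk use "–"; pick one.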
@@ -1312,8 +1427,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1322,26 +1437,30 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Allows the user to specify an URL of an enterprise site list.
+Allows the user to specify an URL of an enterprise site list.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- Not configured. The device checks for updates from Microsoft Update.
- Set to a URL location of the enterprise site list.
-
-
+
+
+
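Review bot: The unchanged value line "Not configured. The device checks for updates from Microsoft Update." sits under Browser/EnterpriseModeSiteList and describes update behaviour, not a site list. Since the section is being reflowed anyway, replace it with what an unconfigured site list actually means. The re-added description also keeps "an URL", which should be "a URL".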
@@ -1363,8 +1482,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1373,18 +1492,20 @@ The following list shows the supported values:
-
-
+
+
> [!IMPORTANT]
> This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist).
-
-
+
+
+
-
+
+
**Browser/FirstRunURL**
-
+
Home
@@ -1406,8 +1527,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1416,25 +1537,27 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies the URL that Microsoft Edge for Windows 10 Mobile. will use when it is opened the first time.
+Specifies the URL that Microsoft Edge for Windows 10 Mobile. will use when it is opened the first time.
-
The data type is a string.
+The data type is a string.
-
The default value is an empty string. Otherwise, the string should contain the URL of the webpage users will see the first time Microsoft Edge is run. For example, “contoso.com”.
+The default value is an empty string. Otherwise, the string should contain the URL of the webpage users will see the first time Microsoft Edge is run. For example, “contoso.com”.
+
+
+
-
-
-
+
+
**Browser/HomePages**
-
+
Home
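Review bot: The re-added Browser/FirstRunURL description reads "Microsoft Edge for Windows 10 Mobile. will use", carrying over the stray period after "Mobile" from the removed line; drop it while the line is being touched. The example "contoso.com" has no scheme, so say whether a bare host name is accepted or show a full URL.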
@@ -1456,8 +1579,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1466,27 +1589,29 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Specifies your Start pages for MDM-enrolled devices. Turning this setting on lets you configure one or more corporate Start pages. If this setting is turned on, you must also include URLs to the pages, separating multiple pages by using the XML-escaped characters **<** and **>**. For example, "<support.contoso.com><support.microsoft.com>"
+Specifies your Start pages for MDM-enrolled devices. Turning this setting on lets you configure one or more corporate Start pages. If this setting is turned on, you must also include URLs to the pages, separating multiple pages by using the XML-escaped characters **<** and **>**. For example, "<support.contoso.com><support.microsoft.com>"
-
Starting in Windows 10, version 1607, this policy will be enforced so that the Start pages specified by this policy cannot be changed by the users.
+Starting in Windows 10, version 1607, this policy will be enforced so that the Start pages specified by this policy cannot be changed by the users.
-
Starting in Windows 10, version 1703, if you don’t want to send traffic to Microsoft, you can use the "<about:blank>" value, which is honored for both domain- and non-domain-joined machines, when it’s the only configured URL.
+Starting in Windows 10, version 1703, if you don’t want to send traffic to Microsoft, you can use the "<about:blank>" value, which is honored for both domain- and non-domain-joined machines, when it’s the only configured URL.
> [!NOTE]
> Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings.
-
-
+
+
+
-
+
+
**Browser/LockdownFavorites**
-
+
Home
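Review bot: The re-added sentence "Starting in Windows 10, version 1607, this policy will be enforced so that the Start pages specified by this policy cannot be changed by the users" is incomplete now that this same patch documents Browser/DisableLockdownOfStartPages, which lets users modify the Start pages while Browser/HomePages is in effect. Add a pointer to that policy here so an admin relying on the lockdown knows it can be switched off. The first paragraph also ends on the example without a closing period.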
@@ -1508,8 +1633,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1518,20 +1643,20 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1709. This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge.
+
+
+Added in Windows 10, version 1709. This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge.
-
If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off.
+If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off.
> [!Important]
> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
-
If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list.
+If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list.
-
Data type is integer.
+Data type is integer.
-
+
The following list shows the supported values:
@@ -1539,12 +1664,14 @@ The following list shows the supported values:
- 1 - Enabled. Lockdown Favorites.
-
+
+
@@ -1566,8 +1693,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1576,11 +1703,11 @@ The following list shows the supported values:
-
-
-
Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features.
+
+
+Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features.
-
+
The following list shows the supported values:
@@ -1588,12 +1715,14 @@ The following list shows the supported values:
- 1 – Users can't access the about:flags page in Microsoft Edge.
-
+
+
-
+
+
**Browser/PreventFirstRunPage**
-
+
Home
@@ -1615,8 +1744,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1625,13 +1754,13 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening.
+
+
+Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening.
-
Most restricted value is 1.
+Most restricted value is 1.
-
+
The following list shows the supported values:
@@ -1639,12 +1768,14 @@ The following list shows the supported values:
- 1 – Employees don't see the First Run webpage.
-
+
+
@@ -1666,8 +1797,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1676,13 +1807,13 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge.
+
+
+Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge.
-
Most restricted value is 1.
+Most restricted value is 1.
-
+
The following list shows the supported values:
@@ -1690,12 +1821,14 @@ The following list shows the supported values:
- 1 – Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge.
-
+
+
@@ -1717,8 +1850,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1727,13 +1860,13 @@ The following list shows the supported values:
-
-
-
Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites.
+
+
+Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites.
-
Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site.
+Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site.
-
+
The following list shows the supported values:
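Review bot: No "Most restricted value" line appears between the SmartScreen warning-override description and the value list, although the PreventFirstRunPage and Live Tile hunks just above state "Most restricted value is 1." Add the same line here, since blocking users from bypassing the warning is the restrictive setting. In the re-added text, "lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site" should read "and continue to the site".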
@@ -1741,12 +1874,14 @@ The following list shows the supported values:
- 1 – On.
-
+
+
@@ -1768,8 +1903,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1778,11 +1913,11 @@ The following list shows the supported values:
-
-
-
Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process.
+
+
+Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process.
-
+
The following list shows the supported values:
@@ -1790,12 +1925,14 @@ The following list shows the supported values:
- 1 – On.
-
+
+
@@ -1817,8 +1954,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1827,15 +1964,15 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Specifies whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. Turning this setting on hides an user’s localhost IP address while making phone calls using WebRTC. Turning this setting off, or not configuring it, shows an
user’s localhost IP address while making phone calls using WebRTC.
+Specifies whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. Turning this setting on hides an user’s localhost IP address while making phone calls using WebRTC. Turning this setting off, or not configuring it, shows an user’s localhost IP address while making phone calls using WebRTC.
-
+
The following list shows the supported values:
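Review bot: The merged description line still says "hides an user’s" and "shows an user’s"; both should be "a user’s". Worth fixing in the same change that joins the two source lines.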
@@ -1843,12 +1980,14 @@ The following list shows the supported values:
- 1 – The localhost IP address is hidden.
-
+
+
-
+
+
**Browser/ProvisionFavorites**
-
+
Home
@@ -1870,8 +2009,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1880,11 +2019,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1709. This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Edge and use that html file for provisioning user machines.
+
+
+Added in Windows 10, version 1709. This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Edge and use that html file for provisioning user machines.
-
URL can be specified as:
+URL can be specified as:
- HTTP location: "SiteList"="http://localhost:8080/URLs.html"
- Local network: "SiteList"="\\network\shares\URLs.html"
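Review bot: The unchanged examples under "URL can be specified as:" are written as "SiteList"="http://localhost:8080/URLs.html", which reads like a named value for a site list rather than the string this favorites policy takes; show the plain location instead. The only web example is plain HTTP, so state whether an HTTPS location is accepted, because this file decides which favorites are pushed to every managed device and employees cannot remove them.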
@@ -1893,17 +2032,19 @@ The following list shows the supported values:
> [!Important]
> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
-
If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar.
+If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar.
-
Data type is string.
+Data type is string.
+
+
+
-
-
@@ -1925,8 +2066,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1935,17 +2076,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Specifies whether to send intranet traffic over to Internet Explorer.
+Specifies whether to send intranet traffic over to Internet Explorer.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -1953,12 +2094,14 @@ The following list shows the supported values:
- 1 – Intranet traffic is sent to Microsoft Edge.
-
+
+
-
+
+
**Browser/SetDefaultSearchEngine**
-
+
Home
@@ -1980,8 +2123,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1990,31 +2133,36 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy.
+
+
+Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy.
-
You must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). If you want your employees to use the Microsoft Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; otherwise, if you want your employees to use Bing as the default search engine, set the string EDGEBING.
+You must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). If you want your employees to use the Microsoft Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; otherwise, if you want your employees to use Bing as the default search engine, set the string EDGEBING.
-
If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market.
+If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market.
> [!IMPORTANT]
> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy).
-
The following list shows the supported values:
+
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
- 0 (default) - The default search engine is set to the one specified in App settings.
- 1 - Allows you to configure the default search engine for your employees.
-
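Review bot: The value list gives 0 and 1, yet the description says the policy takes a link to an OpenSearch XML file or the strings EDGEDEFAULT or EDGEBING, so the newly added "Most restricted value is 0." has nothing consistent to refer to. Reconcile the data type and the value list before adding that line. In the re-added first sentence, "Allows you configure" should be "Allows you to configure".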
@@ -2036,8 +2184,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2046,17 +2194,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1607. Specifies whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List.
+Added in Windows 10, version 1607. Specifies whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -2064,12 +2212,14 @@ The following list shows the supported values:
- 1 – Interstitial pages are shown.
-
+
+
@@ -2091,8 +2241,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2101,24 +2251,16 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.
+
+
+Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
>
> Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices.
-
To verify that favorites are in synchronized between Internet Explorer and Microsoft Edge:
-
-
-
Open Internet Explorer and add some favorites.
-
Open Microsoft Edge, then select Hub > Favorites.
-
Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge.
-
-
-
+
The following list shows the supported values:
@@ -2126,7 +2268,68 @@ The following list shows the supported values:
- 1 – Synchronization is on.
-
+
+To verify that favorites are in synchronized between Internet Explorer and Microsoft Edge:
+
+
+
Open Internet Explorer and add some favorites.
+
Open Microsoft Edge, then select Hub > Favorites.
+
Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge.
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+This setting specifies whether organizations should use a folder shared across users to store books from the Books Library.
+
+
+
+The following list shows the supported values:
+
+- 0 - No shared folder.
+- 1 - Use a shared folder.
+
+
+
**Browser/UseSharedFolderForBooks**
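Review bot: The relocated verification lead-in still reads "To verify that favorites are in synchronized"; change it to "are synchronized" while moving it. In the added shared-folder block, neither "0 - No shared folder." nor "1 - Use a shared folder." is marked "(default)", unlike the Browser value lists added earlier in this patch, so the behaviour of an unconfigured device is left open.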
@@ -2191,7 +2394,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Browser policies that can be set using Exchange Active Sync (EAS)
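Review bot: The Footnote list shown in this hunk's context ends at "3 - Added in Windows 10, version 1709.", while the Browser/EnableExtendedBooksTelemetry edition table added earlier in this patch marks its supported editions with 4. Add the matching footnote 4 entry so the reference resolves.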
diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md
index a6d562399b..635f9d4118 100644
--- a/windows/client-management/mdm/policy-csp-camera.md
+++ b/windows/client-management/mdm/policy-csp-camera.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - Camera
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Camera policies
Disables or enables the camera.
+
+
+Disables or enables the camera.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -73,7 +75,7 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
Footnote:
@@ -82,7 +84,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Camera policies that can be set using Exchange Active Sync (EAS)
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
index 86748d5dac..33931f6aa7 100644
--- a/windows/client-management/mdm/policy-csp-cellular.md
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/13/2017
+ms.date: 01/30/2018
---
# Policy CSP - Cellular
@@ -15,7 +15,7 @@ ms.date: 12/13/2017
-
+
## Cellular policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -71,8 +73,8 @@ ms.date: 12/13/2017
-
-
+
+
Added in Windows 10, version 1709. This policy setting specifies whether Windows apps can access cellular data.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
@@ -87,19 +89,23 @@ If you disable or do not configure this policy setting, employees in your organi
If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.”
-Suported values:
+
+
+The following list shows the supported values:
- 0 - User is in control
- 1 - Force Allow
- 2 - Force Deny
-
-
+
+
+
-
+
+
**Cellular/LetAppsAccessCellularData_ForceAllowTheseApps**
-
+
Home
@@ -121,8 +127,8 @@ Suported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -130,17 +136,19 @@ Suported values:
-
-
+
+
Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string.
-
-
+
+
+
-
+
+
**Cellular/LetAppsAccessCellularData_ForceDenyTheseApps**
-
+
Home
@@ -162,8 +170,8 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -171,17 +179,19 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N
-
-
+
+
Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string.
-
-
+
+
+
-
+
+
**Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps**
-
+
Home
@@ -203,8 +213,8 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -212,17 +222,19 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N
-
-
+
+
Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string.
-
-
+
+
+
-
+
+
**Cellular/ShowAppCellularAccessUI**
-
+
Home
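Review bot: The unchanged description for Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps says "Package Family Names of Windows Store Apps", while the ForceAllowTheseApps and ForceDenyTheseApps descriptions in the preceding hunks say "Microsoft Store Apps". Align the three while the surrounding markers are being edited.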
@@ -244,8 +256,8 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -253,8 +265,8 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N
-
-
+
+
This policy setting configures the visibility of the link to the per-application cellular access control page in the cellular setting UX.
If this policy setting is enabled, a drop-down list box presenting possible values will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page.
@@ -266,7 +278,7 @@ Supported values:
- 0 - Hide
- 1 - Show
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
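Review bot: The value list for Cellular/ShowAppCellularAccessUI is still introduced by "Supported values:" (visible in this hunk's header), whereas the LetAppsAccessCellularData hunk earlier in this file replaces "Suported values:" with "The following list shows the supported values:". Use the same lead-in here so the page is consistent.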
@@ -274,15 +286,15 @@ Supported values:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Set Per-App Cellular Access UI Visibility*
- GP name: *ShowAppCellularAccessUI*
- GP path: *Network/WWAN Service/WWAN UI Settings*
- GP ADMX file name: *wwansvc.admx*
-
-
+
+
Footnote:
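Review bot: The unchanged tip in this hunk tells admins "there are a variety of online encoders that you can use" to XML-encode the SyncML payload. Policy payloads can carry internal configuration, so lead with the CDATA option or a local encoder and drop the pointer to online tools. The CDATA link also points at http://www.w3.org; switch it to https.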
@@ -291,7 +303,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Cellular policies that can be set using Exchange Active Sync (EAS)
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index 8fd44f2053..df9e662f31 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - Connectivity
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Connectivity policies
Allows the user to enable Bluetooth or restrict access.
+
+
+Allows the user to enable Bluetooth or restrict access.
> [!NOTE]
> This value is not supported in Windows Phone 8.1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile.
-- 2 (default) – Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.
+If this is not set or it is deleted, the default value of 2 (Allow) is used.
-
If this is not set or it is deleted, the default value of 2 (Allow) is used.
+Most restricted value is 0.
-
Most restricted value is 0.
-
-
+
The following list shows the supported values:
- 0 – Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be greyed out and the user will not be able to turn Bluetooth on.
- 1 – Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.
+- 2 (default) – Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.
-
+
+
-
+
+
**Connectivity/AllowCellularData**
-
+
Home
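Review bot: With the "2 (default)" item moved into the value list, the note "This value is not supported in Windows Phone 8.1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile." now follows the one-line description directly and does not say which value it means. Name the value in the note or move the note next to the list item it qualifies. Values 1 and 2 also carry identical behaviour text, so say what distinguishes "Reserved" from "Allow Bluetooth".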
@@ -146,8 +149,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -155,23 +158,27 @@ The following list shows the supported values:
-
-
-
Allows the cellular data channel on the device. Device reboot is not required to enforce the policy.
+
+
+Allows the cellular data channel on the device. Device reboot is not required to enforce the policy.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Do not allow the cellular data channel. The user cannot turn it on. This value is not supported in Windows 10, version 1511.
- 1 (default) – Allow the cellular data channel. The user can turn it off.
- 2 - Allow the cellular data channel. The user cannot turn it off.
-
-
+
+
+
@@ -193,8 +200,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -202,33 +209,39 @@ The following list shows the supported values:
-
-
-
Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy.
+
+
+Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy.
-
The following list shows the supported values:
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
- 0 – Do not allow cellular data roaming. The user cannot turn it on. This value is not supported in Windows 10, version 1511.
- 1 (default) – Allow cellular data roaming.
- 2 - Allow cellular data roaming on. The user cannot turn it off.
-
Most restricted value is 0.
+
+
+To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy.
-
To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy.
-
-
To validate on mobile devices, do the following:
+To validate on mobile devices, do the following:
1. Go to Cellular & SIM.
2. Click on the SIM (next to the signal strength icon) and select **Properties**.
3. On the Properties page, select **Data roaming options**.
-
-
+
+
+
-
+
+
**Connectivity/AllowConnectedDevices**
-
+
Home
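Review bot: In the cellular data roaming value list, the entry "2 - Allow cellular data roaming on. The user cannot turn it off." has a stray "on" and uses a hyphen where entries 0 and 1 use an en dash. Entry 1 also does not say whether the user can turn roaming off, unlike the parallel "1 (default) – Allow the cellular data channel. The user can turn it off." in the previous policy. Suggest aligning the three entries while this block is being moved. The mobile validation steps also end at "select **Data roaming options**" without saying what state the admin should expect to see.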
@@ -250,8 +263,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -259,14 +272,14 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy requires reboot to take effect.
-
Added in Windows 10, version 1703. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences.
+Added in Windows 10, version 1703. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences.
-
+
The following list shows the supported values:
@@ -274,12 +287,14 @@ The following list shows the supported values:
- 0 - Disable (CDP service not available).
-
+
+
-
+
+
**Connectivity/AllowNFC**
-
+
Home
@@ -301,8 +316,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -310,17 +325,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Allows or disallows near field communication (NFC) on the device.
+Allows or disallows near field communication (NFC) on the device.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -328,12 +343,14 @@ The following list shows the supported values:
- 1 (default) – Allow NFC capabilities.
-
+
+
-
+
+
**Connectivity/AllowUSBConnection**
-
+
Home
@@ -355,8 +372,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -364,19 +381,19 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging.
+Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging.
-
Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced.
+Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -384,12 +401,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Connectivity/AllowVPNOverCellular**
-
+
Home
@@ -411,8 +430,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -420,13 +439,13 @@ The following list shows the supported values:
-
-
-
Specifies what type of underlying connections VPN is allowed to use.
+
+
+Specifies what type of underlying connections VPN is allowed to use.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -434,12 +453,14 @@ The following list shows the supported values:
- 1 (default) – VPN can use any connection, including cellular.
-
+
+
@@ -461,8 +482,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -470,13 +491,13 @@ The following list shows the supported values:
-
-
-
Prevents the device from connecting to VPN when the device roams over cellular networks.
+
+
+Prevents the device from connecting to VPN when the device roams over cellular networks.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -484,12 +505,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Connectivity/DiablePrintingOverHTTP**
-
+
Home
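Review bot: The heading "**Connectivity/DiablePrintingOverHTTP**" in this hunk reads as a misspelling of "Disable": the next policy is "Connectivity/DisableDownloadingOfPrintDriversOverHTTP" and the GP name for this one is "DisableHTTPPrinting_2". Please confirm against the CSP. If the node really is registered under this spelling, add a one-line note saying so, because admins who "correct" it in an OMA-URI will end up with a setting that silently does not apply.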
@@ -511,8 +534,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -520,10 +543,10 @@ The following list shows the supported values:
-
-
+
+
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -531,20 +554,22 @@ The following list shows the supported values:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off printing over HTTP*
- GP name: *DisableHTTPPrinting_2*
- GP path: *Internet Communication settings*
- GP ADMX file name: *ICM.admx*
-
-
+
+
+
-
+
+
**Connectivity/DisableDownloadingOfPrintDriversOverHTTP**
-
+
Home
@@ -566,8 +591,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -575,10 +600,10 @@ ADMX Info:
-
-
+
+
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -586,20 +611,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off downloading of print drivers over HTTP*
- GP name: *DisableWebPnPDownload_2*
- GP path: *Internet Communication settings*
- GP ADMX file name: *ICM.admx*
-
-
+
+
+
-
+
+
**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards**
-
+
Home
@@ -621,8 +648,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -630,10 +657,10 @@ ADMX Info:
-
-
+
+
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -641,20 +668,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off Internet download for Web publishing and online ordering wizards*
- GP name: *ShellPreventWPWDownload_2*
- GP path: *Internet Communication settings*
- GP ADMX file name: *ICM.admx*
-
-
+
+
+
-
+
+
**Connectivity/DisallowNetworkConnectivityActiveTests**
-
+
Home
@@ -676,8 +705,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -685,19 +714,21 @@ ADMX Info:
-
-
+
+
Added in Windows 10, version 1703. Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. This policy disables the NCSI active probe, preventing network connectivity to www.msftconnecttest.com.
Value type is integer.
-
-
+
+
+
-
+
+
**Connectivity/HardenedUNCPaths**
-
+
Home
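Review bot: The DisallowNetworkConnectivityActiveTests description ends at "Value type is integer." with no supported values and no default, unlike the sibling Connectivity policies, which all carry "The following list shows the supported values:". The text says the policy "disables the NCSI active probe" but not which integer does that. Suggest adding the value list in this hunk, since the change is already restructuring the description block.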
@@ -719,8 +750,8 @@ Value type is integer.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -728,13 +759,13 @@ Value type is integer.
-
-
+
+
This policy setting configures secure access to UNC paths.
If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
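Review bot: The HardenedUNCPaths description says Windows only allows access "after fulfilling additional security requirements" but never names them, so an admin cannot tell from this page what enabling the policy actually enforces. Suggest either listing the requirements that can be set per UNC path or linking to the explanation for the "Hardened UNC Paths" GP setting in networkprovider.admx.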
@@ -742,20 +773,22 @@ If you enable this policy, Windows only allows access to the specified UNC paths
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Hardened UNC Paths*
- GP name: *Pol_HardenedPaths*
- GP path: *Network/Network Provider*
- GP ADMX file name: *networkprovider.admx*
-
-
+
+
+
-
+
+
**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge**
-
+
Home
@@ -777,8 +810,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -786,10 +819,10 @@ ADMX Info:
-
-
+
+
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -797,15 +830,15 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prohibit installation and configuration of Network Bridge on your DNS domain network*
- GP name: *NC_AllowNetBridge_NLA*
- GP path: *Network/Network Connections*
- GP ADMX file name: *NetworkConnections.admx*
-
-
+
+
Footnote:
@@ -814,7 +847,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Connectivity policies that can be set using Exchange Active Sync (EAS)
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index c628f5e912..d4124e950a 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/11/2018
+ms.date: 01/30/2018
---
# Policy CSP - ControlPolicyConflict
@@ -17,7 +17,7 @@ ms.date: 01/11/2018
-
+
## ControlPolicyConflict policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -61,8 +63,8 @@ ms.date: 01/11/2018
-
-
+
+
Added in Windows 10, next major update. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy are set on the device.
This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. This policy doesn’t support Delete command. This policy doesn’t support setting the value to be 0 again after it was previously set 1. The default value is 0. In next major update, the MDM policies in Policy CSP will behave as described if this policy value is set 1.
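Review bot: The one-way nature of this setting is buried mid-paragraph ("doesn't support Delete command", "doesn't support setting the value to be 0 again after it was previously set 1"). That is the most important operational fact about the policy and should be pulled into a "> [!IMPORTANT]" callout, as other pages in this change do for caveats. Separately, "Added in Windows 10, next major update" and "In next major update" are placeholders. The footnotes on these pages use concrete versions (1703, 1709), so this should carry a version number or a footnote marker before it ships.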
@@ -73,22 +75,15 @@ The policy should be set at every sync to ensure the device removes any settings
- The current Policy Manager policies are refreshed from what MDM has set
- Any values set by scripts/user outside of GP that conflict with MDM are removed
-
+
The following list shows the supported values:
- 0 (default)
- 1 - The MDM policy is used and the GP policy is blocked.
-
-
-
-
-
-
-
-
+
Footnote:
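Review bot: In the supported values list, "0 (default)" has no description, while "1 - The MDM policy is used and the GP policy is blocked." does. A reader cannot tell from the list what happens at the default when both MDM and GP set the same value. Suggest adding the behaviour for 0 alongside the whitespace cleanup in this hunk.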
@@ -97,5 +92,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
index 8db7adb8b4..8994842055 100644
--- a/windows/client-management/mdm/policy-csp-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - CredentialProviders
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## CredentialProviders policies
@@ -30,11 +30,13 @@ ms.date: 12/14/2017
+
-
+
+
**CredentialProviders/AllowPINLogon**
-
+
Home
@@ -56,8 +58,8 @@ ms.date: 12/14/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -65,8 +67,8 @@ ms.date: 12/14/2017
-
-
+
+
This policy setting allows you to control whether a domain user can sign in using a convenience PIN.
If you enable this policy setting, a domain user can set up and sign in with a convenience PIN.
@@ -77,7 +79,7 @@ Note: The user's domain password will be cached in the system vault when using t
To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -85,20 +87,22 @@ To configure Windows Hello for Business, use the Administrative Template policie
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on convenience PIN sign-in*
- GP name: *AllowDomainPINLogon*
- GP path: *System/Logon*
- GP ADMX file name: *credentialproviders.admx*
-
-
+
+
+
-
+
+
**CredentialProviders/BlockPicturePassword**
-
+
Home
@@ -120,8 +124,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -129,8 +133,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to control whether a domain user can sign in using a picture password.
If you enable this policy setting, a domain user can't set up or sign in with a picture password.
@@ -139,7 +143,7 @@ If you disable or don't configure this policy setting, a domain user can set up
Note that the user's domain password will be cached in the system vault when using this feature.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
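Review bot: The caveat "Note that the user's domain password will be cached in the system vault when using this feature." sits as a plain sentence at the end of the description, and the AllowPINLogon section has the same caveat as an inline "Note: The user's domain password will be cached in the system vault". This is the security-relevant trade-off of both policies and is easy to miss. Suggest converting both to the "> [!NOTE]" callout form that the rest of these pages use, with identical wording.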
@@ -147,20 +151,22 @@ Note that the user's domain password will be cached in the system vault when usi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off picture password sign-in*
- GP name: *BlockDomainPicturePassword*
- GP path: *System/Logon*
- GP ADMX file name: *credentialproviders.admx*
-
-
+
+
+
-
+
+
**CredentialProviders/DisableAutomaticReDeploymentCredentials**
-
+
Home
@@ -182,8 +188,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -191,13 +197,13 @@ ADMX Info:
-
-
+
+
Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device.
The Windows 10 Automatic ReDeployment feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students.
-
+
The following list shows the supported values:
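Review bot: The second paragraph of the description has a typo, "the devices are for ready for use by information workers or students", and "allows admin to reset devices" is missing an article. Both are on unchanged lines, but worth fixing in this pass. The first paragraph calls this a "Boolean policy" while the value list that follows uses 0 and 1. Say "integer" or note the mapping, to match the other policies.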
@@ -205,7 +211,7 @@ The following list shows the supported values:
- 1 - Disable visibility of the credentials for Windows 10 Automatic ReDeployment
-
+
Footnote:
@@ -214,7 +220,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## CredentialProviders policies supported by IoT Core
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
index 6a2a7950a3..869f016e13 100644
--- a/windows/client-management/mdm/policy-csp-credentialsui.md
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - CredentialsUI
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## CredentialsUI policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -63,8 +65,8 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting allows you to configure the display of the password reveal button in password entry user experiences.
If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box.
@@ -75,7 +77,7 @@ By default, the password reveal button is displayed after a user types a passwor
The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -83,20 +85,22 @@ The policy applies to all Windows components and applications that use the Windo
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not display the password reveal button*
- GP name: *DisablePasswordReveal*
- GP path: *Windows Components/Credential User Interface*
- GP ADMX file name: *credui.admx*
-
-
+
+
+
-
+
+
**CredentialsUI/EnumerateAdministrators**
-
+
Home
@@ -118,8 +122,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -127,15 +131,15 @@ ADMX Info:
-
-
+
+
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application.
If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password.
If you disable this policy setting, users will always be required to type a user name and password to elevate.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -143,15 +147,15 @@ If you disable this policy setting, users will always be required to type a user
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enumerate administrator accounts on elevation*
- GP name: *EnumerateAdministrators*
- GP path: *Windows Components/Credential User Interface*
- GP ADMX file name: *credui.admx*
-
-
+
+
Footnote:
@@ -160,5 +164,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index e65cf59e9f..81023d5fdd 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - Cryptography
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## Cryptography policies
Allows or disallows the Federal Information Processing Standard (FIPS) policy.
+
+
+Allows or disallows the Federal Information Processing Standard (FIPS) policy.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Not allowed.
- 1– Allowed.
-
-
+
+
+
Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win.
+
+
+Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win.
-
-
+
+
Footnote:
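Review bot: The re-added line "Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win." keeps the grammar slip "Last write win" (should be "wins") and gives no example of a list entry or what an empty list means, which matters for a setting that restricts cipher selection. In the FIPS value list, "- 1– Allowed." is missing the space before the dash that "- 0 (default) – Not allowed." has.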
@@ -122,7 +128,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Cryptography policies supported by Microsoft Surface Hub
diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md
index 5a2461e9cb..1563402e93 100644
--- a/windows/client-management/mdm/policy-csp-dataprotection.md
+++ b/windows/client-management/mdm/policy-csp-dataprotection.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - DataProtection
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## DataProtection policies
This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled.
+
+
+This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
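Review bot: The re-added DMA paragraph says "Windows will enumerate the PCI devices connected to the host plug PCI ports" but uses "hot plug PCI ports" and "hot pluggable PCI downstream ports" everywhere else. "host plug" looks like a typo carried over unchanged. The last sentence, "This policy setting is only enforced when BitLocker or device encryption is enabled", is a precondition that decides whether the protection exists at all. Suggest moving it into a "> [!NOTE]" callout so it is not read as a trailing detail.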
@@ -76,12 +78,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -103,8 +107,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -112,19 +116,19 @@ The following list shows the supported values:
-
-
+
+
> [!IMPORTANT]
> This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time.
-
Setting used by Windows 8.1 Selective Wipe.
+Setting used by Windows 8.1 Selective Wipe.
> [!NOTE]
> This policy is not recommended for use in Windows 10.
-
-
+
+
Footnote:
@@ -133,7 +137,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## DataProtection policies supported by IoT Core
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
index b9d3a22ccc..9d64360b36 100644
--- a/windows/client-management/mdm/policy-csp-datausage.md
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - DataUsage
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## DataUsage policies
@@ -27,11 +27,13 @@ ms.date: 11/01/2017
+
-
+
+
**DataUsage/SetCost3G**
-
+
Home
@@ -53,8 +55,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -62,8 +64,8 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting configures the cost of 3G connections on the local machine.
If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:
@@ -76,7 +78,7 @@ If this policy setting is enabled, a drop-down list box presenting possible cost
If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -84,20 +86,22 @@ If this policy setting is disabled or is not configured, the cost of 3G connecti
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Set 3G Cost*
- GP name: *SetCost3G*
- GP path: *Network/WWAN Service/WWAN Media Cost*
- GP ADMX file name: *wwansvc.admx*
-
-
+
+
+
-
+
+
**DataUsage/SetCost4G**
-
+
Home
@@ -119,8 +123,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -128,8 +132,8 @@ ADMX Info:
-
-
+
+
This policy setting configures the cost of 4G connections on the local machine.
If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine:
@@ -142,7 +146,7 @@ If this policy setting is enabled, a drop-down list box presenting possible cost
If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -150,15 +154,15 @@ If this policy setting is disabled or is not configured, the cost of 4G connecti
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Set 4G Cost*
- GP name: *SetCost4G*
- GP path: *Network/WWAN Service/WWAN Media Cost*
- GP ADMX file name: *wwansvc.admx*
-
-
+
+
Footnote:
@@ -167,5 +171,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 030df27006..6dcfb31902 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - Defender
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## Defender policies
@@ -126,11 +126,13 @@ ms.date: 11/01/2017
+
-
+
+
**Defender/AllowArchiveScanning**
-
+
Home
@@ -152,8 +154,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -161,26 +163,30 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows scanning of archives.
+Allows or disallows scanning of archives.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Defender/AllowBehaviorMonitoring**
-
+
Home
@@ -202,8 +208,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -211,26 +217,30 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows Windows Defender Behavior Monitoring functionality.
+Allows or disallows Windows Defender Behavior Monitoring functionality.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Defender/AllowCloudProtection**
-
+
Home
@@ -252,8 +262,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -261,26 +271,30 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions.
+To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Defender/AllowEmailScanning**
-
+
Home
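Review bot: The re-added AllowCloudProtection description ("To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds...") never states what the policy controls, so the 0 / 1 values listed after it have nothing to attach to. Suggest opening with a sentence in the same form as the sibling policies ("Allows or disallows ...") and keeping the existing text as the rationale.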
@@ -302,8 +316,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -311,26 +325,30 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows scanning of email.
+Allows or disallows scanning of email.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Not allowed.
- 1 – Allowed.
-
-
+
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -361,26 +379,30 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows a full scan of mapped network drives.
+Allows or disallows a full scan of mapped network drives.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Not allowed.
- 1 – Allowed.
-
-
+
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -411,26 +433,30 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows a full scan of removable drives.
+Allows or disallows a full scan of removable drives.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Defender/AllowIOAVProtection**
-
+
Home
@@ -452,8 +478,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -461,26 +487,30 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows Windows Defender IOAVP Protection functionality.
+Allows or disallows Windows Defender IOAVP Protection functionality.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
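Review bot: In the re-added description, "Windows Defender IOAVP Protection functionality" does not match the policy name AllowIOAVProtection and doubles the word "Protection"; the acronym is also never expanded anywhere in the hunk. Suggest "IOAV protection" with the acronym spelled out on first use.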
@@ -511,26 +541,30 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows Windows Defender Intrusion Prevention functionality.
+Allows or disallows Windows Defender Intrusion Prevention functionality.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Defender/AllowOnAccessProtection**
-
+
Home
@@ -552,8 +586,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -561,26 +595,30 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows Windows Defender On Access Protection functionality.
+Allows or disallows Windows Defender On Access Protection functionality.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Defender/AllowRealtimeMonitoring**
-
+
Home
@@ -602,8 +640,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -611,26 +649,30 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows Windows Defender Realtime Monitoring functionality.
+Allows or disallows Windows Defender Realtime Monitoring functionality.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Defender/AllowScanningNetworkFiles**
-
+
Home
@@ -652,8 +694,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -661,26 +703,30 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows a scanning of network files.
+Allows or disallows a scanning of network files.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Defender/AllowScriptScanning**
-
+
Home
@@ -702,8 +748,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -711,26 +757,30 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows Windows Defender Script Scanning functionality.
+Allows or disallows Windows Defender Script Scanning functionality.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Defender/AllowUserUIAccess**
-
+
Home
@@ -752,8 +802,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -761,26 +811,30 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed.
+Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -811,23 +865,25 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Added in Windows 10, version 1709. This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe"..
+Added in Windows 10, version 1709. This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe"..
-
Value type is string.
+Value type is string.
+
+
+
-
-
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
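Review bot: The re-added exclusions description says each entry is a name value pair but never says what the value should be or how multiple entries are separated, while the other list-valued policies in this file state the | separator explicitly. Suggest adding both. While the line is being touched, the doubled period after "C:\Windows\App.exe".. should go, the drive-letter casing of "c:\Windows" and "C:\Windows\App.exe" should match, and an example that excludes the whole Windows directory from Attack Surface reduction rules deserves a sentence saying exclusions should be as narrow as possible.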
@@ -858,25 +914,27 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Added in Windows 10, version 1709. This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule.
+Added in Windows 10, version 1709. This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule.
-
For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction).
+For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction).
-
Value type is string.
+Value type is string.
+
+
+
-
-
-
+
+
**Defender/AvgCPULoadFactor**
-
+
Home
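Review bot: The added ASR rules description repeats "(Block/Audit/Off)" in two consecutive sentences and describes the value as name value pairs of rule ID and status ID without showing the string syntax (pair delimiter, entry separator) or a sample. The linked page is the only place a reader can find the IDs, so suggest at least stating the format here, the way the threat severity setting later in this file does with "*threat level*=*action*|*threat level*=*action*".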
@@ -898,8 +956,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -907,25 +965,30 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Represents the average CPU load factor for the Windows Defender scan (in percent).
+Represents the average CPU load factor for the Windows Defender scan (in percent).
-
Valid values: 0–100
-
The default value is 50.
+The default value is 50.
+
+
+
+Valid values: 0–100
+
+
+
-
-
-
+
+
**Defender/CloudBlockLevel**
-
+
Home
@@ -947,8 +1010,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -956,35 +1019,39 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Added in Windows 10, version 1709. This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer.
+Added in Windows 10, version 1709. This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer.
-
If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency.
+If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency.
-
For more information about specific values that are supported, see the Windows Defender Antivirus documentation site.
+For more information about specific values that are supported, see the Windows Defender Antivirus documentation site.
> [!Note]
-> This feature requires the "Join Microsoft MAPS" setting enabled in order to function.
+> This feature requires the "Join Microsoft MAPS" setting enabled in order to function.
-
Possible options are:
+
+
+The following list shows the supported values:
-- (0x0) Default windows defender blocking level
-- (0x2) High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives)
-- (0x4) High+ blocking level – aggressively block unknowns and apply additional protection measures (may impact client performance)
-- (0x6) Zero tolerance blocking level – block all unknown executables
+- 0x0 - Default windows defender blocking level
+- 0x2 - High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives)
+- 0x4 - High+ blocking level – aggressively block unknowns and apply additional protection measures (may impact client performance)
+- 0x6 - Zero tolerance blocking level – block all unknown executables
+
+
+
-
-
-
+
+
**Defender/CloudExtendedTimeout**
-
+
Home
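Review bot: "If this setting is on ... otherwise, it will be less aggressive" in the second added paragraph treats the policy as a switch, but the value is an integer with four levels (0x0, 0x2, 0x4, 0x6), so a reader cannot tell which values count as "on". Suggest describing the behaviour per level and dropping the on/off wording. In the new list the separators are mixed (" - " after the value, then both "-" and "–" before the explanation), "Default windows defender blocking level" is lower case, and the pointer to "the Windows Defender Antivirus documentation site" has no link.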
@@ -1006,8 +1073,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1015,27 +1082,29 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Added in Windows 10, version 1709. This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50.
+Added in Windows 10, version 1709. This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50.
-
The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds.
+The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds.
-
For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds.
+For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds.
> [!Note]
> This feature depends on three other MAPS settings the must all be enabled- "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required".
-
-
+
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
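Review bot: The first added sentence puts "up to 60 seconds" next to "range is 0 - 50" without saying that the configured value is added to the 10 second default; that only becomes clear two paragraphs later. Suggest stating in the first sentence that the value is the additional time in seconds, so nobody enters 60. The unchanged note below it also needs a fix while this section is open: "three other MAPS settings the must all be enabled-" should read "that must all be enabled:", and the quote opened before "Configure the 'Block at First Sight' feature" is never closed.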
@@ -1066,20 +1135,22 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications.
-
Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
+Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
+
+
+
-
-
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
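Review bot: The note above the description says the policy was renamed to ControlledFolderAccessAllowedApplications, but the re-added text still calls the feature "guard my folders" three times, and "allows user-specified applications to the guard my folders feature" is missing a verb. Suggest the current feature name and "allows adding user-specified applications". "Applications that are friendly" is also too vague for a setting that grants write access to protected folders; say what qualifies an application for automatic allow-listing or link to where that is defined.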
@@ -1110,20 +1181,22 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders.
-
Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator.
+Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator.
+
+
+
-
-
-
+
+
**Defender/DaysToRetainCleanedMalware**
-
+
Home
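Review bot: Two grammar slips are carried into the re-added description: "This policy settings allows" should be "This policy setting allows" and "can not be changed" should be "cannot be changed". The feature is again called "guard my folders" although the note gives ControlledFolderAccessProtectedFolders as the current name.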
@@ -1145,8 +1218,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1154,25 +1227,30 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Time period (in days) that quarantine items will be stored on the system.
+Time period (in days) that quarantine items will be stored on the system.
-
Valid values: 0–90
-
The default value is 0, which keeps items in quarantine, and does not automatically remove them.
+The default value is 0, which keeps items in quarantine, and does not automatically remove them.
+
+
+
+Valid values: 0–90
+
+
+
-
-
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1203,24 +1281,30 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess.
-
Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2.
+Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2.
+
+
+
+The following list shows the supported values:
- 0 (default) - Disabled
- 1 - Enabled
- 2 - Audit Mode
-
-
+
+
+
-
+
+
**Defender/EnableNetworkProtection**
-
+
Home
@@ -1242,8 +1326,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1251,32 +1335,36 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off in Windows Defender Exploit Guard. Network protection is a feature of Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer.
+Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off in Windows Defender Exploit Guard. Network protection is a feature of Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer.
-
If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit.
-
If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.
-
If you enable this policy with the ""Audit"" option, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Windows Defender Security Center.
-
If you disable this policy, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Windows Defender Security Center.
-
If you do not configure this policy, network blocking will be disabled by default.
+If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit.
+If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.
+If you enable this policy with the ""Audit"" option, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Windows Defender Security Center.
+If you disable this policy, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Windows Defender Security Center.
+If you do not configure this policy, network blocking will be disabled by default.
-
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
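Review bot: The description says "Value type is integer" and then explains the Block, Audit, disabled and not-configured behaviours, but no line in this hunk maps those states to integer values, unlike the other policies in this diff that gain a "The following list shows the supported values" block. Suggest adding that list, since an admin cannot set Block or Audit from this text alone. The doubled quotes in ""Block"" and ""Audit"" are carried over unchanged and should be single pairs.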
@@ -1307,21 +1395,23 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj".
+Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj".
+
+
+
-
-
-
+
+
**Defender/ExcludedPaths**
-
+
Home
@@ -1343,8 +1433,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1352,21 +1442,23 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1".
+Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1".
+
+
+
-
-
-
+
+
**Defender/ExcludedProcesses**
-
+
Home
@@ -1388,8 +1480,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1397,27 +1489,29 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows an administrator to specify a list of files opened by processes to ignore during a scan.
+Allows an administrator to specify a list of files opened by processes to ignore during a scan.
> [!IMPORTANT]
> The process itself is not excluded from the scan, but can be by using the **Defender/ExcludedPaths** policy to exclude its path.
-
Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe".
+Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe".
+
+
+
-
-
-
+
+
**Defender/PUAProtection**
-
+
Home
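Review bot: "Each file type must be separated by a |" in the last added line looks copied from the extensions policy; the example that follows lists executable paths ("C:\\Example.exe|C:\\Example1.exe"), so "Each process path" would be accurate. The first sentence, "a list of files opened by processes to ignore during a scan", is also ambiguous about whether the entries name files or processes; the IMPORTANT note implies they are processes whose opened files are skipped, and the description should say so directly.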
@@ -1439,8 +1533,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1448,27 +1542,31 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer.
+Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – PUA Protection off. Windows Defender will not protect against potentially unwanted applications.
- 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats.
- 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer.
-
-
+
+
+
-
+
+
**Defender/RealTimeScanDirection**
-
+
Home
@@ -1490,8 +1588,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1499,31 +1597,34 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Controls which sets of files should be monitored.
+Controls which sets of files should be monitored.
> [!NOTE]
> If **AllowOnAccessProtection** is not allowed, then this configuration can be used to monitor specific files.
-
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Monitor all files (bi-directional).
- 1 – Monitor incoming files.
- 2 – Monitor outgoing files.
-
-
+
+
+
-
+
+
**Defender/ScanParameter**
-
+
Home
@@ -1545,8 +1646,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1554,26 +1655,30 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Selects whether to perform a quick scan or full scan.
+Selects whether to perform a quick scan or full scan.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 1 (default) – Quick scan
- 2 – Full scan
-
-
+
+
+
-
+
+
**Defender/ScheduleQuickScanTime**
-
+
Home
@@ -1595,8 +1700,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1604,31 +1709,36 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Selects the time of day that the Windows Defender quick scan should run.
+Selects the time of day that the Windows Defender quick scan should run.
> [!NOTE]
> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting.
-
Valid values: 0–1380
-
For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM.
+For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM.
-
The default value is 120
+The default value is 120
+
+
+
+Valid values: 0–1380
+
+
+
-
-
-
+
+
**Defender/ScheduleScanDay**
-
+
Home
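Review bot: The re-added example never says the unit is minutes after midnight, which the reader has to infer from "60=1:00AM"; it also gives "120=2:00" without AM while every other value carries AM or PM, and "The default value is 120" lacks its period. Suggest stating the unit once and fixing both. The unchanged note "The scan type will depends on" should be "will depend on"; the same note appears in the next two scan schedule policies.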
@@ -1650,8 +1760,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1659,19 +1769,20 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Selects the day that the Windows Defender scan should run.
+Selects the day that the Windows Defender scan should run.
> [!NOTE]
> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting.
-
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Every day
- 1 – Monday
@@ -1683,13 +1794,15 @@ ms.date: 11/01/2017
- 7 – Sunday
- 8 – No scheduled scan
-
-
+
+
+
-
+
+
**Defender/ScheduleScanTime**
-
+
Home
@@ -1711,8 +1824,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1720,31 +1833,36 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Selects the time of day that the Windows Defender scan should run.
+Selects the time of day that the Windows Defender scan should run.
> [!NOTE]
> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting.
-
Valid values: 0–1380.
-
For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM.
+For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM.
-
The default value is 120.
+The default value is 120.
+
+
+
+Valid values: 0–1380.
+
+
+
-
-
-
+
+
**Defender/SignatureUpdateInterval**
-
+
Home
@@ -1766,8 +1884,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1775,27 +1893,32 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval.
+Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval.
-
Valid values: 0–24.
-
A value of 0 means no check for new signatures, a value of 1 means to check every hour, a value of 2 means to check every two hours, and so on, up to a value of 24, which means to check every day.
+A value of 0 means no check for new signatures, a value of 1 means to check every hour, a value of 2 means to check every two hours, and so on, up to a value of 24, which means to check every day.
-
The default value is 8.
+The default value is 8.
+
+
+
+Valid values: 0–24.
+
+
+
-
-
-
+
+
**Defender/SubmitSamplesConsent**
-
+
Home
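Review bot: The added description refers to "the ScheduleDay and ScheduleTime", but the policies in this file are named Defender/ScheduleScanDay and Defender/ScheduleScanTime. Suggest using the full names in bold, as the other cross-references in this file do (for example **Defender/ScanParameter**), so the reader can find the settings this interval replaces.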
@@ -1817,8 +1940,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1826,28 +1949,32 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent (when **Defender/AllowCloudProtection** is allowed) before sending data.
+Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent (when **Defender/AllowCloudProtection** is allowed) before sending data.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Always prompt.
- 1 (default) – Send safe samples automatically.
- 2 – Never send.
- 3 – Send all samples automatically.
-
-
+
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
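Review bot: The second and third sentences of the re-added description are hard to follow: "Windows Defender submits them" has no antecedent for "them", and "If not, (and if the user has specified never to ask), the UI is launched to ask for user consent" reads as prompting exactly when the user asked not to be prompted. Since this setting decides whether samples leave the device, suggest rewriting so that each of the four values listed below it has an unambiguous effect.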
@@ -1878,24 +2005,24 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take.
+Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take.
-
This value is a list of threat severity level IDs and corresponding actions, separated by a**|** using the format "*threat level*=*action*|*threat level*=*action*". For example "1=6|2=2|4=10|5=3
+This value is a list of threat severity level IDs and corresponding actions, separated by a**|** using the format "*threat level*=*action*|*threat level*=*action*". For example "1=6|2=2|4=10|5=3
-
The following list shows the supported values for threat severity levels:
+The following list shows the supported values for threat severity levels:
- 1 – Low severity threats
- 2 – Moderate severity threats
- 4 – High severity threats
- 5 – Severe threats
-
The following list shows the supported values for possible actions:
+The following list shows the supported values for possible actions:
- 1 – Clean
- 2 – Quarantine
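Review bot: The format sentence re-added in this hunk still has a broken example: "For example "1=6|2=2|4=10|5=3" never closes its quotation mark and has no final period, and "separated by a**|**" is missing the space before the bold pipe. Because admins copy this string into a policy value, it would be safer to set the example apart as inline code and end the sentence after it, so the delimiter and the quotes cannot be mistaken for part of the value.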
@@ -1904,8 +2031,8 @@ ms.date: 11/01/2017
- 8 – User defined
- 10 – Block
-
-
+
+
Footnote:
@@ -1914,7 +2041,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Defender policies supported by Microsoft Surface Hub
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index c369584fc8..d05d2cedb0 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/03/2018
+ms.date: 01/30/2018
---
# Policy CSP - DeliveryOptimization
@@ -17,7 +17,7 @@ ms.date: 01/03/2018
-
+
## DeliveryOptimization policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -130,23 +132,25 @@ ms.date: 01/03/2018
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space.
+Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space.
-
The default value is 10.
+The default value is 10.
+
+
+
-
-
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -177,15 +181,15 @@ ms.date: 01/03/2018
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
+Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
-
+
The following list shows the supported values:
@@ -193,12 +197,14 @@ The following list shows the supported values:
- 1 - Allowed.
-
+
+
@@ -220,8 +226,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -229,28 +235,21 @@ The following list shows the supported values:
-
-
+
+
Added in Windows 10, next major update. This policy allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer.
After the max delay is reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from peers. Note that a download that is waiting for peer sources, will appear to be stuck for the end user. The recommended value is 1 hour (3600).
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**DeliveryOptimization/DODelayForegroundDownloadFromHttp**
-
+
Home
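Review bot: The description kept as context here opens with "Added in Windows 10, next major update", a placeholder that goes stale as soon as the release ships. The footnotes in these files use explicit versions ("Added in Windows 10, version 1709"), so the text should either name the version or reference a footnote. Also, "a download that is waiting for peer sources, will appear to be stuck" has a stray comma.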
@@ -272,8 +271,8 @@ After the max delay is reached, the download will resume using HTTP, either down
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -281,8 +280,8 @@ After the max delay is reached, the download will resume using HTTP, either down
-
-
+
+
Added in Windows 10, next major update. This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer.
After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers.
@@ -291,26 +290,23 @@ Note that a download that is waiting for peer sources, will appear to be stuck f
The recommended value is 1 minute (60).
-
+
The following list shows the supported values as number of seconds:
- 0 to 86400 (1 day)
- 0 - managed by the cloud service
- Default is not configured.
+
-
+
-
-
-
-
-
-
+
+
**DeliveryOptimization/DODownloadMode**
-
+
Home
@@ -332,8 +328,8 @@ The following list shows the supported values as number of seconds:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -341,15 +337,15 @@ The following list shows the supported values as number of seconds:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates.
+Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates.
-
+
The following list shows the supported values:
@@ -361,12 +357,14 @@ The following list shows the supported values:
- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607.
-
+
+
-
+
+
**DeliveryOptimization/DOGroupId**
-
+
Home
@@ -388,8 +386,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -397,24 +395,26 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
This Policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for an authentication of identity.
+This Policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for an authentication of identity.
> [!NOTE]
> You must use a GUID as the group ID.
-
-
+
+
+
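Review bot: The only security caveat in the re-added DOGroupId paragraph is the trailing "should not be relied on for an authentication of identity", which is easy to read past and awkwardly phrased. Suggest making it a direct statement, for example "The group ID is a best-effort optimization and must not be relied on to authenticate identity", and lowercasing "This Policy" at the start of the paragraph.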
@@ -436,8 +436,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -445,8 +445,8 @@ The following list shows the supported values:
-
-
+
+
Added in Windows 10, next major update. Set this policy to restrict peer selection to a specific source. Options available are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix
When set, the Group ID will be assigned automatically from the selected source.
@@ -457,7 +457,7 @@ The options set in this policy only apply to Group (2) download mode. If Group (
For option 4 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID.
-
+
The following list shows the supported values:
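Review bot: The option numbering in "For option 4 - DHCP Option ID, the client will query DHCP Option ID 234" does not match the rest of the section. The preceding hunk gives "3 = DHCP Option ID, 4 = DNS Suffix" and the supported values list has "3 - DHCP user option" and "4 - DNS suffix". Please correct this sentence to the right option number, and use one name for the option (it is called both "DHCP Option ID" and "DHCP user option").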
@@ -465,19 +465,16 @@ The following list shows the supported values:
- 2 - Authenticated domain SID
- 3 - DHCP user option
- 4 - DNS suffix
+
-
+
-
-
-
-
-
-
+
+
**DeliveryOptimization/DOMaxCacheAge**
-
+
Home
@@ -499,8 +496,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -508,23 +505,25 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607.
+Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607.
-
The default value is 259200 seconds (3 days).
+The default value is 259200 seconds (3 days).
+
+
+
-
-
-
+
+
**DeliveryOptimization/DOMaxCacheSize**
-
+
Home
@@ -546,8 +545,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -555,23 +554,25 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100).
+Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100).
-
The default value is 20.
+The default value is 20.
+
+
+
-
-
@@ -593,8 +594,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -602,23 +603,25 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1607. Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
+Added in Windows 10, version 1607. Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
-
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
+The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
+
+
+
-
-
@@ -640,8 +643,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -649,23 +652,25 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Specifies the maximum upload bandwidth in KiloBytes/second that a device will use across all concurrent upload activity using Delivery Optimization.
+Specifies the maximum upload bandwidth in KiloBytes/second that a device will use across all concurrent upload activity using Delivery Optimization.
-
The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth).
+The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth).
+
+
+
-
-
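Review bot: The re-added default sentence, "The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth)", makes two claims that pull in opposite directions. State plainly whether 0 means no cap is applied or that the service picks a conservative rate, since an admin deciding whether to set an upload limit needs to know which.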
@@ -687,8 +692,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -696,23 +701,25 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set.
+Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set.
-
The default value is 500.
+The default value is 500.
+
+
+
-
-
@@ -734,8 +741,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -743,22 +750,24 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1703. Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery.
+Added in Windows 10, version 1703. Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery.
-
The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used.
+The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used.
+
+
+
-
-
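Review bot: The allowed range and the default disagree in this hunk. The description says "Specifies any value between 1 and 100 (in percentage)" while the next added line says "The default value is 0" and gives 0 a meaning of its own. Document the range as 0 to 100, or introduce 0 as a special value in the first paragraph, so the default is not outside the stated range.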
@@ -780,8 +789,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -789,26 +798,28 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. Recommended values: 64 GB to 256 GB.
+Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. Recommended values: 64 GB to 256 GB.
> [!NOTE]
> If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy.
-
The default value is 32 GB.
+The default value is 32 GB.
+
+
+
-
-
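Review bot: The NOTE in this hunk misspells the policy name as "DOMofidyCacheDrive"; it should be DOModifyCacheDrive, and ideally link to that policy. The paragraph is also inconsistent about defaults: it says 0 means the cloud service default is used, recommends "64 GB to 256 GB", and then states "The default value is 32 GB". Please clarify whether 32 GB is the policy default or the cloud service default that applies when the value is 0.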
@@ -830,8 +841,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -839,23 +850,25 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. The value 0 means "unlimited" which means the cloud service set default value will be used. Recommended values: 1 MB to 100,000 MB.
+Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. The value 0 means "unlimited" which means the cloud service set default value will be used. Recommended values: 1 MB to 100,000 MB.
-
The default value is 100 MB.
+The default value is 100 MB.
+
+
+
-
-
@@ -877,8 +890,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -886,23 +899,25 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB.
+Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB.
-
The default value is 4 GB.
+The default value is 4 GB.
+
+
+
-
-
@@ -924,8 +939,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -933,23 +948,25 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.
+Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.
-
By default, %SystemDrive% is used to store the cache.
+By default, %SystemDrive% is used to store the cache.
+
+
+
-
-
@@ -971,8 +988,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -980,25 +997,27 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1607. Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.
+Added in Windows 10, version 1607. Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.
-
The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set.
+The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set.
-
The default value is 20.
+The default value is 20.
+
+
+
-
-
@@ -1020,8 +1039,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1029,36 +1048,32 @@ The following list shows the supported values:
-
-
+
+
Added in Windows 10, next major update. Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads.
Note that downloads from LAN peers will not be throttled even when this policy is set.
-
-
-
-
+
+
-
-
-
-
-
-
+
+
**DeliveryOptimization/DOPercentageMaxDownloadBandwidth**
-
+
This policy is deprecated. Use [DOPercentageMaxForeDownloadBandwidth](#deliveryoptimization-dopercentagemaxforedownloadbandwidth) and [DOPercentageMaxBackDownloadBandwidth](#deliveryoptimization-dopercentagemaxbackdownloadbandwidth) policies instead.
-
-
+
+
+
-
+
+
**DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth**
-
+
Home
@@ -1080,8 +1095,8 @@ This policy is deprecated. Use [DOPercentageMaxForeDownloadBandwidth](#deliveryo
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1089,27 +1104,21 @@ This policy is deprecated. Use [DOPercentageMaxForeDownloadBandwidth](#deliveryo
-
-
+
+
Added in Windows 10, next major update. Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads.
Note that downloads from LAN peers will not be throttled even when this policy is set.
-
-
-
-
+
+
-
-
-
-
-
-
+
+
**DeliveryOptimization/DORestrictPeerSelectionBy**
-
+
Home
@@ -1131,8 +1140,8 @@ Note that downloads from LAN peers will not be throttled even when this policy i
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1140,32 +1149,28 @@ Note that downloads from LAN peers will not be throttled even when this policy i
-
-
+
+
Added in Windows 10, next major update. Set this policy to restrict peer selection via selected option.
Options available are: 1=Subnet mask (more options will be added in a future release).
Option 1 (Subnet mask) applies to both Download Mode LAN (1) and Group (2).
-
+
The following list shows the supported values:
- 1 - Subnet mask.
-
+
-
-
-
-
-
-
+
+
**DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth**
-
+
Home
@@ -1187,8 +1192,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1196,31 +1201,29 @@ The following list shows the supported values:
-
-
+
+
Added in Windows 10, next major update. Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
Note that downloads from LAN peers will not be throttled even when this policy is set.
-
+
+
This policy allows an IT Admin to define the following:
- Business hours range (for example 06:00 to 18:00)
- % of throttle for foreground traffic during business hours
- % of throttle for foreground traffic outside of business hours
+
-
+
-
-
-
-
-
-
+
+
**DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth**
-
+
Home
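Review bot: The bullet list under the background policy describes the wrong traffic class. This section is about background download bandwidth, but the bullets read "% of throttle for foreground traffic during business hours" and "% of throttle for foreground traffic outside of business hours", which is identical to the list in the foreground policy that follows. Change both bullets here to "background". The section also still uses the "next major update" placeholder instead of a version.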
@@ -1242,8 +1245,8 @@ This policy allows an IT Admin to define the following:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1251,26 +1254,22 @@ This policy allows an IT Admin to define the following:
-
-
+
+
Added in Windows 10, next major update. Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
Note that downloads from LAN peers will not be throttled even when this policy is set.
-
+
+
This policy allows an IT Admin to define the following:
- Business hours range (for example 06:00 to 18:00)
- % of throttle for foreground traffic during business hours
- % of throttle for foreground traffic outside of business hours
+
-
-
-
-
-
-
-
+
Footnote:
@@ -1279,7 +1278,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## DeliveryOptimization policies supported by Microsoft Surface Hub
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
index 048304c12e..56fcae51f5 100644
--- a/windows/client-management/mdm/policy-csp-desktop.md
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - Desktop
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## Desktop policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -59,15 +61,15 @@ ms.date: 11/01/2017
-
-
+
+
Prevents users from changing the path to their profile folders.
By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box.
If you enable this setting, users are unable to type a new location in the Target box.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -75,15 +77,15 @@ If you enable this setting, users are unable to type a new location in the Targe
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prohibit User from manually redirecting Profile Folders*
- GP name: *DisablePersonalDirChange*
- GP path: *Desktop*
- GP ADMX file name: *desktop.admx*
-
-
+
+
Footnote:
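Review bot: The TIP kept as context in this hunk recommends "a variety of online encoders" for XML-encoding the SyncML payload, which means pasting policy content into a third-party site. Prefer pointing readers to the CDATA option already mentioned, or to a local encoder, and drop the online-encoder suggestion. The CDATA link also uses http://www.w3.org/...; switch it to https. The same TIP text recurs in the DeviceInstallation file and should get the same change.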
@@ -92,7 +94,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Desktop policies supported by Microsoft Surface Hub
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index 4023eee26c..bde8f4dc65 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - DeviceGuard
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## DeviceGuard policies
Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer.
+
+
+Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer.
-
+
The following list shows the supported values:
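Review bot: The re-added description line carries over three text defects: "virtualization based security(VBS)" is missing the space before the parenthesis, the second sentence starts in lowercase ("virtualization based security uses the Windows Hypervisor..."), and the term is unhyphenated here while the Credential Guard description later in this file uses "virtualization-based security". Pick the hyphenated form and use it in both places.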
@@ -78,12 +79,14 @@ The following list shows the supported values:
- 1 - enable virtualization based security.
-
+
+
-
+
+
**DeviceGuard/LsaCfgFlags**
-
+
Home
@@ -105,8 +108,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -114,12 +117,11 @@ The following list shows the supported values:
-
-
-
-
Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer.
+
+
+Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer.
-
+
The following list shows the supported values:
@@ -128,12 +130,14 @@ The following list shows the supported values:
- 2 - (Enabled without lock) Turns on Credential Guard without UEFI lock.
-
+
+
@@ -155,8 +159,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -164,13 +168,11 @@ The following list shows the supported values:
-
-
+
+
Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer.
-
-
-
+
The following list shows the supported values:
@@ -178,7 +180,7 @@ The following list shows the supported values:
- 3 - Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support.
-
+
Footnote:
@@ -187,5 +189,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 7e7740810a..5813ea9ecb 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - DeviceInstallation
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## DeviceInstallation policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -62,15 +64,15 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -78,20 +80,22 @@ If you disable or do not configure this policy setting, devices can be installed
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent installation of devices that match any of these device IDs*
- GP name: *DeviceInstall_IDs_Deny*
- GP path: *System/Device Installation/Device Installation Restrictions*
- GP ADMX file name: *deviceinstallation.admx*
-
-
+
+
+
-
+
+
**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses**
-
+
Home
@@ -113,8 +117,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -122,15 +126,15 @@ ADMX Info:
-
-
+
+
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -138,15 +142,15 @@ If you disable or do not configure this policy setting, Windows can install and
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent installation of devices using drivers that match these device setup classes*
- GP name: *DeviceInstall_Classes_Deny*
- GP path: *System/Device Installation/Device Installation Restrictions*
- GP ADMX file name: *deviceinstallation.admx*
-
-
+
+
Footnote:
@@ -155,5 +159,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index b056313e5a..2555067447 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/12/2018
+ms.date: 01/30/2018
---
# Policy CSP - DeviceLock
@@ -17,7 +17,7 @@ ms.date: 01/12/2018
-
+
## DeviceLock policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -109,18 +111,18 @@ ms.date: 01/12/2018
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies whether the user must input a PIN or password when the device resumes from an idle state.
+Specifies whether the user must input a PIN or password when the device resumes from an idle state.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-
+
The following list shows the supported values:
@@ -128,12 +130,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -155,8 +159,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -164,33 +168,38 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.
+Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-
The following list shows the supported values:
-
-- 0 (default) – Not allowed.
-- 1 – Allowed.
> [!IMPORTANT]
> If this policy is set to 1 (Allowed), the value set by **DeviceLock/ScreenTimeOutWhileLocked** is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use **DeviceLock/ScreenTimeOutWhileLocked** to set the screen timeout period.
-
-
+
+
+The following list shows the supported values:
+
+- 0 (default) – Not allowed.
+- 1 – Allowed.
+
+
+
+
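Review bot: The IMPORTANT note in the middle of this hunk spells the related policy **DeviceLock/ScreenTimeOutWhileLocked** (capital "O"), while the section heading later in this file is **DeviceLock/ScreenTimeoutWhileLocked**. Please make the two match so a name copied from the note agrees with the heading. Separately, after the reorder the note refers to "1 (Allowed)" and "0 (Not allowed)" before the supported values list has been shown; moving the note below the list would read more naturally.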
@@ -212,8 +221,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -221,28 +230,33 @@ The following list shows the supported values:
-
-
-
Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords.
+
+
+Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-
The following list shows the supported values:
+
+For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
-
-
@@ -264,8 +278,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -273,9 +287,9 @@ The following list shows the supported values:
-
-
-
Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required).
+
+
+Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required).
> [!NOTE]
> This policy must be wrapped in an Atomic command.
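Review bot: The description re-added here says the policy applies only if **DeviceLock/DevicePasswordEnabled** "is set to 0 (required)", but the DevicePasswordEnabled section in this same file lists the value as "0 (default) – Enabled" and its IMPORTANT note says "0 (device password is enabled)". Suggest using one term for value 0 throughout, for example "0 (enabled)", since 0 meaning "on" is already easy to misread.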
@@ -283,26 +297,29 @@ The following list shows the supported values:
> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education).
-
The following list shows the supported values:
-
-- 0 – Alphanumeric PIN or password required.
-- 1 – Numeric PIN or password required.
-- 2 (default) – Users can choose: Numeric PIN or password, or Alphanumeric PIN or password.
> [!NOTE]
> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1.
>
> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2.
-
+
+
+The following list shows the supported values:
+
+- 0 – Alphanumeric PIN or password required.
+- 1 – Numeric PIN or password required.
+- 2 (default) – Users can choose: Numeric PIN or password, or Alphanumeric PIN or password.
+
+
+
-
-
-
+
+
**DeviceLock/DevicePasswordEnabled**
-
+
Home
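Review bot: The NOTE kept in this hunk states that values 1 or 2 give "MinDevicePasswordLength = 0", yet the MinDevicePasswordLength section later in the file lists the supported range as 4 <= X <= 16 with a default of 4. Please confirm which is correct, or say explicitly that 0 here means the length is not enforced. The NOTE also now sits above the value list it refers to, so a reader meets "set to 1 or 2" before learning what 1 and 2 mean.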
@@ -324,8 +341,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -333,9 +350,9 @@ The following list shows the supported values:
-
-
-
Specifies whether device lock is enabled.
+
+
+Specifies whether device lock is enabled.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
@@ -343,10 +360,6 @@ The following list shows the supported values:
> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.
-
The following list shows the supported values:
-
-- 0 (default) – Enabled
-- 1 – Disabled
> [!IMPORTANT]
> The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect:
@@ -382,13 +395,22 @@ The following list shows the supported values:
> - MaxDevicePasswordFailedAttempts
> - MaxInactivityTimeDeviceLock
-
-
+
+
+The following list shows the supported values:
+
+- 0 (default) – Enabled
+- 1 – Disabled
+
+
+
+
-
+
+
**DeviceLock/DevicePasswordExpiration**
-
+
Home
@@ -410,8 +432,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -419,30 +441,35 @@ The following list shows the supported values:
-
-
-
Specifies when the password expires (in days).
+
+
+Specifies when the password expires (in days).
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-
The following list shows the supported values:
+
+If all policy values = 0 then 0; otherwise, Min policy value is the most secure value.
+
+For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
+
+The following list shows the supported values:
- An integer X where 0 <= X <= 730.
- 0 (default) - Passwords do not expire.
-
If all policy values = 0 then 0; otherwise, Min policy value is the most secure value.
+
+
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
-
-
-
-
+
+
**DeviceLock/DevicePasswordHistory**
-
+
Home
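Review bot: The added line "If all policy values = 0 then 0; otherwise, Min policy value is the most secure value." is now the first thing after the description, ahead of the value list, and it reads as a fragment: it does not say which policy values are being compared or what "then 0" yields. Suggest rewriting it as a full sentence and keeping it after the list of supported values, where 0 has already been defined as "Passwords do not expire".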
@@ -464,8 +491,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -473,32 +500,37 @@ The following list shows the supported values:
-
-
-
Specifies how many passwords can be stored in the history that can’t be used.
+
+
+Specifies how many passwords can be stored in the history that can’t be used.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-
The following list shows the supported values:
+
+The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords.
+
+Max policy value is the most restricted.
+
+For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
+
+The following list shows the supported values:
- An integer X where 0 <= X <= 50.
- 0 (default)
-
The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords.
+
+
-
Max policy value is the most restricted.
-
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
-
-
-
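Review bot: The supported values list in this hunk still ends with a bare "- 0 (default)" with no description, unlike the sibling policies, which say what 0 does. Since this section is being restructured anyway, please state the effect of 0 next to it. The opening sentence "how many passwords can be stored in the history that can't be used" is also hard to parse; something like "how many previous passwords are remembered and cannot be reused" would match the explanatory paragraph that follows.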
@@ -520,8 +552,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -529,23 +561,25 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image.
+
+
+Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image.
> [!NOTE]
> This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro.
-
Value type is a string, which is the full image filepath and filename.
+Value type is a string, which is the full image filepath and filename.
+
+
+
-
-
@@ -567,8 +601,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -576,23 +610,25 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider.
+
+
+Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider.
> [!NOTE]
> This policy is only enforced in Windows 10 for mobile devices.
-
Value type is a string, which is the AppID.
+Value type is a string, which is the AppID.
+
+
+
-
-
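Review bot: The re-added description line carries over a typo: "Users will not be able change this provider." is missing "to". The parallel sentence in the lock screen image policy above reads "Users will not be able to change this image", so this one should match.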
@@ -614,8 +650,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -623,37 +659,42 @@ The following list shows the supported values:
-
-
+
+
The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-
This policy has different behaviors on the mobile device and desktop.
+This policy has different behaviors on the mobile device and desktop.
- On a mobile device, when the user reaches the value set by this policy, then the device is wiped.
- On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced.
Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key.
-
The following list shows the supported values:
+
+Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value.
+
+For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
+
+The following list shows the supported values:
- An integer X where 4 <= X <= 16 for desktop and 0 <= X <= 999 for mobile devices.
- 0 (default) - The device is never wiped after an incorrect PIN or password is entered.
-
Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value.
+
+
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
-
-
-
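Review bot: The value list near the end of this hunk gives the desktop range as 4 <= X <= 16 and then lists 0 as the default, so it is unclear whether 0 is accepted on desktop or only on mobile. The 0 bullet also says "The device is never wiped", while the text above explains that a desktop is never wiped but put into BitLocker recovery; suggest wording the bullet so it covers both behaviors. The moved "Most secure value is 0 if all policy values = 0" line would be easier to follow after the list rather than before it.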
@@ -675,8 +716,8 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -684,28 +725,33 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
-
Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy.
+
+
+Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-
The following list shows the supported values:
+
+For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
+
+The following list shows the supported values:
- An integer X where 0 <= X <= 999.
- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined."
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
-
-
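Review bot: The 0 bullet in this hunk's value list contains a broken phrase, "is interpreted by as "No timeout is defined."", which is missing the subject after "by". Please fix it while the section is being touched; the same sentence appears in the value list of the next policy (external display timeout) and needs the same correction.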
@@ -727,8 +773,8 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -736,26 +782,29 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
-
Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display.
+
+
+Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- An integer X where 0 <= X <= 999.
- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined."
-
-
+
+
+
@@ -777,8 +826,8 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -786,23 +835,23 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
-
The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
+
+
+The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
>
> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.
-
PIN enforces the following behavior for desktop and mobile devices:
+PIN enforces the following behavior for desktop and mobile devices:
- 1 - Digits only
- 2 - Digits and lowercase letters are required
- 3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts.
- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop.
-
The default value is 1. The following list shows the supported values and actual enforced values:
+The default value is 1. The following list shows the supported values and actual enforced values:
@@ -843,7 +892,7 @@ The number of authentication failures allowed before the device will be wiped. A
-
Enforced values for Local and Microsoft Accounts:
+Enforced values for Local and Microsoft Accounts:
- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3.
- Passwords for local accounts must meet the following minimum requirements:
@@ -857,17 +906,19 @@ The number of authentication failures allowed before the device will be wiped. A
- Base 10 digits (0 through 9)
- Special characters (!, $, \#, %, etc.)
-
The enforcement of policies for Microsoft accounts happen on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant.
+The enforcement of policies for Microsoft accounts happen on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant.
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
+For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
+
+
+
-
-
-
+
+
**DeviceLock/MinDevicePasswordLength**
-
+
Home
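Review bot: The re-added paragraph has a subject-verb mismatch: "The enforcement of policies for Microsoft accounts happen on the server" should be "happens". In the line after it, the link text "KB article" says nothing about the target; naming the article in the link text would help readers who hit the "device doesn't meet the security requirements" message that the URL refers to.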
@@ -889,8 +940,8 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -898,9 +949,9 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
-
Specifies the minimum number or characters required in the PIN or password.
+
+
+Specifies the minimum number or characters required in the PIN or password.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
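Review bot: The re-added description reads "Specifies the minimum number or characters required in the PIN or password." and "number or characters" should be "number of characters". The typo is in both the removed and the added copy of the line, so this patch is a good place to fix it.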
@@ -908,23 +959,28 @@ The number of authentication failures allowed before the device will be wiped. A
> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.
-
The following list shows the supported values:
+
+Max policy value is the most restricted.
+
+For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
+
+
+
+The following list shows the supported values:
- An integer X where 4 <= X <= 16 for mobile devices and desktop. However, local accounts will always enforce a minimum password length of 6.
- Not enforced.
- The default value is 4 for mobile devices and desktop devices.
-
Max policy value is the most restricted.
+
+
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
-
-
-
-
+
+
**DeviceLock/MinimumPasswordAge**
-
+
Home
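Review bot: The supported values list in this hunk has a bullet that says only "- Not enforced." with no value attached, so the reader cannot tell which setting produces that state. Please put the value in front of it or remove the bullet. The first bullet also gives the range 4 <= X <= 16 and then says local accounts always enforce a minimum of 6; stating plainly that values 4 and 5 are raised to 6 for local accounts would remove the ambiguity.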
@@ -946,8 +1002,8 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -955,30 +1011,23 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
+
+
This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0.
The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**DeviceLock/PreventLockScreenSlideShow**
-
+
Home
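Review bot: The last paragraph of this section ends with "Enforce password history is set to 1 by default", but the DeviceLock/DevicePasswordHistory section earlier in this file lists "0 (default)". Please reconcile the two, or say that the sentence describes the Group Policy default rather than the CSP default. This section also has no "supported values" list like its siblings, although the prose gives the range (0, or 1 to 998 days); adding the list would keep the page consistent.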
@@ -1000,8 +1049,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1009,15 +1058,15 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
-
+
+
Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.
By default, users can enable a slide show that will run after they lock the machine.
If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1025,20 +1074,22 @@ If you enable this setting, users will no longer be able to modify slide show se
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent enabling lock screen slide show*
- GP name: *CPL_Personalization_NoLockScreenSlideshow*
- GP path: *Control Panel/Personalization*
- GP ADMX file name: *ControlPanelDisplay.admx*
-
-
+
+
+
-
+
+
**DeviceLock/ScreenTimeoutWhileLocked**
-
+
Home
@@ -1060,8 +1111,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1069,23 +1120,23 @@ ADMX Info:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Allows an enterprise to set the duration in seconds for the screen timeout while on the lock screen of Windows 10 Mobile devices.
+Allows an enterprise to set the duration in seconds for the screen timeout while on the lock screen of Windows 10 Mobile devices.
-
Minimum supported value is 10.
+Minimum supported value is 10.
-
Maximum supported value is 1800.
+Maximum supported value is 1800.
-
The default value is 10.
+The default value is 10.
-
Most restricted value is 0.
+Most restricted value is 0.
-
-
+
+
Footnote:
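Review bot: The re-added lines say "Minimum supported value is 10." and then "Most restricted value is 0.", which contradict each other as written: 0 is below the stated minimum. Please either document what 0 means for this policy or change the most restricted value to one inside the supported 10 to 1800 range.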
@@ -1094,7 +1145,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## DeviceLock policies that can be set using Exchange Active Sync (EAS)
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index b23977c0bc..fbfc7878d5 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - Display
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## Display policies
GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
+
+
+GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
-
This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off.
+This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off.
-
If you enable this policy setting, GDI DPI Scaling is turned off for all applications in the list, even if they are enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
+If you enable this policy setting, GDI DPI Scaling is turned off for all applications in the list, even if they are enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
-
If you disable or do not configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications.
+If you disable or do not configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications.
-
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
+If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
-
To validate on Desktop, do the following:
+
+
+To validate on Desktop, do the following:
1. Configure the setting for an app which has GDI DPI scaling enabled via MDM or any other supported mechanisms.
2. Run the app and observe blurry text.
-
-
+
+
+
GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
+
+
+GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
-
This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on.
+This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on.
-
If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list.
+If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list.
-
If you disable or do not configure this policy setting, GDI DPI Scaling will not be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
+If you disable or do not configure this policy setting, GDI DPI Scaling will not be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
-
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
+If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
-
To validate on Desktop, do the following:
+
+
+To validate on Desktop, do the following:
1. Configure the setting for an app which uses GDI.
2. Run the app and observe crisp text.
-
-
+
+
Footnote:
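Review bot: In both GDI DPI Scaling sections the re-added sentence "If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off." reads as if the application itself is disabled. Suggest "GDI DPI Scaling will be turned off for that application", which is what the surrounding paragraphs describe. The first validation procedure would also benefit from saying that blurry text is the expected result of turning scaling off, since step 2 otherwise looks like a failure.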
@@ -143,5 +151,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md
index 0b37a6b5c5..3583549ed4 100644
--- a/windows/client-management/mdm/policy-csp-education.md
+++ b/windows/client-management/mdm/policy-csp-education.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - Education
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Education policies
@@ -30,11 +30,13 @@ ms.date: 12/14/2017
+
-
+
+
**Education/DefaultPrinterName**
-
+
Home
@@ -56,8 +58,8 @@ ms.date: 12/14/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -65,19 +67,21 @@ ms.date: 12/14/2017
-
-
+
+
Added in Windows 10, version 1709. This policy allows IT Admins to set the user's default printer.
The policy value is expected to be the name (network host name) of an installed printer.
-
-
+
+
+
-
+
+
**Education/PreventAddingNewPrinters**
-
+
Home
@@ -99,8 +103,8 @@ The policy value is expected to be the name (network host name) of an installed
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -108,11 +112,11 @@ The policy value is expected to be the name (network host name) of an installed
-
-
+
+
Added in Windows 10, version 1709. Allows IT Admins to prevent user installation of additional printers from the printers settings.
-
+
The following list shows the supported values:
@@ -120,12 +124,14 @@ The following list shows the supported values:
- 1 – Prevent user installation.
-
+
+
-
+
+
**Education/PrinterNames**
-
+
Home
@@ -147,8 +153,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -156,14 +162,14 @@ The following list shows the supported values:
-
-
+
+
Added in Windows 10, version 1709. Allows IT Admins to automatically provision printers based on their names (network host names).
The policy value is expected to be a `````` seperated list of printer names. The OS will attempt to search and install the matching printer driver for each listed printer.
-
-
+
+
Footnote:
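Review bot: The PrinterNames description in this hunk misspells "seperated" (should be "separated"), and as rendered here the delimiter between the backticks is empty, so the reader cannot tell which character separates the printer names. Please spell the separator out in words as well as showing it in code formatting, so the value can be built correctly even when the character does not render.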
@@ -172,5 +178,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
index 3506a2c3f1..63d4b5f3b2 100644
--- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
+++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - EnterpriseCloudPrint
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## EnterpriseCloudPrint policies
Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails.
+
+
+Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails.
-
The datatype is a string.
+The datatype is a string.
-
The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://azuretenant.contoso.com/adfs".
+The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://azuretenant.contoso.com/adfs".
+
+
+
-
-
Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails.
+
+
+Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails.
-
The datatype is a string.
+The datatype is a string.
-
The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714".
+The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714".
+
+
+
-
-
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails.
+
+
+Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails.
-
The datatype is a string.
+The datatype is a string.
-
The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MicrosoftEnterpriseCloudPrint/CloudPrint".
+The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MicrosoftEnterpriseCloudPrint/CloudPrint".
+
+
+
-
-
Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails.
+
+
+Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails.
-
The datatype is a string.
+The datatype is a string.
-
The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://cloudprinterdiscovery.contoso.com".
+The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://cloudprinterdiscovery.contoso.com".
+
+
+
-
-
Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails.
+
+
+Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails.
-
The datatype is an integer.
+The datatype is an integer.
-
For Windows Mobile, the default value is 20.
+For Windows Mobile, the default value is 20.
+
+
+
-
-
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails.
+
+
+Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails.
-
The datatype is a string.
+The datatype is a string.
-
The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MopriaDiscoveryService/CloudPrint".
+The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MopriaDiscoveryService/CloudPrint".
-
-
+
+
Footnote:
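Review bot: The maximum-printers paragraph gives a default only for one platform ("For Windows Mobile, the default value is 20."), and the re-added line keeps that gap; state the default for desktop as well, or say that none applies. The two resource URL examples in this region use http:// while the authority and discovery endpoint examples use https://. If the resource URLs are identifiers rather than endpoints the client connects to, say so in the text, so the http:// examples are not read as acceptable for the OAuth authority or discovery endpoint.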
@@ -317,5 +329,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md
index 67f7bd2d6a..e33bbb0431 100644
--- a/windows/client-management/mdm/policy-csp-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-errorreporting.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - ErrorReporting
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## ErrorReporting policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -71,8 +73,8 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting determines the consent behavior of Windows Error Reporting for specific event types.
If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.
@@ -89,7 +91,7 @@ If you enable this policy setting, you can add specific event types to a list by
If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -97,20 +99,22 @@ If you disable or do not configure this policy setting, then the default consent
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Customize consent settings*
- GP name: *WerConsentCustomize_2*
- GP path: *Windows Components/Windows Error Reporting/Consent*
- GP ADMX file name: *ErrorReporting.admx*
-
-
+
+
+
-
+
+
**ErrorReporting/DisableWindowsErrorReporting**
-
+
Home
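Review bot: The unchanged tip line at the top of this hunk tells admins to XML-encode the SyncML payload with "a variety of online encoders". A policy payload can carry internal names and settings, so the tip should point to a local encoder or the CDATA route first instead of suggesting that payloads be pasted into a third-party site. The same sentence is repeated for every ADMX-backed policy in this file, so the wording should be fixed once and reused. The CDATA link in the same line still uses http://www.w3.org and could move to https.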
@@ -132,8 +136,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -141,15 +145,15 @@ ADMX Info:
-
-
+
+
This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.
If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel.
If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -157,20 +161,22 @@ If you disable or do not configure this policy setting, the Turn off Windows Err
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disable Windows Error Reporting*
- GP name: *WerDisable_2*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
-
-
+
+
+
-
+
+
**ErrorReporting/DisplayErrorNotification**
-
+
Home
@@ -192,8 +198,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -201,8 +207,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether users are shown an error dialog box that lets them report an error.
If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error.
@@ -213,7 +219,7 @@ If you do not configure this policy setting, users can change this setting in Co
See also the Configure Error Reporting policy setting.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -221,20 +227,22 @@ See also the Configure Error Reporting policy setting.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Display Error Notification*
- GP name: *PCH_ShowUI*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
-
-
+
+
+
-
+
+
**ErrorReporting/DoNotSendAdditionalData**
-
+
Home
@@ -256,8 +264,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -265,15 +273,15 @@ ADMX Info:
-
-
+
+
This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.
If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.
If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -281,20 +289,22 @@ If you disable or do not configure this policy setting, then consent policy sett
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not send additional data*
- GP name: *WerNoSecondLevelData_2*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
-
-
+
+
+
-
+
+
**ErrorReporting/PreventCriticalErrorDisplay**
-
+
Home
@@ -316,8 +326,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -325,15 +335,15 @@ ADMX Info:
-
-
+
+
This policy setting prevents the display of the user interface for critical errors.
If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors.
If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -341,15 +351,15 @@ If you disable or do not configure this policy setting, Windows Error Reporting
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent display of the user interface for critical errors*
- GP name: *WerDoNotShowUI*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
-
-
+
+
Footnote:
@@ -358,5 +368,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
index ea5746021f..10a8c1e6f4 100644
--- a/windows/client-management/mdm/policy-csp-eventlogservice.md
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - EventLogService
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## EventLogService policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -68,8 +70,8 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting controls Event Log behavior when the log file reaches its maximum size.
If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.
@@ -78,7 +80,7 @@ If you disable or do not configure this policy setting and a log file reaches it
Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
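Review bot: The line "Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting." is plain text, while the rest of this patch uses `> [!NOTE]` and `> [!TIP]` callouts; convert it to a callout for consistency. "May or may not be retained" also leaves the outcome open. Say which state of the backup setting keeps old events and which discards them, since the description above already says new events are lost when the log is full.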
@@ -86,20 +88,22 @@ Note: Old events may or may not be retained according to the "Backup log automat
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Control Event Log behavior when the log file reaches its maximum size*
- GP name: *Channel_Log_Retention_1*
- GP path: *Windows Components/Event Log Service/Application*
- GP ADMX file name: *eventlog.admx*
-
-
+
+
+
-
+
+
**EventLogService/SpecifyMaximumFileSizeApplicationLog**
-
+
Home
@@ -121,8 +125,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -130,15 +134,15 @@ ADMX Info:
-
-
+
+
This policy setting specifies the maximum size of the log file in kilobytes.
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -146,20 +150,22 @@ If you disable or do not configure this policy setting, the maximum size of the
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_1*
- GP path: *Windows Components/Event Log Service/Application*
- GP ADMX file name: *eventlog.admx*
-
-
+
+
+
-
+
+
**EventLogService/SpecifyMaximumFileSizeSecurityLog**
-
+
Home
@@ -181,8 +187,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -190,15 +196,15 @@ ADMX Info:
-
-
+
+
This policy setting specifies the maximum size of the log file in kilobytes.
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
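Review bot: The description in this hunk says only "the maximum size of the log file" and is word-for-word the same as the Application and System variants; nothing before the ADMX path (*Windows Components/Event Log Service/Security*) tells the reader it governs the Security log. Name the log in the first sentence of each of the three policies. It would also help to state that the quoted 20 megabyte default is the locally configured value for this specific log, if that is the case, because the text does not say which log that default applies to.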
@@ -206,20 +212,22 @@ If you disable or do not configure this policy setting, the maximum size of the
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_2*
- GP path: *Windows Components/Event Log Service/Security*
- GP ADMX file name: *eventlog.admx*
-
-
+
+
+
-
+
+
**EventLogService/SpecifyMaximumFileSizeSystemLog**
-
+
Home
@@ -241,8 +249,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -250,15 +258,15 @@ ADMX Info:
-
-
+
+
This policy setting specifies the maximum size of the log file in kilobytes.
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -266,15 +274,15 @@ If you disable or do not configure this policy setting, the maximum size of the
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_4*
- GP path: *Windows Components/Event Log Service/System*
- GP ADMX file name: *eventlog.admx*
-
-
+
+
Footnote:
@@ -283,5 +291,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index 8d3786e647..162e0d9065 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/19/2017
+ms.date: 01/30/2018
---
# Policy CSP - Experience
@@ -17,7 +17,7 @@ ms.date: 12/19/2017
-
+
## Experience policies
@@ -86,11 +86,13 @@ ms.date: 12/19/2017
+
-
+
+
**Experience/AllowCopyPaste**
-
+
Home
@@ -112,8 +114,8 @@ ms.date: 12/19/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -121,16 +123,16 @@ ms.date: 12/19/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies whether copy and paste is allowed.
+Specifies whether copy and paste is allowed.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -138,12 +140,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Experience/AllowCortana**
-
+
Home
@@ -165,8 +169,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -174,13 +178,13 @@ The following list shows the supported values:
-
-
-
Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device.
+
+
+Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -188,12 +192,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Experience/AllowDeviceDiscovery**
-
+
Home
@@ -215,8 +221,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -224,15 +230,15 @@ The following list shows the supported values:
-
-
-
Allows users to turn on/off device discovery UX.
+
+
+Allows users to turn on/off device discovery UX.
-
When set to 0 , the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on.
+When set to 0 , the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
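Review bot: The re-added line "When set to 0 , the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on." carries over a stray space before the comma and a sentence that stops mid-phrase at "will not work on". Since the line is being rewritten anyway, either finish the sentence with what the shortcuts will not work on, or end it at "will not work".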
@@ -240,12 +246,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Experience/AllowFindMyDevice**
-
+
Home
@@ -267,8 +275,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -276,15 +284,15 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy turns on Find My Device.
+
+
+Added in Windows 10, version 1703. This policy turns on Find My Device.
-
When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. In Windows 10, version 1709 devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer.
+When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. In Windows 10, version 1709 devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer.
-
When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. In Windows 10, version 1709 the user will not be able to view the location of the last use of their active digitizer on their device.
+When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. In Windows 10, version 1709 the user will not be able to view the location of the last use of their active digitizer on their device.
-
+
The following list shows the supported values:
@@ -292,12 +300,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -319,8 +329,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -328,17 +338,17 @@ The following list shows the supported values:
-
-
-
Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g. auto-enrolled), which is majority of the case for Intune, then disabling the MDM unenrollment has no effect.
+
+
+Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g. auto-enrolled), which is majority of the case for Intune, then disabling the MDM unenrollment has no effect.
> [!NOTE]
> The MDM server can always remotely delete the account.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
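Review bot: The re-added description keeps the phrase "which is majority of the case for Intune", which is ungrammatical and vague about scope; something like "which is the case for most Intune deployments" reads cleanly. The sentence also says that "disabling the MDM unenrollment has no effect" on Azure Active Directory joined, auto-enrolled devices. It is worth stating explicitly whether the user can or cannot remove the account in that state, because "no effect" can be read either way.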
@@ -346,12 +356,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -373,8 +385,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -382,15 +394,15 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies whether to display dialog prompt when no SIM card is detected.
+Specifies whether to display dialog prompt when no SIM card is detected.
-
+
The following list shows the supported values:
@@ -398,20 +410,25 @@ The following list shows the supported values:
- 1 (default) – SIM card dialog prompt is displayed.
-
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -442,17 +459,17 @@ This policy is deprecated.
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies whether screen capture is allowed.
+Specifies whether screen capture is allowed.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -460,20 +477,25 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -504,11 +526,11 @@ This policy is deprecated.
-
-
-
Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices).
+
+
+Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices).
-
+
The following list shows the supported values:
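Review bot: The re-added sync settings line links to http://windows.microsoft.com/... over plain HTTP; switch the link to https while the line is being touched. The wording "sync'ed" and the link title "About sync setting on Windows 10 devices" could be normalized to "synced" and "sync settings" in the same pass.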
@@ -516,12 +538,14 @@ The following list shows the supported values:
- 1 (default) – Sync settings allowed.
-
+
+
@@ -543,8 +567,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -552,20 +576,20 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1703. This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them.
+Added in Windows 10, version 1703. This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them.
-
Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value.
+Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value.
> **Note** This setting does not control Cortana cutomized experiences because there are separate policies to configure it.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
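Review bot: The unchanged line "> **Note** This setting does not control Cortana cutomized experiences because there are separate policies to configure it." has a typo ("cutomized") and uses a bold "Note" inside a plain blockquote, while the note at the top of this same hunk uses the `> [!NOTE]` callout. Fix the spelling and convert it to the callout form. "Separate policies to configure it" would also be more useful if it named or linked those policies.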
@@ -573,12 +597,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Experience/AllowTaskSwitcher**
-
+
Home
@@ -600,8 +626,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -609,15 +635,15 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Allows or disallows task switching on the device.
+Allows or disallows task switching on the device.
-
+
The following list shows the supported values:
@@ -625,12 +651,14 @@ The following list shows the supported values:
- 1 (default) – Task switching allowed.
-
+
+
@@ -652,8 +680,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -661,15 +689,15 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
-
Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services.
+Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services.
-
+
The following list shows the supported values:
@@ -677,12 +705,14 @@ The following list shows the supported values:
- 1 (default) – Third-party suggestions allowed.
-
+
+
-
+
+
**Experience/AllowVoiceRecording**
-
+
Home
@@ -704,8 +734,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -713,17 +743,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies whether voice recording is allowed for apps.
+Specifies whether voice recording is allowed for apps.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -731,12 +761,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -758,8 +790,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -767,17 +799,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles.
+This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -785,12 +817,14 @@ The following list shows the supported values:
- 1 – Allowed.
-
+
+
-
+
+
**Experience/AllowWindowsSpotlight**
-
+
Home
@@ -812,8 +846,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -821,17 +855,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
-
Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings.
+Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
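Review bot: The AllowWindowsSpotlight description re-added in this hunk keeps Group Policy wording ("If you enable this policy setting, Windows spotlight on lock screen ... will be turned off") for a CSP that is named Allow* and is set with an integer, so "enable" reads as the opposite of "Allowed". Next to "Most restricted value is 0", say explicitly which integer turns the features off and which leaves them individually controllable, so an MDM admin does not have to infer the mapping.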
@@ -839,12 +873,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -866,8 +902,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -875,16 +911,16 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1703. This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows.
+Added in Windows 10, version 1703. This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -892,12 +928,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -919,8 +957,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -928,17 +966,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature.
+Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature.
The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
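Review bot: The context paragraph after the rewritten first sentence does not parse: "The Windows welcome experience feature introduces onboard users to Windows" and, later, "to inform onboard users about what's new". The added sentence also has the doubled "Windows spotlight Windows welcome experience feature". Since the paragraph is being touched, reword both, for example "introduces users to Windows" and a single product name for the feature.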
@@ -946,12 +984,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Experience/AllowWindowsTips**
-
+
Home
@@ -973,8 +1013,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -982,11 +1022,11 @@ The following list shows the supported values:
-
-
+
+
Enables or disables Windows Tips / soft landing.
-
+
The following list shows the supported values:
@@ -994,12 +1034,14 @@ The following list shows the supported values:
- 1 (default) – Enabled.
-
+
+
-
+
+
**Experience/ConfigureWindowsSpotlightOnLockScreen**
-
+
Home
@@ -1021,8 +1063,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1030,27 +1072,31 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
-
Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1.
+Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – None.
- 1 (default) – Windows spotlight enabled.
- 2 – placeholder only for future extension. Using this value has no effect.
-
-
+
+
+
@@ -1072,8 +1118,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1081,21 +1127,23 @@ The following list shows the supported values:
-
-
-
Prevents devices from showing feedback questions from Microsoft.
+
+
+Prevents devices from showing feedback questions from Microsoft.
-
If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or do not configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback.
+If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or do not configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback.
-
If you disable or do not configure this policy setting, users can control how often they receive feedback questions.
+If you disable or do not configure this policy setting, users can control how often they receive feedback questions.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally.
- 1 – Feedback notifications are disabled.
-
-
+
+
Footnote:
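Review bot: Two added sentences open with the same condition, "If you disable or do not configure this policy setting", and give different outcomes (users "may see notifications through the Feedback hub app" and users "can control how often they receive feedback questions"). Merge them into one sentence so the disabled or unconfigured state is described once. It would also help to tie "enable this policy setting" to the value list, where 1 is "Feedback notifications are disabled" and 0 is the default.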
@@ -1104,7 +1152,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Experience policies supported by Windows Holographic for Business
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
index e165e843f7..f52eb4c227 100644
--- a/windows/client-management/mdm/policy-csp-exploitguard.md
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - ExploitGuard
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## ExploitGuard policies
Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits with Windows Defender Exploit Guard](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).
+
+
+Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits with Windows Defender Exploit Guard](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).
-
The system settings require a reboot; the application settings do not require a reboot.
+The system settings require a reboot; the application settings do not require a reboot.
-
Here is an example:
+
+
+Here is an example:
``` syntax
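Review bot: The added description paragraph carries over two wording defects from the removed line: "For more information Exploit Protection, see" is missing "about", and "The configuration is represented by an XML" needs a noun ("an XML file") or should drop the article. Both are worth fixing in this pass, since this paragraph is what admins read before pushing mitigation settings to every device.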
@@ -90,8 +94,8 @@ ms.date: 11/01/2017
```
-
-
+
+
Footnote:
@@ -100,5 +104,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md
index 17be10dc9d..2a651204e1 100644
--- a/windows/client-management/mdm/policy-csp-games.md
+++ b/windows/client-management/mdm/policy-csp-games.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - Games
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Games policies
Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. Value type is integer.
+
+
+Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. Value type is integer.
-
+
The following list shows the supported values:
@@ -71,7 +73,7 @@ The following list shows the supported values:
- 1 (default) - Allowed
-
+
Footnote:
@@ -80,5 +82,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md
index 3ca3c0d2bd..c03012e8f2 100644
--- a/windows/client-management/mdm/policy-csp-handwriting.md
+++ b/windows/client-management/mdm/policy-csp-handwriting.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - Handwriting
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Handwriting policies
Added in Windows 10. version 1709. This policy allows an enterprise to configure the default mode for the handwriting panel.
+
+
+Added in Windows 10. version 1709. This policy allows an enterprise to configure the default mode for the handwriting panel.
-
The handwriting panel has 2 modes - floats near the text box, or docked to the bottom of the screen. The default configuration to is floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen.
+The handwriting panel has 2 modes - floats near the text box, or docked to the bottom of the screen. The default configuration to is floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen.
-
In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and does not require any user interaction.
+In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and does not require any user interaction.
-
The docked mode is especially useful in Kiosk mode where you do not expect the end-user to drag the flying-in panel out of the way.
+The docked mode is especially useful in Kiosk mode where you do not expect the end-user to drag the flying-in panel out of the way.
-
+
The following list shows the supported values:
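Review bot: The added first line reads "Added in Windows 10. version 1709." with a period where the other policy files in this patch use a comma ("Added in Windows 10, version 1709"). The second added paragraph contains "The default configuration to is floating near text box", which is garbled; something like "The default configuration is floating near the text box" appears to be intended. Fix both before merging.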
@@ -77,7 +79,7 @@ The following list shows the supported values:
- 1 - Enabled.
-
+
Footnote:
@@ -86,5 +88,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index 88e6a352f7..4e2042350f 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - InternetExplorer
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## InternetExplorer policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -786,15 +788,15 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website.
If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.
If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -802,20 +804,22 @@ If you disable or do not configure this policy setting, the user can configure t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Add a specific list of search providers to the user's list of search providers*
- GP name: *AddSearchProvider*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowActiveXFiltering**
-
+
Home
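Review bot: The TIP kept as context in this hunk, and repeated for every ADMX-backed policy in this file, tells admins that "there are a variety of online encoders that you can use" to XML-encode the SyncML payload. For MDM policy payloads that advice means pasting configuration into third-party sites. Suggest recommending CDATA or a local encoding step and dropping the mention of online encoders. The CDATA link also points at http://www.w3.org rather than the https URL.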
@@ -837,8 +841,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -847,15 +851,15 @@ ADMX Info:
-
-
+
+
This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly.
If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions.
If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -863,20 +867,22 @@ If you disable or do not configure this policy setting, ActiveX Filtering is not
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on ActiveX Filtering*
- GP name: *TurnOnActiveXFiltering*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowAddOnList**
-
+
Home
@@ -898,8 +904,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -908,8 +914,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.
This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied.
@@ -922,7 +928,7 @@ Value - A number indicating whether Internet Explorer should deny or allow the a
If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -930,20 +936,22 @@ If you disable this policy setting, the list is deleted. The 'Deny all add-ons u
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Add-on List*
- GP name: *AddonManagement_AddOnList*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowAutoComplete**
-
+
Home
@@ -965,8 +973,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -974,9 +982,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -984,20 +993,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on the auto-complete feature for user names and passwords on forms*
- GP name: *RestrictFormSuggestPW*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowCertificateAddressMismatchWarning**
-
+
Home
@@ -1019,8 +1030,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1029,9 +1040,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1039,20 +1051,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on certificate address mismatch warning*
- GP name: *IZ_PolicyWarnCertMismatch*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowDeletingBrowsingHistoryOnExit**
-
+
Home
@@ -1074,8 +1088,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1084,9 +1098,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1094,20 +1109,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow deleting browsing history on exit*
- GP name: *DBHDisableDeleteOnExit*
- GP path: *Windows Components/Internet Explorer/Delete Browsing History*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowEnhancedProtectedMode**
-
+
Home
@@ -1129,8 +1146,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1139,8 +1156,8 @@ ADMX Info:
-
-
+
+
Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.
If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.
@@ -1149,7 +1166,7 @@ If you disable this policy setting, Enhanced Protected Mode will be turned off.
If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1157,20 +1174,22 @@ If you do not configure this policy, users will be able to turn on or turn off E
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Enhanced Protected Mode*
- GP name: *Advanced_EnableEnhancedProtectedMode*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowEnterpriseModeFromToolsMenu**
-
+
Home
@@ -1192,8 +1211,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1202,15 +1221,15 @@ ADMX Info:
-
-
+
+
This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.
If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports.
If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1218,20 +1237,22 @@ If you disable or don't configure this policy setting, the menu option won't app
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Let users turn on and use Enterprise Mode from the Tools menu*
- GP name: *EnterpriseModeEnable*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowEnterpriseModeSiteList**
-
+
Home
@@ -1253,8 +1274,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1263,15 +1284,15 @@ ADMX Info:
-
-
+
+
This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.
If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE.
If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
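Review bot: The description in this hunk names the mode inconsistently: the first sentence says "instead of Standard mode" and the last says "opens all websites using Standards mode". Use one term in both places; "Standards mode" matches the AllowInternetExplorerStandardsMode policy documented later in the same file. The middle sentence could also make clear that the registry key in parentheses holds the location of the site list rather than being the location itself.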
@@ -1279,20 +1300,22 @@ If you disable or don't configure this policy setting, Internet Explorer opens a
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Use the Enterprise Mode IE website list*
- GP name: *EnterpriseModeSiteList*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowFallbackToSSL3**
-
+
Home
@@ -1314,8 +1337,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1323,9 +1346,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
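Review bot: Between the Scope checklist and the TIP this hunk changes only blank lines, so InternetExplorer/AllowFallbackToSSL3 still has no description, unlike AllowActiveXFiltering or AllowAddOnList, which explain what enabling and disabling do. For a setting that governs fallback to SSL 3.0, the page should state the effect of each state before the ADMX Info block. The same gap is visible in the hunks for AllowAutoComplete, AllowCertificateAddressMismatchWarning and AllowDeletingBrowsingHistoryOnExit.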
@@ -1333,20 +1357,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow fallback to SSL 3.0 (Internet Explorer)*
- GP name: *Advanced_EnableSSL3Fallback*
- GP path: *Windows Components/Internet Explorer/Security Features*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowInternetExplorer7PolicyList**
-
+
Home
@@ -1368,8 +1394,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1378,15 +1404,15 @@ ADMX Info:
-
-
+
+
This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.
If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify.
If you disable or do not configure this policy setting, the user can add and remove sites from the list.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1394,20 +1420,22 @@ If you disable or do not configure this policy setting, the user can add and rem
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Use Policy List of Internet Explorer 7 sites*
- GP name: *CompatView_UsePolicyList*
- GP path: *Windows Components/Internet Explorer/Compatibility View*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowInternetExplorerStandardsMode**
-
+
Home
@@ -1429,8 +1457,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1439,8 +1467,8 @@ ADMX Info:
-
-
+
+
This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone.
If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box.
@@ -1449,7 +1477,7 @@ If you disable this policy setting, Internet Explorer uses an Internet Explorer
If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1457,20 +1485,22 @@ If you do not configure this policy setting, Internet Explorer uses an Internet
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Internet Explorer Standards Mode for local intranet*
- GP name: *CompatView_IntranetSites*
- GP path: *Windows Components/Internet Explorer/Compatibility View*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowInternetZoneTemplate**
-
+
Home
@@ -1492,8 +1522,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1502,8 +1532,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -1516,7 +1546,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
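Review bot: The two "Note." paragraphs of this description (the one quoted in the hunk header and the context line on GPO separation) are plain body text, while the tip directly below them uses the `> [!TIP]` callout. Suggest converting both to `> [!NOTE]` so the guidance on keeping template settings and individual settings in separate GPOs stands out the same way.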
@@ -1524,20 +1554,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Internet Zone Template*
- GP name: *IZ_PolicyInternetZoneTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowIntranetZoneTemplate**
-
+
Home
@@ -1559,8 +1591,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1569,8 +1601,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -1583,7 +1615,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1591,20 +1623,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Intranet Zone Template*
- GP name: *IZ_PolicyIntranetZoneTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowLocalMachineZoneTemplate**
-
+
Home
@@ -1626,8 +1660,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1636,8 +1670,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -1650,7 +1684,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1658,20 +1692,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Local Machine Zone Template*
- GP name: *IZ_PolicyLocalMachineZoneTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowLockedDownInternetZoneTemplate**
-
+
Home
@@ -1693,8 +1729,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1703,8 +1739,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
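Review bot: The description kept as context in this hunk is word for word the one under InternetExplorer/AllowInternetZoneTemplate, so it says only "this zone" and never explains what the locked-down variant changes. Suggest naming the Locked-Down Internet zone in the first sentence and adding one sentence on when the locked-down template applies instead of the regular one.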
@@ -1717,7 +1753,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1725,20 +1761,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Locked-Down Internet Zone Template*
- GP name: *IZ_PolicyInternetZoneLockdownTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowLockedDownIntranetZoneTemplate**
-
+
Home
@@ -1760,8 +1798,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1770,8 +1808,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -1784,7 +1822,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1792,20 +1830,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Locked-Down Intranet Zone Template*
- GP name: *IZ_PolicyIntranetZoneLockdownTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate**
-
+
Home
@@ -1827,8 +1867,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1837,8 +1877,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -1851,7 +1891,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1859,20 +1899,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Locked-Down Local Machine Zone Template*
- GP name: *IZ_PolicyLocalMachineZoneLockdownTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate**
-
+
Home
@@ -1894,8 +1936,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1904,8 +1946,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -1918,7 +1960,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1926,20 +1968,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Locked-Down Restricted Sites Zone Template*
- GP name: *IZ_PolicyRestrictedSitesZoneLockdownTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowOneWordEntry**
-
+
Home
@@ -1961,8 +2005,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1971,15 +2015,15 @@ ADMX Info:
-
-
+
+
This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar.
If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available.
If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1987,20 +2031,22 @@ If you disable or do not configure this policy setting, Internet Explorer does n
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Go to an intranet site for a one-word entry in the Address bar*
- GP name: *UseIntranetSiteForOneWordEntry*
- GP path: *Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowSiteToZoneAssignmentList**
-
+
Home
@@ -2022,8 +2068,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2032,8 +2078,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.
Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)
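Review bot: In the second description paragraph the zones are numbered (1) Intranet, (2) Trusted Sites, (3) Internet, (4) Restricted Sites, but the default templates are then listed starting with Trusted Sites. Since the value an admin enters is the zone number, and a wrong number can place a site in the zone with the Low template, suggest listing the defaults in the same 1-4 order, or as a small table of number, zone and default template.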
@@ -2046,7 +2092,7 @@ Value - A number indicating the zone with which this site should be associated f
If you disable or do not configure this policy, users may choose their own site-to-zone assignments.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -2054,20 +2100,22 @@ If you disable or do not configure this policy, users may choose their own site-
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Site to Zone Assignment List*
- GP name: *IZ_Zonemaps*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowSoftwareWhenSignatureIsInvalid**
-
+
Home
@@ -2089,8 +2137,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2099,9 +2147,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
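Review bot: The description block for InternetExplorer/AllowSoftwareWhenSignatureIsInvalid is still empty after this hunk: only blank lines sit between the scope checklist and the tip, where the neighbouring policies carry their explanatory text. For a setting whose GP name is "Allow software to run or install even if the signature is invalid", suggest adding what enabled, disabled and not configured each do before merging.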
@@ -2109,20 +2158,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow software to run or install even if the signature is invalid*
- GP name: *Advanced_InvalidSignatureBlock*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowSuggestedSites**
-
+
Home
@@ -2144,8 +2195,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2154,8 +2205,8 @@ ADMX Info:
-
-
+
+
This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit.
If you enable this policy setting, the user is not prompted to enable Suggested Sites. The users browsing history is sent to Microsoft to produce suggestions.
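Review bot: The Suggested Sites description in this hunk drops the possessive apostrophe three times ("the users browsing activity", "a users browsing history", "The users browsing history"). Suggest "user's" in each place; the sentences describe browsing history being sent to Microsoft, so they are worth getting exactly right.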
@@ -2164,7 +2215,7 @@ If you disable this policy setting, the entry points and functionality associate
If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -2172,20 +2223,22 @@ If you do not configure this policy setting, the user can turn on and turn off t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Suggested Sites*
- GP name: *EnableSuggestedSites*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowTrustedSitesZoneTemplate**
-
+
Home
@@ -2207,8 +2260,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2217,8 +2270,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -2231,7 +2284,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -2239,20 +2292,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Trusted Sites Zone Template*
- GP name: *IZ_PolicyTrustedSitesZoneTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate**
-
+
Home
@@ -2274,8 +2329,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2284,8 +2339,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -2298,7 +2353,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -2306,20 +2361,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Locked-Down Trusted Sites Zone Template*
- GP name: *IZ_PolicyTrustedSitesZoneLockdownTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowsRestrictedSitesZoneTemplate**
-
+
Home
@@ -2341,8 +2398,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2351,8 +2408,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -2365,7 +2422,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -2373,20 +2430,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Restricted Sites Zone Template*
- GP name: *IZ_PolicyRestrictedSitesZoneTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/CheckServerCertificateRevocation**
-
+
Home
@@ -2408,8 +2467,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2418,9 +2477,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
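Review bot: InternetExplorer/CheckServerCertificateRevocation has no description in this hunk; the lines between the scope checklist and the tip are blank on both the removed and the added side. Suggest stating whether revocation checking is on or off when the policy is not configured and what enabling it changes, in the same three-case form the other policies on this page use.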
@@ -2428,20 +2488,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Check for server certificate revocation*
- GP name: *Advanced_CertificateRevocation*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/CheckSignaturesOnDownloadedPrograms**
-
+
Home
@@ -2463,8 +2525,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2473,9 +2535,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
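Review bot: The description for InternetExplorer/CheckSignaturesOnDownloadedPrograms is missing here as well: four blank lines are added where the policy text should be. Suggest filling it in with the enabled, disabled and not configured behaviour so that an admin does not have to infer the effect from the GP English name alone.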
@@ -2483,20 +2546,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Check for signatures on downloaded programs*
- GP name: *Advanced_DownloadSignatures*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses**
-
+
Home
@@ -2518,8 +2583,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2528,9 +2593,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
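Review bot: No description text appears for InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses between the scope checklist and the tip in this hunk. Suggest adding one, since the only other explanation a reader gets is the ADMX Info list that follows.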
@@ -2538,20 +2604,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_2*
- GP path: *Windows Components/Internet Explorer/Security Features/Binary Behavior Security Restriction*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableAdobeFlash**
-
+
Home
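Review bot: The ADMX Info kept as context in this hunk does not seem to match the policy it sits under: the policy is InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses, but the GP path ends in "Binary Behavior Security Restriction" and the GP name is *IESF_PolicyExplorerProcesses_2*. Please check both values against inetres.admx and correct them if they were copied from another policy.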
@@ -2573,8 +2641,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2583,8 +2651,8 @@ ADMX Info:
-
-
+
+
This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects.
If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings.
@@ -2593,7 +2661,7 @@ If you disable, or do not configure this policy setting, Flash is turned on for
Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
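
Review bot: In the context paragraph of this hunk, "all applications that use Internet Explorer technology to instantiate Flash object can still do so" should read "Flash objects". The closing pointer to "Group Policy Settings in Internet Explorer 10" in the TechNet library is also plain text; link it or drop it, since a reader has no way to follow it from this page.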
@@ -2601,20 +2669,22 @@ Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects*
- GP name: *DisableFlashInIE*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableBypassOfSmartScreenWarnings**
-
+
Home
@@ -2636,8 +2706,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2646,15 +2716,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious.
If you enable this policy setting, SmartScreen Filter warnings block the user.
If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
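
Review bot: The enabled-state sentence in this hunk's context, "If you enable this policy setting, SmartScreen Filter warnings block the user", is ambiguous about what is blocked. The disabled state is worded as "the user can bypass SmartScreen Filter warnings", so word the enabled state as its opposite, for example "the user cannot bypass SmartScreen Filter warnings", so an admin reading only that line knows Enabled is the restrictive setting.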
@@ -2662,20 +2732,22 @@ If you disable or do not configure this policy setting, the user can bypass Smar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent bypassing SmartScreen Filter warnings*
- GP name: *DisableSafetyFilterOverride*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles**
-
+
Home
@@ -2697,8 +2769,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2707,15 +2779,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet.
If you enable this policy setting, SmartScreen Filter warnings block the user.
If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -2723,20 +2795,22 @@ If you disable or do not configure this policy setting, the user can bypass Smar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet*
- GP name: *DisableSafetyFilterOverrideForAppRepUnknown*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableConfiguringHistory**
-
+
Home
@@ -2758,8 +2832,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2768,9 +2842,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
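
Review bot: The description region for InternetExplorer/DisableConfiguringHistory is empty in this hunk: the added lines are blank and the context runs straight into the `[!TIP]` block. Add the three-state text the neighbouring policies carry (what happens when the setting is enabled, disabled, and not configured); as it stands the only hint of behaviour is the GP English name in the ADMX Info list.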
@@ -2778,20 +2853,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disable "Configuring History"*
- GP name: *RestrictHistory*
- GP path: *Windows Components/Internet Explorer/Delete Browsing History*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableCrashDetection**
-
+
Home
@@ -2813,8 +2890,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2823,9 +2900,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -2833,20 +2911,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off Crash Detection*
- GP name: *AddonManagement_RestrictCrashDetection*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation**
-
+
Home
@@ -2868,8 +2948,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2878,8 +2958,8 @@ ADMX Info:
-
-
+
+
This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).
If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.
@@ -2888,7 +2968,7 @@ If you disable this policy setting, the user must participate in the CEIP, and t
If you do not configure this policy setting, the user can choose to participate in the CEIP.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -2896,20 +2976,22 @@ If you do not configure this policy setting, the user can choose to participate
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent participation in the Customer Experience Improvement Program*
- GP name: *SQM_DisableCEIP*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableDeletingUserVisitedWebsites**
-
+
Home
@@ -2931,8 +3013,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2941,9 +3023,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -2951,20 +3034,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent deleting websites that the user has visited*
- GP name: *DBHDisableDeleteHistory*
- GP path: *Windows Components/Internet Explorer/Delete Browsing History*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableEnclosureDownloading**
-
+
Home
@@ -2986,8 +3071,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2996,15 +3081,15 @@ ADMX Info:
-
-
+
+
This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.
If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.
If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3012,20 +3097,22 @@ If you disable or do not configure this policy setting, the user can set the Fee
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent downloading of enclosures*
- GP name: *Disable_Downloading_of_Enclosures*
- GP path: *Windows Components/RSS Feeds*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableEncryptionSupport**
-
+
Home
@@ -3047,8 +3134,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3057,8 +3144,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match.
If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.
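Review bot: The enabled-state sentence here tells the admin to pick encryption methods "from the drop-down list", which exists only in the Group Policy editor. This page documents the MDM policy, so add the values the SyncML payload has to carry for each protocol selection, or link to where they are listed. In the paragraph above it, "each others list" should read "each other's lists".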
@@ -3067,7 +3154,7 @@ If you disable or do not configure this policy setting, the user can select whic
Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3075,20 +3162,22 @@ Note: SSL 2.0 is off by default and is no longer supported starting with Windows
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off encryption support*
- GP name: *Advanced_SetWinInetProtocols*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableFirstRunWizard**
-
+
Home
@@ -3110,8 +3199,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3120,8 +3209,8 @@ ADMX Info:
-
-
+
+
This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
If you enable this policy setting, you must make one of the following choices:
@@ -3132,7 +3221,7 @@ Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not avail
If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3140,20 +3229,22 @@ If you disable or do not configure this policy setting, Internet Explorer may ru
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent running First Run wizard*
- GP name: *NoFirstRunCustomise*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableFlipAheadFeature**
-
+
Home
@@ -3175,8 +3266,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3185,8 +3276,8 @@ ADMX Info:
-
-
+
+
This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop.
@@ -3197,7 +3288,7 @@ If you disable this policy setting, flip ahead with page prediction is turned on
If you don't configure this setting, users can turn this behavior on or off, using the Settings charm.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3205,20 +3296,22 @@ If you don't configure this setting, users can turn this behavior on or off, usi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off the flip ahead with page prediction feature*
- GP name: *Advanced_DisableFlipAhead*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableHomePageChange**
-
+
Home
@@ -3240,8 +3333,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3249,15 +3342,15 @@ ADMX Info:
-
-
+
+
The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run.
If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies.
If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3265,20 +3358,22 @@ If you disable or do not configure this policy setting, the Home page box is ena
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disable changing home page settings*
- GP name: *RestrictHomePage*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableIgnoringCertificateErrors**
-
+
Home
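Review bot: The note at the top of this hunk sends admins to "online encoders" to XML-encode the SyncML payload, and for RestrictHomePage that payload carries the home page the organization specifies. Lead with CDATA or a local encoding step and drop the pointer to online tools, so policy payloads are not pasted into third-party sites.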
@@ -3300,8 +3395,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3310,9 +3405,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
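
Review bot: InternetExplorer/DisableIgnoringCertificateErrors has no description in this hunk; the blank added lines are followed directly by the `[!TIP]` block. For a setting that governs certificate-error handling, state what the user can and cannot do in the enabled, disabled and not-configured states, as the DisableBypassOfSmartScreenWarnings entry does, rather than leaving it to be inferred from the policy name.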
@@ -3320,20 +3416,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent ignoring certificate errors*
- GP name: *NoCertError*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableInPrivateBrowsing**
-
+
Home
@@ -3355,8 +3453,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3365,9 +3463,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3375,20 +3474,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off InPrivate Browsing*
- GP name: *DisableInPrivateBrowsing*
- GP path: *Windows Components/Internet Explorer/Privacy*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableProcessesInEnhancedProtectedMode**
-
+
Home
@@ -3410,8 +3511,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3420,9 +3521,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3430,20 +3532,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows*
- GP name: *Advanced_EnableEnhancedProtectedMode64Bit*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableProxyChange**
-
+
Home
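Review bot: The ADMX entries in this hunk read as an enable setting (GP English name "Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows", GP name Advanced_EnableEnhancedProtectedMode64Bit), while the policy heading above is InternetExplorer/DisableProcessesInEnhancedProtectedMode. With no description on the page, a reader cannot tell whether enabling the policy turns 64-bit tab processes on or off; add a sentence that states the effect of each state.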
@@ -3465,8 +3569,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3475,15 +3579,15 @@ ADMX Info:
-
-
+
+
This policy setting specifies if a user can change proxy settings.
If you enable this policy setting, the user will not be able to configure proxy settings.
If you disable or do not configure this policy setting, the user can configure proxy settings.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3491,20 +3595,22 @@ If you disable or do not configure this policy setting, the user can configure p
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent changing proxy settings*
- GP name: *RestrictProxy*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableSearchProviderChange**
-
+
Home
@@ -3526,8 +3632,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3536,15 +3642,15 @@ ADMX Info:
-
-
+
+
This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box.
If you enable this policy setting, the user cannot change the default search provider.
If you disable or do not configure this policy setting, the user can change the default search provider.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3552,20 +3658,22 @@ If you disable or do not configure this policy setting, the user can change the
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent changing the default search provider*
- GP name: *NoSearchProvider*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableSecondaryHomePageChange**
-
+
Home
@@ -3587,8 +3695,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3597,8 +3705,8 @@ ADMX Info:
-
-
+
+
Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages.
If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages.
@@ -3607,7 +3715,7 @@ If you disable or do not configure this policy setting, the user can add seconda
Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3615,20 +3723,22 @@ Note: If the Disable Changing Home Page Settings policy is enabled, the user can
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disable changing secondary home page settings*
- GP name: *SecondaryHomePages*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableSecuritySettingsCheck**
-
+
Home
@@ -3650,8 +3760,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3660,9 +3770,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
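
Review bot: No description text sits between the blank added lines and the `[!TIP]` block for InternetExplorer/DisableSecuritySettingsCheck. The policy name is a negation, so say explicitly which state turns the Security Settings Check feature off and what applies when the policy is not configured; without that an admin can push a payload with the opposite effect to the one intended.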
@@ -3670,20 +3781,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off the Security Settings Check feature*
- GP name: *Disable_Security_Settings_Check*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableUpdateCheck**
-
+
Home
@@ -3705,8 +3818,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3714,8 +3827,8 @@ ADMX Info:
-
-
+
+
Prevents Internet Explorer from checking whether a new version of the browser is available.
If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new version is available.
@@ -3724,7 +3837,7 @@ If you disable this policy or do not configure it, Internet Explorer checks ever
This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3732,20 +3845,22 @@ This policy is intended to help the administrator maintain version control for I
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disable Periodic Check for Internet Explorer software updates*
- GP name: *NoUpdateCheck*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DoNotAllowActiveXControlsInProtectedMode**
-
+
Home
@@ -3767,8 +3882,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3777,9 +3892,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3787,20 +3903,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled*
- GP name: *Advanced_DisableEPMCompat*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DoNotAllowUsersToAddSites**
-
+
Home
@@ -3822,8 +3940,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3831,8 +3949,8 @@ ADMX Info:
-
-
+
+
Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level.
If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.)
@@ -3845,7 +3963,7 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Ad
Also, see the "Security zones: Use only machine settings" policy.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3853,20 +3971,22 @@ Also, see the "Security zones: Use only machine settings" policy.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Security Zones: Do not allow users to add/delete sites*
- GP name: *Security_zones_map_edit*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DoNotAllowUsersToChangePolicies**
-
+
Home
@@ -3888,8 +4008,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3897,8 +4017,8 @@ ADMX Info:
-
-
+
+
Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.
If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled.
@@ -3911,7 +4031,7 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Adm
Also, see the "Security zones: Use only machine settings" policy.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3919,20 +4039,22 @@ Also, see the "Security zones: Use only machine settings" policy.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Security Zones: Do not allow users to change policies*
- GP name: *Security_options_edit*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DoNotBlockOutdatedActiveXControls**
-
+
Home
@@ -3954,8 +4076,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3964,8 +4086,8 @@ ADMX Info:
-
-
+
+
This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls.
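Review bot: The enabled state described in this hunk's context, "Internet Explorer stops blocking outdated ActiveX controls", is the less restrictive one, which is easy to miss because the policy name is a negation. Say so explicitly next to the enabled-state sentence, so an admin does not enable the policy expecting more protection.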
@@ -3974,7 +4096,7 @@ If you disable or don't configure this policy setting, Internet Explorer continu
For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3982,20 +4104,22 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off blocking of outdated ActiveX controls for Internet Explorer*
- GP name: *VerMgmtDisable*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains**
-
+
Home
@@ -4017,8 +4141,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4027,8 +4151,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:
@@ -4041,7 +4165,7 @@ If you disable or don't configure this policy setting, the list is deleted and I
For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4049,20 +4173,22 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains*
- GP name: *VerMgmtDomainAllowlist*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IncludeAllLocalSites**
-
+
Home
@@ -4084,8 +4210,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4094,8 +4220,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone.
If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone.
@@ -4104,7 +4230,7 @@ If you disable this policy setting, local sites which are not explicitly mapped
If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4112,20 +4238,22 @@ If you do not configure this policy setting, users choose whether to force local
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Intranet Sites: Include all local (intranet) sites not listed in other zones*
- GP name: *IZ_IncludeUnspecifiedLocalSites*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IncludeAllNetworkPaths**
-
+
Home
@@ -4147,8 +4275,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4157,8 +4285,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.
If you enable this policy setting, all network paths are mapped into the Intranet Zone.
@@ -4167,7 +4295,7 @@ If you disable this policy setting, network paths are not necessarily mapped int
If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4175,20 +4303,22 @@ If you do not configure this policy setting, users choose whether network paths
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Intranet Sites: Include all network paths (UNCs)*
- GP name: *IZ_UNCAsIntranet*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowAccessToDataSources**
-
+
Home
@@ -4210,8 +4340,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4220,8 +4350,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
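Review bot: The description in this hunk contradicts itself: the first sentence says the setting governs access to data "from another security zone", while the enabled-case sentence that follows talks about data "from another site in the zone". The GP English name listed for this policy is "Access data sources across domains", so please pick one wording and use it in both sentences.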
@@ -4230,7 +4360,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4238,20 +4368,22 @@ If you do not configure this policy setting, users cannot load a page in the zon
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -4273,8 +4405,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4283,8 +4415,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -4293,7 +4425,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4301,20 +4433,22 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -4336,8 +4470,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4346,15 +4480,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4362,20 +4496,22 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowCopyPasteViaScript**
-
+
Home
@@ -4397,8 +4533,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4407,9 +4543,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
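Review bot: No description text is visible between the scope block and the ADMX-backed tip for InternetExplorer/InternetZoneAllowCopyPasteViaScript; the hunk changes only empty lines there. Neighbouring policies such as InternetZoneAllowFontDownloads state what enabled, disabled and not configured do, so please add the same three-state description here before merging.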
@@ -4417,20 +4554,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow cut, copy or paste operations from the clipboard via script*
- GP name: *IZ_PolicyAllowPasteViaScript_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles**
-
+
Home
@@ -4452,8 +4591,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4462,9 +4601,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4472,20 +4612,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow drag and drop or copy and paste files*
- GP name: *IZ_PolicyDropOrPasteFiles_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowFontDownloads**
-
+
Home
@@ -4507,8 +4649,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4517,8 +4659,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -4527,7 +4669,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4535,20 +4677,22 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowLessPrivilegedSites**
-
+
Home
@@ -4570,8 +4714,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4580,8 +4724,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -4590,7 +4734,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4598,20 +4742,22 @@ If you do not configure this policy setting, Web sites from less privileged zone
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles**
-
+
Home
@@ -4633,8 +4779,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4643,9 +4789,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4653,20 +4800,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow loading of XAML files*
- GP name: *IZ_Policy_XAML_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents**
-
+
Home
@@ -4688,8 +4837,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4698,8 +4847,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -4708,7 +4857,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4716,20 +4865,22 @@ If you do not configure this policy setting, Internet Explorer will execute unsi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls**
-
+
Home
@@ -4751,8 +4902,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4761,9 +4912,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4771,20 +4923,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow only approved domains to use ActiveX controls without prompt*
- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl**
-
+
Home
@@ -4806,8 +4960,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4816,9 +4970,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4826,20 +4981,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow only approved domains to use the TDC ActiveX control*
- GP name: *IZ_PolicyAllowTDCControl_Both_Internet*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowScriptInitiatedWindows**
-
+
Home
@@ -4861,8 +5018,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4871,9 +5028,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4881,20 +5039,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow script-initiated windows without size or position constraints*
- GP name: *IZ_PolicyWindowsRestrictionsURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls**
-
+
Home
@@ -4916,8 +5076,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4926,9 +5086,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4936,20 +5097,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scripting of Internet Explorer WebBrowser controls*
- GP name: *IZ_Policy_WebBrowserControl_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowScriptlets**
-
+
Home
@@ -4971,8 +5134,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4981,8 +5144,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -4991,7 +5154,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4999,20 +5162,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowSmartScreenIE**
-
+
Home
@@ -5034,8 +5199,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5044,8 +5209,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -5056,7 +5221,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
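Review bot: The "Note: In Internet Explorer 7, ..." line at the top of this hunk is a plain paragraph, while the tip two lines below uses the "> [!TIP]" alert syntax. Suggest converting it to a "> [!NOTE]" block so it renders consistently with the other callouts on the page.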
@@ -5064,20 +5229,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript**
-
+
Home
@@ -5099,8 +5266,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5109,9 +5276,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5119,20 +5287,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow updates to status bar via script*
- GP name: *IZ_Policy_ScriptStatusBar_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowUserDataPersistence**
-
+
Home
@@ -5154,8 +5324,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5164,8 +5334,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -5174,7 +5344,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5182,20 +5352,22 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls**
-
+
Home
@@ -5217,8 +5389,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5227,9 +5399,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
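Review bot: InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls has no description text in this hunk, and the name is negatively phrased ("Don't run antimalware programs against ActiveX controls"), so a reader cannot tell from the page whether enabling the policy turns the checks off or on. Please add the enabled, disabled and not-configured behaviour, as the InternetZoneAllowSmartScreenIE entry does.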
@@ -5237,20 +5410,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneDownloadSignedActiveXControls**
-
+
Home
@@ -5272,8 +5447,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5282,9 +5457,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5292,20 +5468,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Download signed ActiveX controls*
- GP name: *IZ_PolicyDownloadSignedActiveX_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneDownloadUnsignedActiveXControls**
-
+
Home
@@ -5327,8 +5505,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5337,9 +5515,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5347,20 +5526,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Download unsigned ActiveX controls*
- GP name: *IZ_PolicyDownloadUnsignedActiveX_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter**
-
+
Home
@@ -5382,8 +5563,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5392,9 +5573,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5402,20 +5584,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Cross-Site Scripting Filter*
- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Internet*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows**
-
+
Home
@@ -5437,8 +5621,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5447,9 +5631,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5457,20 +5642,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable dragging of content from different domains across windows*
- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows**
-
+
Home
@@ -5492,8 +5679,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5502,9 +5689,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5512,20 +5700,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable dragging of content from different domains within a window*
- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneEnableMIMESniffing**
-
+
Home
@@ -5547,8 +5737,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5557,9 +5747,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5567,20 +5758,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable MIME Sniffing*
- GP name: *IZ_PolicyMimeSniffingURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneEnableProtectedMode**
-
+
Home
@@ -5602,8 +5795,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5612,9 +5805,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5622,20 +5816,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Protected Mode*
- GP name: *IZ_Policy_TurnOnProtectedMode_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer**
-
+
Home
@@ -5657,8 +5853,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5667,9 +5863,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5677,20 +5874,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Include local path when user is uploading files to a server*
- GP name: *IZ_Policy_LocalPathForUpload_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -5712,8 +5911,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5722,8 +5921,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
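Review bot: the description line "This setting is not recommended, except for secure and administered zones" is generic text, but this entry is the Internet Zone policy (InternetExplorer/InternetZoneInitializeAndScriptActiveXControls). Say explicitly that enabling it for the Internet Zone is not recommended, so the caveat cannot be read as permitting it here.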
@@ -5734,7 +5933,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5742,20 +5941,22 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe**
-
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
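Review bot: the ADMX Info in this hunk maps InternetZoneInitializeAndScriptActiveXControls to the GP setting "Initialize and script ActiveX controls not marked as safe" (IZ_PolicyScriptActiveXNotMarkedSafe_1), and the very next heading is InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe. If both policy names are backed by the same GP setting, state that in one of the entries and say which name to deploy; if they are not, the first entry's ADMX Info needs checking.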
@@ -5817,9 +6021,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5827,20 +6032,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME**
-
+
Home
@@ -5862,8 +6069,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5872,9 +6079,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5882,20 +6090,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Launching applications and files in an IFRAME*
- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneLogonOptions**
-
+
Home
@@ -5917,8 +6127,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5927,9 +6137,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5937,20 +6148,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Logon options*
- GP name: *IZ_PolicyLogon_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneNavigateWindowsAndFrames**
-
+
Home
@@ -5972,8 +6185,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5982,8 +6195,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
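Review bot: typo in the description carried as context here, "from othe domains" should be "from other domains". The same typo appears again in the "If you do not configure this policy setting" sentence in the next hunk, so fix both in this change.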
@@ -5992,7 +6205,7 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6000,20 +6213,22 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode**
-
+
Home
@@ -6035,8 +6250,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6045,9 +6260,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6055,20 +6271,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components signed with Authenticode*
- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles**
-
+
Home
@@ -6090,8 +6308,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6100,9 +6318,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6110,20 +6329,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Show security warning for potentially unsafe files*
- GP name: *IZ_Policy_UnsafeFiles_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneUsePopupBlocker**
-
+
Home
@@ -6145,8 +6366,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6155,9 +6376,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6165,20 +6387,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Use Pop-up Blocker*
- GP name: *IZ_PolicyBlockPopupWindows_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneAllowAccessToDataSources**
-
+
Home
@@ -6200,8 +6424,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6210,8 +6434,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
@@ -6220,7 +6444,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6228,20 +6452,22 @@ If you do not configure this policy setting, users are queried to choose whether
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -6263,8 +6489,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6273,8 +6499,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -6283,7 +6509,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6291,20 +6517,22 @@ If you do not configure this policy setting, users will receive a prompt when a
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -6326,8 +6554,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6336,15 +6564,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
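Review bot: in the IntranetZoneAllowAutomaticPromptingForFileDownloads description, the "If you enable this setting" sentence and the "If you disable or do not configure this setting" sentence describe the same outcome ("users will receive a file download dialog for automatic download attempts"). As written the policy has no observable effect; confirm the disabled behaviour against the GP explain text in inetres.admx and correct whichever sentence is wrong.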
@@ -6352,20 +6580,22 @@ If you disable or do not configure this setting, users will receive a file downl
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneAllowFontDownloads**
-
+
Home
@@ -6387,8 +6617,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6397,8 +6627,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -6407,7 +6637,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6415,20 +6645,22 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneAllowLessPrivilegedSites**
-
+
Home
@@ -6450,8 +6682,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6460,8 +6692,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -6470,7 +6702,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
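Review bot: for IntranetZoneAllowLessPrivilegedSites the context line "If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone" means the unconfigured state matches Enabled, which the preceding text says runs without Protection from Zone Elevation. Add a sentence making that explicit, so admins know the protection applies only when the policy is set to Disabled (or Prompt for the warning).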
@@ -6478,20 +6710,22 @@ If you do not configure this policy setting, Web sites from less privileged zone
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents**
-
+
Home
@@ -6513,8 +6747,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6523,8 +6757,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -6533,7 +6767,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6541,20 +6775,22 @@ If you do not configure this policy setting, Internet Explorer will execute unsi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneAllowScriptlets**
-
+
Home
@@ -6576,8 +6812,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6586,8 +6822,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -6596,7 +6832,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6604,20 +6840,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneAllowSmartScreenIE**
-
+
Home
@@ -6639,8 +6877,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6649,8 +6887,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -6661,7 +6899,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6669,20 +6907,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneAllowUserDataPersistence**
-
+
Home
@@ -6704,8 +6944,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6714,8 +6954,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -6724,7 +6964,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6732,20 +6972,22 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls**
-
+
Home
@@ -6767,8 +7009,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6777,9 +7019,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
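Review bot: Missing documentation: nothing sits between the scope checklist and the `[!TIP]` in this hunk except the changed marker lines (three removed, four added), so InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls still has no description of what enabling, disabling or not configuring it does. The neighbouring policies carry that three-part text; add it here as well, since the GP English name "Don't run antimalware programs against ActiveX controls" is negated and easy to misread.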
@@ -6787,20 +7030,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -6822,8 +7067,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6832,8 +7077,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
@@ -6844,7 +7089,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6852,20 +7097,22 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneJavaPermissions**
-
+
Home
@@ -6887,8 +7134,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6897,9 +7144,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
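Review bot: InternetExplorer/IntranetZoneJavaPermissions is left without any description: the only lines between the scope checklist and the `[!TIP]` are the changed marker lines. The GP English name "Java permissions" does not say which values the setting accepts or what the unconfigured default is, so the description text should be added in this hunk rather than only re-spacing the markers.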
@@ -6907,20 +7155,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneNavigateWindowsAndFrames**
-
+
Home
@@ -6942,8 +7192,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6952,8 +7202,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
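Review bot: Typo in the last context line of this hunk: "from othe domains" should read "from other domains". The hunk already rewrites the lines directly above it, so fix the sentence in the same change.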
@@ -6962,7 +7212,7 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
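Review bot: The "If you do not configure this policy setting" sentence at the top of this hunk repeats the "from othe domains" typo; correct it to "from other domains" here too, so the enabled and not-configured descriptions of IntranetZoneNavigateWindowsAndFrames stay word-for-word consistent.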
@@ -6970,20 +7220,22 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneAllowAccessToDataSources**
-
+
Home
@@ -7005,8 +7257,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7015,8 +7267,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
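Review bot: The two description sentences in this hunk disagree on scope: the first says the setting governs access to data "from another security zone", while the enable sentence says "from another site in the zone", and the GP English name given for this policy is "Access data sources across domains". Settle on one wording (cross-domain appears to be the intent) so that an admin reading the description knows which boundary the policy enforces.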
@@ -7025,7 +7277,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7033,20 +7285,22 @@ If you do not configure this policy setting, users can load a page in the zone t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -7068,8 +7322,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7078,8 +7332,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -7088,7 +7342,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7096,20 +7350,22 @@ If you do not configure this policy setting, users will receive a prompt when a
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -7131,8 +7387,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7141,15 +7397,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
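Review bot: The description in this hunk gives the same outcome for every state: both "If you enable this setting" and "If you disable or do not configure this setting" end with "users will receive a file download dialog for automatic download attempts". As written, an admin cannot tell what disabling does in the Local Machine Zone. The Locked-Down Internet Zone variant of the same policy says that non user-initiated downloads are blocked and the Notification bar is shown instead; check the text against inetres.admx and either correct the disabled case or state explicitly that the behaviour is identical in this zone.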
@@ -7157,20 +7413,22 @@ If you disable or do not configure this setting, users will receive a file downl
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneAllowFontDownloads**
-
+
Home
@@ -7192,8 +7450,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7202,8 +7460,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -7212,7 +7470,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7220,20 +7478,22 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites**
-
+
Home
@@ -7255,8 +7515,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7265,8 +7525,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -7275,7 +7535,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7283,20 +7543,22 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents**
-
+
Home
@@ -7318,8 +7580,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7328,8 +7590,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -7338,7 +7600,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7346,20 +7608,22 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneAllowScriptlets**
-
+
Home
@@ -7381,8 +7645,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7391,8 +7655,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -7401,7 +7665,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7409,20 +7673,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneAllowSmartScreenIE**
-
+
Home
@@ -7444,8 +7710,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7454,8 +7720,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -7466,7 +7732,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
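Review bot: Style: the line beginning "Note: In Internet Explorer 7" at the top of this hunk is plain text sitting directly above a `> [!TIP]` callout. Since the surrounding markers are being re-spaced anyway, convert it to the same callout syntax the file uses elsewhere so it renders as a note and is not read as part of the not-configured sentence that precedes it.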
@@ -7474,20 +7740,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneAllowUserDataPersistence**
-
+
Home
@@ -7509,8 +7777,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7519,8 +7787,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -7529,7 +7797,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7537,20 +7805,22 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls**
-
+
Home
@@ -7572,8 +7842,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7582,9 +7852,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
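Review bot: Missing documentation: InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls has no description between the scope checklist and the `[!TIP]`; the hunk only swaps three marker lines for four. Because this setting turns a protection off when enabled, the page should state the enabled, disabled and not-configured behaviour for the Local Machine Zone explicitly.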
@@ -7592,20 +7863,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -7627,8 +7900,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7637,8 +7910,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
@@ -7649,7 +7922,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7657,20 +7930,22 @@ If you do not configure this policy setting, users are queried whether to allow
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneJavaPermissions**
-
+
Home
@@ -7692,8 +7967,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7702,9 +7977,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
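Review bot: No description is present for InternetExplorer/LocalMachineZoneJavaPermissions: the region between the scope checklist and the `[!TIP]` contains only the changed marker lines. Add the policy description here, including the accepted values and the default, so the entry matches the other Local Machine Zone policies in this file.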
@@ -7712,20 +7988,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames**
-
+
Home
@@ -7747,8 +8025,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7757,8 +8035,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
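Review bot: Typo in the final context line of this hunk: "from othe domains" should be "from other domains". This is the Local Machine Zone copy of the sentence, so it needs its own fix in addition to the Intranet Zone one.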
@@ -7767,7 +8045,7 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
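Review bot: The not-configured sentence at the top of this hunk also reads "from othe domains"; change it to "from other domains" so both sentences of LocalMachineZoneNavigateWindowsAndFrames are corrected together.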
@@ -7775,20 +8053,22 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources**
-
+
Home
@@ -7810,8 +8090,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7820,8 +8100,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
@@ -7830,7 +8110,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7838,20 +8118,22 @@ If you do not configure this policy setting, users cannot load a page in the zon
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -7873,8 +8155,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7883,8 +8165,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -7893,7 +8175,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7901,20 +8183,22 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -7936,8 +8220,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7946,15 +8230,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7962,20 +8246,22 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneAllowFontDownloads**
-
+
Home
@@ -7997,8 +8283,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8007,8 +8293,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -8017,7 +8303,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8025,20 +8311,22 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites**
-
+
Home
@@ -8060,8 +8348,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8070,8 +8358,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -8080,7 +8368,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8088,20 +8376,22 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents**
-
+
Home
@@ -8123,8 +8413,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8133,8 +8423,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -8143,7 +8433,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8151,20 +8441,22 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneAllowScriptlets**
-
+
Home
@@ -8186,8 +8478,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8196,8 +8488,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -8206,7 +8498,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8214,20 +8506,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE**
-
+
Home
@@ -8249,8 +8543,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8259,8 +8553,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -8271,7 +8565,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
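Review bot: Style point on the context line "Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content." It is a plain paragraph, while the TIP directly under it uses the alert syntax. Consider converting it to a `> [!NOTE]` block so both callouts render the same way. The identical line appears in the LockedDownIntranetZoneAllowSmartScreenIE entry and would need the same change.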
@@ -8279,20 +8573,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence**
-
+
Home
@@ -8314,8 +8610,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8324,8 +8620,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -8334,7 +8630,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8342,20 +8638,22 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -8377,8 +8675,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8387,8 +8685,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
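Review bot: The caveat "This setting is not recommended, except for secure and administered zones" is buried mid-paragraph in the enabled-state description. For an entry that covers the Locked-Down Internet Zone, consider lifting it into a `> [!WARNING]` alert next to the existing TIP so an admin sees it before enabling the policy, since the same sentence says enabling causes both unsafe and safe controls to be initialized and scripted.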
@@ -8399,7 +8697,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8407,20 +8705,22 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneJavaPermissions**
-
+
Home
@@ -8442,8 +8742,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8452,9 +8752,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
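Review bot: Missing description for InternetExplorer/LockedDownInternetZoneJavaPermissions. In this hunk every line between the Scope checklist and the `[!TIP]` alert is empty, so the entry gives no explanation of what enabling, disabling or not configuring the policy does, unlike the neighbouring policies, which each carry a "This policy setting ..." paragraph. Please add the description for the *Java permissions* setting (IZ_PolicyJavaPermissions_2) rather than only adjusting the blank lines around it.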
@@ -8462,20 +8763,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames**
-
+
Home
@@ -8497,8 +8800,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8507,8 +8810,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
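Review bot: Typo in the context line of this hunk: "open windows and frames from othe domains" should read "other domains". The same misspelling is in the "If you do not configure this policy setting" sentence of the next hunk. Since the change already touches this description block, please fix both occurrences here.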
@@ -8517,7 +8820,7 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8525,20 +8828,22 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources**
-
+
Home
@@ -8560,8 +8865,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8570,8 +8875,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
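Review bot: The description is inconsistent about scope. Its first sentence says Internet Explorer can "access data from another security zone", while the enabled and Prompt sentences say "access data from another site in the zone". Please make the two agree, and check the wording against the GP English name *Access data sources across domains* listed in the ADMX info for this policy.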
@@ -8580,7 +8885,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8588,20 +8893,22 @@ If you do not configure this policy setting, users are queried to choose whether
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -8623,8 +8930,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8633,8 +8940,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -8643,7 +8950,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8651,20 +8958,22 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -8686,8 +8995,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8696,15 +9005,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8712,20 +9021,22 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads**
-
+
Home
@@ -8747,8 +9058,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8757,8 +9068,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -8767,7 +9078,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8775,20 +9086,22 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites**
-
+
Home
@@ -8810,8 +9123,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8820,8 +9133,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -8830,7 +9143,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8838,20 +9151,22 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents**
-
+
Home
@@ -8873,8 +9188,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8883,8 +9198,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -8893,7 +9208,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8901,20 +9216,22 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneAllowScriptlets**
-
+
Home
@@ -8936,8 +9253,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8946,8 +9263,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -8956,7 +9273,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8964,20 +9281,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE**
-
+
Home
@@ -8999,8 +9318,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9009,8 +9328,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -9021,7 +9340,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9029,20 +9348,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence**
-
+
Home
@@ -9064,8 +9385,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9074,8 +9395,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -9084,7 +9405,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9092,20 +9413,22 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -9127,8 +9450,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9137,8 +9460,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
@@ -9149,7 +9472,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9157,20 +9480,22 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames**
-
+
Home
@@ -9192,8 +9517,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9202,8 +9527,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
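Review bot: Typo in the enable sentence of this hunk: "from othe domains" should be "from other domains". The not-configured sentence for the same policy carries the same typo, so both should be corrected together.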
@@ -9212,7 +9537,7 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9220,20 +9545,22 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources**
-
+
Home
@@ -9255,8 +9582,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9265,8 +9592,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
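Review bot: The two description sentences in this hunk disagree on scope. The summary says the setting governs access to data "from another security zone", while the enable sentence describes access to data "from another site in the zone". Please make them agree; the GP English name listed for this policy is "Access data sources across domains", which suggests neither wording is quite what is meant.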
@@ -9275,7 +9602,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9283,20 +9610,22 @@ If you do not configure this policy setting, users can load a page in the zone t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -9318,8 +9647,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9328,8 +9657,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -9338,7 +9667,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9346,20 +9675,22 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -9381,8 +9712,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9391,15 +9722,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
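Review bot: "non user-initiated" in the first description sentence should be hyphenated as "non-user-initiated". This description also says "this setting" where the sibling policies say "this policy setting"; suggest using one form throughout.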
@@ -9407,20 +9738,22 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads**
-
+
Home
@@ -9442,8 +9775,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9452,8 +9785,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -9462,7 +9795,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9470,20 +9803,22 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites**
-
+
Home
@@ -9505,8 +9840,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9515,8 +9850,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -9525,7 +9860,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9533,20 +9868,22 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents**
-
+
Home
@@ -9568,8 +9905,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9578,8 +9915,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -9588,7 +9925,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9596,20 +9933,22 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets**
-
+
Home
@@ -9631,8 +9970,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9641,8 +9980,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -9651,7 +9990,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9659,20 +9998,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE**
-
+
Home
@@ -9694,8 +10035,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9704,8 +10045,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -9716,7 +10057,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
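Review bot: The "Note: In Internet Explorer 7 ..." line at the top of this hunk is plain text, while the tip directly below it uses the `> [!TIP]` callout. Suggest converting it to a `> [!NOTE]` callout so the Phishing Filter caveat renders consistently with the other callouts on the page.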
@@ -9724,20 +10065,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence**
-
+
Home
@@ -9759,8 +10102,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9769,8 +10112,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -9779,7 +10122,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9787,20 +10130,22 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -9822,8 +10167,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9832,8 +10177,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
@@ -9844,7 +10189,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9852,20 +10197,22 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneJavaPermissions**
-
+
Home
@@ -9887,8 +10234,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9897,9 +10244,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
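Review bot: The description for InternetExplorer/LockedDownLocalMachineZoneJavaPermissions is missing. In this hunk the changed lines are followed directly by the ADMX tip, with none of the enable / disable / not-configured text that every neighbouring policy has. Please add the description before merging, or note explicitly that it is pending, so an admin is not left to configure "Java permissions" with no statement of what each state does.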
@@ -9907,20 +10255,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames**
-
+
Home
@@ -9942,8 +10292,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9952,8 +10302,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
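Review bot: "from othe domains" in the enable sentence should be "from other domains". This is the Locked-Down Local Machine Zone copy of the cross-domain navigation text, so the typo looks copy-pasted between zones; a search for "othe domains" across the file should catch the remaining instances.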
@@ -9962,7 +10312,7 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9970,20 +10320,22 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources**
-
+
Home
@@ -10005,8 +10357,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10015,8 +10367,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
@@ -10025,7 +10377,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10033,20 +10385,22 @@ If you do not configure this policy setting, users cannot load a page in the zon
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -10068,8 +10422,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10078,8 +10432,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -10088,7 +10442,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10096,20 +10450,22 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -10131,8 +10487,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10141,15 +10497,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10157,20 +10513,22 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads**
-
+
Home
@@ -10192,8 +10550,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10202,8 +10560,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -10212,7 +10570,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10220,20 +10578,22 @@ If you do not configure this policy setting, users are queried whether to allow
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites**
-
+
Home
@@ -10255,8 +10615,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10265,8 +10625,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -10275,7 +10635,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10283,20 +10643,22 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents**
-
+
Home
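Review bot: The context line telling admins that "there are a variety of online encoders that you can use" for the SyncML payload steers them toward pasting policy payloads into third-party sites. Since this patch touches that block for every policy, consider rewording it to lead with CDATA or a local encoding step. The CDATA link on the same line still uses http://www.w3.org and could move to https while the block is being edited.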
@@ -10318,8 +10680,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10328,8 +10690,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -10338,7 +10700,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10346,20 +10708,22 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets**
-
+
Home
@@ -10381,8 +10745,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10391,8 +10755,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -10401,7 +10765,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10409,20 +10773,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE**
-
+
Home
@@ -10444,8 +10810,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10454,8 +10820,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -10466,7 +10832,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
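Review bot: The line "Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone" is plain text, while the TIP directly below it uses the `> [!TIP]` alert syntax. Converting it to a `> [!NOTE]` block would keep the callouts consistent. The same plain "Note:" line appears in the LockedDownTrustedSitesZoneAllowSmartScreenIE hunk further down.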
@@ -10474,20 +10840,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence**
-
+
Home
@@ -10509,8 +10877,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10519,8 +10887,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -10529,7 +10897,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10537,20 +10905,22 @@ If you do not configure this policy setting, users cannot preserve information i
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -10572,8 +10942,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10582,8 +10952,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
@@ -10594,7 +10964,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10602,20 +10972,22 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions**
-
+
Home
@@ -10637,8 +11009,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10647,9 +11019,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
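Review bot: Missing documentation for LockedDownRestrictedSitesZoneJavaPermissions: between the scope block and the TIP this hunk carries only marker lines and no description text. Every other zone policy in this patch states what enabling, disabling and not configuring does, so the description should be filled in here rather than just re-tagged. The LockedDownTrustedSitesZoneJavaPermissions hunk has the same gap.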
@@ -10657,20 +11030,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames**
-
+
Home
@@ -10692,8 +11067,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10702,8 +11077,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
@@ -10712,7 +11087,7 @@ If you disable this policy setting, users cannot open other windows and frames f
If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10720,20 +11095,22 @@ If you do not configure this policy setting, users cannot open other windows and
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources**
-
+
Home
@@ -10755,8 +11132,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10765,8 +11142,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
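Review bot: The summary sentence says Internet Explorer can access data "from another security zone", but the enable sentence right after it says "from another site in the zone". These describe different scopes of cross-domain access, so please reconcile the wording so an admin can tell what is actually being allowed before enabling it.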
@@ -10775,7 +11152,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10783,20 +11160,22 @@ If you do not configure this policy setting, users can load a page in the zone t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -10818,8 +11197,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10828,8 +11207,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -10838,7 +11217,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10846,20 +11225,22 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -10881,8 +11262,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10891,15 +11272,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
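Review bot: Wording in the description is inconsistent: the first sentence says "non user-initiated file downloads" and the third says "file downloads that are not user-initiated". Pick one form (for example "non-user-initiated", hyphenated) and use it in both places.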
@@ -10907,20 +11288,22 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads**
-
+
Home
@@ -10942,8 +11325,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10952,8 +11335,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -10962,7 +11345,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10970,20 +11353,22 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites**
-
+
Home
@@ -11005,8 +11390,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11015,8 +11400,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -11025,7 +11410,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11033,20 +11418,22 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents**
-
+
Home
@@ -11068,8 +11455,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11078,8 +11465,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -11088,7 +11475,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11096,20 +11483,22 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets**
-
+
Home
@@ -11131,8 +11520,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11141,8 +11530,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -11151,7 +11540,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11159,20 +11548,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE**
-
+
Home
@@ -11194,8 +11585,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11204,8 +11595,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -11216,7 +11607,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11224,20 +11615,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence**
-
+
Home
@@ -11259,8 +11652,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11269,8 +11662,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -11279,7 +11672,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11287,20 +11680,22 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -11322,8 +11717,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11332,8 +11727,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
@@ -11344,7 +11739,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11352,20 +11747,22 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions**
-
+
Home
@@ -11387,8 +11784,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11397,9 +11794,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11407,20 +11805,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames**
-
+
Home
@@ -11442,8 +11842,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11452,8 +11852,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
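Review bot: Typo in the enable sentence of LockedDownTrustedSitesZoneNavigateWindowsAndFrames: "from othe domains" should read "from other domains". The same typo is in the "If you do not configure this policy setting" sentence in the next hunk, so both can be fixed in this pass.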
@@ -11462,7 +11862,7 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11470,20 +11870,22 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses**
-
+
Home
@@ -11505,8 +11907,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11515,9 +11917,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
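Review bot: Missing documentation for InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses. The lines changed here sit between the Scope checklist and the ADMX tip, and no description text appears in that span, unlike LockedDownTrustedSitesZoneNavigateWindowsAndFrames earlier in the patch, which spells out the enabled, disabled and not-configured behaviour. Please add the equivalent three-state description, or track it as a follow-up, since the same gap shows up in many of the policy entries this patch touches.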
@@ -11525,20 +11928,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_3*
- GP path: *Windows Components/Internet Explorer/Security Features/MK Protocol Security Restriction*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses**
-
+
Home
@@ -11560,8 +11965,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11570,9 +11975,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11580,20 +11986,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_6*
- GP path: *Windows Components/Internet Explorer/Security Features/Mime Sniffing Safety Feature*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/NotificationBarInternetExplorerProcesses**
-
+
Home
@@ -11615,8 +12023,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11625,9 +12033,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11635,20 +12044,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_10*
- GP path: *Windows Components/Internet Explorer/Security Features/Notification bar*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/PreventManagingSmartScreenFilter**
-
+
Home
@@ -11670,8 +12081,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11680,9 +12091,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
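Review bot: InternetExplorer/PreventManagingSmartScreenFilter has no description between the Scope checklist and the tip in this hunk. With a "Prevent managing" name, the text needs to say what enabling the policy actually locks in and what users can still change when it is disabled or not configured. Without that, an admin cannot tell from this page which state the filter ends up in.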
@@ -11690,20 +12102,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent managing SmartScreen Filter*
- GP name: *Disable_Managing_Safety_Filter_IE9*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/PreventPerUserInstallationOfActiveXControls**
-
+
Home
@@ -11725,8 +12139,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11735,9 +12149,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11745,20 +12160,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent per-user installation of ActiveX controls*
- GP name: *DisablePerUserActiveXInstall*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses**
-
+
Home
@@ -11780,8 +12197,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11790,9 +12207,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11800,20 +12218,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_9*
- GP path: *Windows Components/Internet Explorer/Security Features/Protection From Zone Elevation*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls**
-
+
Home
@@ -11835,8 +12255,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11845,9 +12265,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11855,20 +12276,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer *
- GP name: *VerMgmtDisableRunThisTime*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses**
-
+
Home
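Review bot: Formatting problem in the GP English name line of this hunk. The value ends with "in Internet Explorer *", and the space before the closing asterisk is likely to stop Markdown from closing the emphasis, so the line renders with literal asterisks instead of italics. Drop the trailing space so it matches the other GP English name entries.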
@@ -11890,8 +12313,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11900,9 +12323,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11910,20 +12334,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_11*
- GP path: *Windows Components/Internet Explorer/Security Features/Restrict ActiveX Install*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictFileDownloadInternetExplorerProcesses**
-
+
Home
@@ -11945,8 +12371,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11955,9 +12381,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11965,20 +12392,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_12*
- GP path: *Windows Components/Internet Explorer/Security Features/Restrict File Download*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources**
-
+
Home
@@ -12000,8 +12429,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12010,8 +12439,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
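Review bot: The two description sentences in this hunk disagree about scope. The first says the setting controls access to data "from another security zone", while the enabled-state sentence talks about access to data "from another site in the zone", and the GP English name further down is "Access data sources across domains". Please pick one wording (zone, site or domain) and use it consistently so it is clear which boundary this policy enforces.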
@@ -12020,7 +12449,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12028,20 +12457,22 @@ If you do not configure this policy setting, users cannot load a page in the zon
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowActiveScripting**
-
+
Home
@@ -12063,8 +12494,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12073,9 +12504,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
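Review bot: InternetExplorer/RestrictedSitesZoneAllowActiveScripting is left without a description here. The neighbouring Restricted Sites Zone entries (AllowAccessToDataSources, AllowFontDownloads) state what happens when the policy is enabled, disabled or not configured, including the Prompt option. This entry gives none of that, so the default behaviour for active scripting in this zone is undocumented. Please add the same three-state text.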
@@ -12083,20 +12515,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow active scripting*
- GP name: *IZ_PolicyActiveScripting_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -12118,8 +12552,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12128,8 +12562,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -12138,7 +12572,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12146,20 +12580,22 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -12181,8 +12617,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12191,15 +12627,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12207,20 +12643,22 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors**
-
+
Home
@@ -12242,8 +12680,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12252,9 +12690,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12262,20 +12701,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow binary and script behaviors*
- GP name: *IZ_PolicyBinaryBehaviors_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript**
-
+
Home
@@ -12297,8 +12738,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12307,9 +12748,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12317,20 +12759,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow cut, copy or paste operations from the clipboard via script*
- GP name: *IZ_PolicyAllowPasteViaScript_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles**
-
+
Home
@@ -12352,8 +12796,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12362,9 +12806,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12372,20 +12817,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow drag and drop or copy and paste files*
- GP name: *IZ_PolicyDropOrPasteFiles_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowFileDownloads**
-
+
Home
@@ -12407,8 +12854,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12417,9 +12864,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12427,20 +12875,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow file downloads*
- GP name: *IZ_PolicyFileDownload_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowFontDownloads**
-
+
Home
@@ -12462,8 +12912,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12472,8 +12922,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -12482,7 +12932,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12490,20 +12940,22 @@ If you do not configure this policy setting, users are queried whether to allow
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites**
-
+
Home
@@ -12525,8 +12977,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12535,8 +12987,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -12545,7 +12997,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12553,20 +13005,22 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles**
-
+
Home
@@ -12588,8 +13042,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12598,9 +13052,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12608,20 +13063,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow loading of XAML files*
- GP name: *IZ_Policy_XAML_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH**
-
+
Home
@@ -12643,8 +13100,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12653,9 +13110,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12663,20 +13121,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow META REFRESH*
- GP name: *IZ_PolicyAllowMETAREFRESH_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents**
-
+
Home
@@ -12698,8 +13158,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12708,8 +13168,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -12718,7 +13178,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12726,20 +13186,22 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls**
-
+
Home
@@ -12761,8 +13223,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12771,9 +13233,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12781,20 +13244,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow only approved domains to use ActiveX controls without prompt*
- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl**
-
+
Home
@@ -12816,8 +13281,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12826,9 +13291,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12836,20 +13302,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow only approved domains to use the TDC ActiveX control*
- GP name: *IZ_PolicyAllowTDCControl_Both_Restricted*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows**
-
+
Home
@@ -12871,8 +13339,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12881,9 +13349,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12891,20 +13360,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow script-initiated windows without size or position constraints*
- GP name: *IZ_PolicyWindowsRestrictionsURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls**
-
+
Home
@@ -12926,8 +13397,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12936,9 +13407,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12946,20 +13418,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scripting of Internet Explorer WebBrowser controls*
- GP name: *IZ_Policy_WebBrowserControl_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowScriptlets**
-
+
Home
@@ -12981,8 +13455,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12991,8 +13465,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -13001,7 +13475,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13009,20 +13483,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE**
-
+
Home
@@ -13044,8 +13520,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13054,8 +13530,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -13066,7 +13542,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
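Review bot: the context line "Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content." is plain paragraph text, while the callout two lines below it uses the `> [!TIP]` syntax. Suggest converting it to a `> [!NOTE]` callout so it renders consistently and is not read as a continuation of the not-configured sentence that precedes it.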
@@ -13074,20 +13550,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript**
-
+
Home
@@ -13109,8 +13587,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13119,9 +13597,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13129,20 +13608,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow updates to status bar via script*
- GP name: *IZ_Policy_ScriptStatusBar_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence**
-
+
Home
@@ -13164,8 +13645,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13174,8 +13655,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -13184,7 +13665,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13192,20 +13673,22 @@ If you do not configure this policy setting, users cannot preserve information i
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls**
-
+
Home
@@ -13227,8 +13710,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13237,9 +13720,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13247,20 +13731,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls**
-
+
Home
@@ -13282,8 +13768,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13292,9 +13778,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13302,20 +13789,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Download signed ActiveX controls*
- GP name: *IZ_PolicyDownloadSignedActiveX_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls**
-
+
Home
@@ -13337,8 +13826,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13347,9 +13836,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13357,20 +13847,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Download unsigned ActiveX controls*
- GP name: *IZ_PolicyDownloadUnsignedActiveX_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter**
-
+
Home
@@ -13392,8 +13884,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13402,9 +13894,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13412,20 +13905,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Cross-Site Scripting Filter*
- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows**
-
+
Home
@@ -13447,8 +13942,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13457,9 +13952,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13467,20 +13963,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable dragging of content from different domains across windows*
- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows**
-
+
Home
@@ -13502,8 +14000,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13512,9 +14010,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13522,20 +14021,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable dragging of content from different domains within a window*
- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneEnableMIMESniffing**
-
+
Home
@@ -13557,8 +14058,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13567,9 +14068,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13577,20 +14079,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable MIME Sniffing*
- GP name: *IZ_PolicyMimeSniffingURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer**
-
+
Home
@@ -13612,8 +14116,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13622,9 +14126,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13632,20 +14137,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Include local path when user is uploading files to a server*
- GP name: *IZ_Policy_LocalPathForUpload_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -13667,8 +14174,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13677,8 +14184,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
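Review bot: in the description kept as context here, "This setting is not recommended, except for secure and administered zones" reads as wording shared across all zones, but this entry is the Restricted Sites Zone variant (see the RestrictedSitesZoneInitializeAndScriptActiveXControls heading above and the GP path in the ADMX Info list below). Suggest stating directly what is recommended for this zone, so the exception clause cannot be misread as applying to Restricted Sites.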
@@ -13689,7 +14196,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13697,20 +14204,22 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneJavaPermissions**
-
+
Home
@@ -13732,8 +14241,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13742,9 +14251,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13752,20 +14262,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME**
-
+
Home
@@ -13787,8 +14299,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13797,9 +14309,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13807,20 +14320,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Launching applications and files in an IFRAME*
- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneLogonOptions**
-
+
Home
@@ -13842,8 +14357,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13852,9 +14367,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13862,20 +14378,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Logon options*
- GP name: *IZ_PolicyLogon_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames**
-
+
Home
@@ -13897,8 +14415,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13907,8 +14425,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
@@ -13917,7 +14435,7 @@ If you disable this policy setting, users cannot open other windows and frames f
If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13925,20 +14443,22 @@ If you do not configure this policy setting, users cannot open other windows and
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins**
-
+
Home
@@ -13960,8 +14480,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13970,9 +14490,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13980,20 +14501,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run ActiveX controls and plugins*
- GP name: *IZ_PolicyRunActiveXControls_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode**
-
+
Home
@@ -14015,8 +14538,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14025,9 +14548,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14035,20 +14559,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components signed with Authenticode*
- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting**
-
+
Home
@@ -14070,8 +14596,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14080,9 +14606,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14090,20 +14617,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Script ActiveX controls marked safe for scripting*
- GP name: *IZ_PolicyScriptActiveXMarkedSafe_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets**
-
+
Home
@@ -14125,8 +14654,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14135,9 +14664,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14145,20 +14675,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Scripting of Java applets*
- GP name: *IZ_PolicyScriptingOfJavaApplets_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles**
-
+
Home
@@ -14180,8 +14712,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14190,9 +14722,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14200,20 +14733,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Show security warning for potentially unsafe files*
- GP name: *IZ_Policy_UnsafeFiles_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode**
-
+
Home
@@ -14235,8 +14770,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14245,9 +14780,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14255,20 +14791,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Protected Mode*
- GP name: *IZ_Policy_TurnOnProtectedMode_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneUsePopupBlocker**
-
+
Home
@@ -14290,8 +14828,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14300,9 +14838,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14310,20 +14849,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Use Pop-up Blocker*
- GP name: *IZ_PolicyBlockPopupWindows_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses**
-
+
Home
@@ -14345,8 +14886,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14355,9 +14896,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14365,20 +14907,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_8*
- GP path: *Windows Components/Internet Explorer/Security Features/Scripted Window Security Restrictions*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/SearchProviderList**
-
+
Home
@@ -14400,8 +14944,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14410,15 +14954,15 @@ ADMX Info:
-
-
+
+
This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website.
If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.
If you disable or do not configure this policy setting, the user can configure his or her list of search providers.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
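Review bot: The registry location in the first description paragraph is written as `[HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]`, in square brackets with bare backslashes, which Markdown can read as link or escape syntax. Suggest putting the path in inline code and naming both hives explicitly. The inline "Note: This list can be created through a custom administrative template file" would also be easier to spot as a `> [!NOTE]` callout, matching the `> [!TIP]` block that follows it.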
@@ -14426,20 +14970,22 @@ If you disable or do not configure this policy setting, the user can configure h
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Restrict search providers to a specific list*
- GP name: *SpecificSearchProvider*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/SecurityZonesUseOnlyMachineSettings**
-
+
Home
@@ -14461,8 +15007,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14470,9 +15016,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
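Review bot: InternetExplorer/SecurityZonesUseOnlyMachineSettings has no description: between the scope checklist and the ADMX tip this hunk contains only blank lines, before and after the change. The neighbouring policies all state what enabling, disabling and not configuring do. Please add the same three statements here, since this setting decides whether per-user or machine-wide zone settings apply and an admin cannot judge that from the GP name alone.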
@@ -14480,20 +15027,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Security Zones: Use only machine settings *
- GP name: *Security_HKLM_only*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/SpecifyUseOfActiveXInstallerService**
-
+
Home
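Review bot: In the ADMX Info list, `*Security Zones: Use only machine settings *` has a space before the closing asterisk, so the emphasis does not close and the asterisks render literally. Remove the trailing space so the line matches the other "GP English name" entries.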
@@ -14515,8 +15064,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14525,9 +15074,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
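Review bot: The description block for InternetExplorer/SpecifyUseOfActiveXInstallerService is empty in this hunk (blank lines only between the scope checklist and the tip). Please document what the enabled and disabled states mean for how ActiveX controls get installed; the GP English name in the following ADMX Info list is the only explanation a reader currently gets.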
@@ -14535,20 +15085,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify use of ActiveX Installer Service for installation of ActiveX controls*
- GP name: *OnlyUseAXISForActiveXInstall*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources**
-
+
Home
@@ -14570,8 +15122,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14580,8 +15132,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
@@ -14590,7 +15142,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14598,20 +15150,22 @@ If you do not configure this policy setting, users can load a page in the zone t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -14633,8 +15187,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14643,8 +15197,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -14653,7 +15207,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14661,20 +15215,22 @@ If you do not configure this policy setting, users will receive a prompt when a
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -14696,8 +15252,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14706,15 +15262,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
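Review bot: The enabled paragraph and the disabled/not-configured paragraph describe the same outcome: both end with "users will receive a file download dialog for automatic download attempts". As written, an admin cannot tell what disabling this setting changes. Please check the explain text for *IZ_PolicyNotificationBarDownloadURLaction_5* in inetres.admx and correct whichever paragraph was copied.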
@@ -14722,20 +15278,22 @@ If you disable or do not configure this setting, users will receive a file downl
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneAllowFontDownloads**
-
+
Home
@@ -14757,8 +15315,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14767,8 +15325,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -14777,7 +15335,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14785,20 +15343,22 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites**
-
+
Home
@@ -14820,8 +15380,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14830,8 +15390,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -14840,7 +15400,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14848,20 +15408,22 @@ If you do not configure this policy setting, a warning is issued to the user tha
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents**
-
+
Home
@@ -14883,8 +15445,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14893,8 +15455,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -14903,7 +15465,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14911,20 +15473,22 @@ If you do not configure this policy setting, Internet Explorer will execute unsi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneAllowScriptlets**
-
+
Home
@@ -14946,8 +15510,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14956,8 +15520,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -14966,7 +15530,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14974,20 +15538,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE**
-
+
Home
@@ -15009,8 +15575,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -15019,8 +15585,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -15031,7 +15597,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -15039,20 +15605,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence**
-
+
Home
@@ -15074,8 +15642,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -15084,8 +15652,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -15094,7 +15662,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -15102,20 +15670,22 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls**
-
+
Home
@@ -15137,8 +15707,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -15147,9 +15717,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
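Review bot: InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls ships without a description: this hunk has only blank lines where the text should be. Because the policy name is negated ("DoNotRun..."), it is easy to misread which state keeps antimalware checks on. Please spell out the enabled, disabled and not-configured behaviour explicitly.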
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -15157,20 +15728,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -15192,8 +15765,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -15202,8 +15775,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
@@ -15214,7 +15787,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -15222,20 +15795,22 @@ If you do not configure this policy setting, users are queried whether to allow
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneJavaPermissions**
-
+
Home
@@ -15257,8 +15832,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -15267,9 +15842,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
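Review bot: No description is present for InternetExplorer/TrustedSitesZoneJavaPermissions; the hunk goes straight from the scope checklist to the ADMX tip. Besides the usual enabled/disabled text, this one needs the list of permission levels the setting accepts, because "Java permissions" implies a multi-valued choice that the page never enumerates.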
@@ -15277,20 +15853,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames**
-
+
Home
@@ -15312,8 +15890,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -15322,8 +15900,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
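Review bot: Typo in the enabled paragraph: "frames from othe domains" should be "frames from other domains". The same misspelling appears in the "If you do not configure this policy setting" paragraph of the next hunk, so fix both while this section is being touched.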
@@ -15332,7 +15910,7 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -15340,15 +15918,15 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
Footnote:
@@ -15357,5 +15935,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 43b40603af..361a19a81c 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - Kerberos
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## Kerberos policies
@@ -36,11 +36,13 @@ ms.date: 11/01/2017
+
-
+
+
**Kerberos/AllowForestSearchOrder**
-
+
Home
@@ -62,8 +64,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -71,15 +73,15 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -87,20 +89,22 @@ If you disable or do not configure this policy setting, the Kerberos client does
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Use forest search order*
- GP name: *ForestSearch*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
-
-
+
+
+
-
+
+
**Kerberos/KerberosClientSupportsClaimsCompoundArmor**
-
+
Home
@@ -122,8 +126,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -131,14 +135,14 @@ ADMX Info:
-
-
+
+
This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -146,20 +150,22 @@ If you disable or do not configure this policy setting, the client devices will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
- GP name: *EnableCbacAndArmor*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
-
-
+
+
+
-
+
+
**Kerberos/RequireKerberosArmoring**
-
+
Home
@@ -181,8 +187,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -190,8 +196,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
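Review bot: The "Warning:" paragraph is plain body text, yet it describes a full authentication outage ("all authentication for all its users will fail"). Suggest promoting it to a `> [!WARNING]` callout, in line with the `> [!TIP]` blocks already used on this page, and rewording the condition so it is clear the failure occurs when the domain has not enabled "Support Dynamic Access Control and Kerberos armoring".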
@@ -202,7 +208,7 @@ Note: The Kerberos Group Policy "Kerberos client support for claims, compound au
If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -210,20 +216,22 @@ If you disable or do not configure this policy setting, the client computers in
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Fail authentication requests when Kerberos armoring is not available*
- GP name: *ClientRequireFast*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
-
-
+
+
+
-
+
+
**Kerberos/RequireStrictKDCValidation**
-
+
Home
@@ -245,8 +253,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -254,15 +262,15 @@ ADMX Info:
-
-
+
+
This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -270,20 +278,22 @@ If you disable or do not configure this policy setting, the Kerberos client requ
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Require strict KDC validation*
- GP name: *ValidateKDC*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
-
-
+
+
+
-
+
+
**Kerberos/SetMaximumContextTokenSize**
-
+
Home
@@ -305,8 +315,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -314,8 +324,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
@@ -326,7 +336,7 @@ If you disable or do not configure this policy setting, the Kerberos client or s
Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -334,15 +344,15 @@ Note: This policy setting configures the existing MaxTokenSize registry value in
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Set maximum Kerberos SSPI context token buffer size*
- GP name: *MaxTokenSize*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
-
-
+
+
Footnote:
@@ -351,5 +361,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md
index ab4e33bba0..6606c038b3 100644
--- a/windows/client-management/mdm/policy-csp-kioskbrowser.md
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/03/2018
+ms.date: 01/30/2018
---
# Policy CSP - KioskBrowser
@@ -17,7 +17,7 @@ ms.date: 01/03/2018
-
+
## KioskBrowser policies
@@ -41,11 +41,13 @@ ms.date: 01/03/2018
+
-
+
+
**KioskBrowser/BlockedUrlExceptions**
-
+
Home
@@ -67,8 +69,8 @@ ms.date: 01/03/2018
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -77,26 +79,19 @@ ms.date: 01/03/2018
-
-
+
+
Added in Windows 10, next major update. List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**KioskBrowser/BlockedUrls**
-
+
Home
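Review bot: The KioskBrowser/BlockedUrlExceptions description at the top of this hunk is missing the details an admin needs to author the value. It says "with wildcard support" but gives no wildcard syntax, no delimiter for multiple URLs, and no value type or supported operations. It also says the exceptions "are a subset of the blocked URLs" without stating that an exception takes precedence over a matching BlockedUrls entry. Suggest adding a value type line and one short sample value here, and the same for BlockedUrls below.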
@@ -118,8 +113,8 @@ Added in Windows 10, next major update. List of exceptions to the blocked websit
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -128,26 +123,19 @@ Added in Windows 10, next major update. List of exceptions to the blocked websit
-
-
+
+
Added in Windows 10, next major update. List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**KioskBrowser/DefaultURL**
-
+
Home
@@ -169,8 +157,8 @@ Added in Windows 10, next major update. List of blocked website URLs (with wildc
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -179,26 +167,19 @@ Added in Windows 10, next major update. List of blocked website URLs (with wildc
-
-
+
+
Added in Windows 10, next major update. Configures the default URL kiosk browsers to navigate on launch and restart.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**KioskBrowser/EnableHomeButton**
-
+
Home
@@ -220,8 +201,8 @@ Added in Windows 10, next major update. Configures the default URL kiosk browser
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -230,26 +211,19 @@ Added in Windows 10, next major update. Configures the default URL kiosk browser
-
-
+
+
Added in Windows 10, next major update. Enable/disable kiosk browser's home button.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**KioskBrowser/EnableNavigationButtons**
-
+
Home
@@ -271,8 +245,8 @@ Added in Windows 10, next major update. Enable/disable kiosk browser's home butt
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -281,26 +255,19 @@ Added in Windows 10, next major update. Enable/disable kiosk browser's home butt
-
-
+
+
Added in Windows 10, next major update. Enable/disable kiosk browser's navigation buttons (forward/back).
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**KioskBrowser/RestartOnIdleTime**
-
+
Home
@@ -322,8 +289,8 @@ Added in Windows 10, next major update. Enable/disable kiosk browser's navigatio
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -332,23 +299,14 @@ Added in Windows 10, next major update. Enable/disable kiosk browser's navigatio
-
-
+
+
Added in Windows 10, next major update. Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.
The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser.
-
-
-
-
-
-
-
-
-
-
-
+
+
Footnote:
@@ -357,5 +315,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
index 64f7550a15..66109605f7 100644
--- a/windows/client-management/mdm/policy-csp-licensing.md
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - Licensing
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Licensing policies
Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices.
+
+
+Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices.
-
+
The following list shows the supported values:
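Review bot: The re-added description line still reads "Enables or Disable Windows license reactivation on managed devices", with mismatched verb forms. As the line is being rewritten in this hunk, change it to "Enables or disables Windows license reactivation on managed devices."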
@@ -74,12 +76,14 @@ The following list shows the supported values:
- 1 (default) – Enable Windows license reactivation on managed devices.
-
+
+
@@ -101,8 +105,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -110,11 +114,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.
+
+
+Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.
-
+
The following list shows the supported values:
@@ -122,7 +126,7 @@ The following list shows the supported values:
- 1 – Enabled.
-
+
Footnote:
@@ -131,5 +135,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index fc13b1db75..f67234078a 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/29/2017
+ms.date: 01/30/2018
---
# Policy CSP - LocalPoliciesSecurityOptions
@@ -17,7 +17,7 @@ ms.date: 12/29/2017
-
+
## LocalPoliciesSecurityOptions policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -223,8 +225,8 @@ ms.date: 12/29/2017
-
-
+
+
This policy setting prevents users from adding new Microsoft accounts on this computer.
If you select the "Users cannot add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
@@ -235,7 +237,7 @@ If you disable or do not configure this policy (recommended), users will be able
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
+
The following list shows the supported values:
@@ -243,12 +245,14 @@ The following list shows the supported values:
- 1 - enabled (users cannot add Microsoft accounts).
-
+
+
-
+
+
**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus**
-
+
Home
@@ -270,8 +274,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -279,8 +283,8 @@ The following list shows the supported values:
-
-
+
+
This security setting determines whether the local Administrator account is enabled or disabled.
If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password.
@@ -289,19 +293,24 @@ Disabling the Administrator account can become a maintenance issue under certain
Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled.
Default: Disabled.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
Valid values:
- 0 - local Administrator account is disabled
- 1 - local Administrator account is enabled
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
-
-
-
+
+
**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus**
-
+
Home
@@ -323,8 +332,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -332,26 +341,31 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
This security setting determines if the Guest account is enabled or disabled.
Default: Disabled.
-Valid values:
-- 0 - local Guest account is disabled
-- 1 - local Guest account is enabled
Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+Valid values:
+- 0 - local Guest account is disabled
+- 1 - local Guest account is enabled
+
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**
-
+
Home
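Review bot: The relocated list for Accounts_EnableGuestAccountStatus is introduced with "Valid values:", while the AllowMicrosoftAccounts section earlier in this same file uses "The following list shows the supported values:". Pick one lead-in for the whole file so the supported-values blocks read consistently. The same applies to the other "Valid values:" blocks moved in this change.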
@@ -373,8 +387,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -382,16 +396,13 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Accounts: Limit local account use of blank passwords to console logon only
This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard.
Default: Enabled.
-Valid values:
-- 0 - disabled - local accounts that are not password protected can be used to log on from locations other than the physical computer console
-- 1 - enabled - local accounts that are not password protected will only be able to log on at the computer's keyboard
Warning:
@@ -403,13 +414,21 @@ It is possible for applications that use remote interactive logons to bypass thi
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+Valid values:
+- 0 - disabled - local accounts that are not password protected can be used to log on from locations other than the physical computer console
+- 1 - enabled - local accounts that are not password protected will only be able to log on at the computer's keyboard
+
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount**
-
+
Home
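Review bot: The relocated values list does not say which value is the default. After this move it sits below the Warning and the "Value type" line, well away from "Default: Enabled." in the previous hunk. Because 0 lets accounts without a password log on from locations other than the console, mark the safe value in the list itself, for example "1 (default) - enabled - ...", as policy-csp-licensing.md does with "1 (default)".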
@@ -431,8 +450,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -440,8 +459,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Accounts: Rename administrator account
This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination.
@@ -450,13 +469,15 @@ Default: Administrator.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount**
-
+
Home
@@ -478,8 +499,8 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -487,8 +508,8 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Accounts: Rename guest account
This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination.
@@ -497,13 +518,15 @@ Default: Guest.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon**
-
+
Home
@@ -525,8 +548,8 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -534,8 +557,8 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Devices: Allow undock without having to log on.
This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer.
@@ -545,22 +568,15 @@ Caution:
Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia**
-
+
Home
@@ -582,8 +598,8 @@ Disabling this policy may tempt users to try and physically remove the laptop fr
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -591,8 +607,8 @@ Disabling this policy may tempt users to try and physically remove the laptop fr
-
-
+
+
Devices: Allowed to format and eject removable media
This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to:
@@ -602,22 +618,15 @@ This security setting determines who is allowed to format and eject removable NT
Default: This policy is not defined and only Administrators have this ability.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters**
-
+
Home
@@ -639,8 +648,8 @@ Default: This policy is not defined and only Administrators have this ability.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -648,8 +657,8 @@ Default: This policy is not defined and only Administrators have this ability.
-
-
+
+
Devices: Prevent users from installing printer drivers when connecting to shared printers
For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer.
@@ -661,22 +670,15 @@ Note
This setting does not affect the ability to add a local printer. This setting does not affect Administrators.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly**
-
+
Home
@@ -698,8 +700,8 @@ This setting does not affect the ability to add a local printer. This setting do
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -707,8 +709,8 @@ This setting does not affect the ability to add a local printer. This setting do
-
-
+
+
Devices: Restrict CD-ROM access to locally logged-on user only
This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously.
@@ -717,22 +719,15 @@ If this policy is enabled, it allows only the interactively logged-on user to ac
Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways**
-
+
Home
@@ -754,8 +749,8 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -763,8 +758,8 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l
-
-
+
+
Domain member: Digitally encrypt or sign secure channel data (always)
This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
@@ -784,22 +779,15 @@ If this policy is enabled, the policy Domain member: Digitally sign secure chann
If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible**
-
+
Home
@@ -821,8 +809,8 @@ Logon information transmitted over the secure channel is always encrypted regard
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -830,8 +818,8 @@ Logon information transmitted over the secure channel is always encrypted regard
-
-
+
+
Domain member: Digitally encrypt secure channel data (when possible)
This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
@@ -848,22 +836,15 @@ There is no known reason for disabling this setting. Besides unnecessarily reduc
Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible**
-
+
Home
@@ -885,8 +866,8 @@ Note: Domain controllers are also domain members and establish secure channels w
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -894,8 +875,8 @@ Note: Domain controllers are also domain members and establish secure channels w
-
-
+
+
Domain member: Digitally sign secure channel data (when possible)
This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.
@@ -906,22 +887,15 @@ This setting determines whether or not the domain member attempts to negotiate s
Default: Enabled.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges**
-
+
Home
@@ -943,8 +917,8 @@ Default: Enabled.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -952,8 +926,8 @@ Default: Enabled.
-
-
+
+
Domain member: Disable machine account password changes
Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.
@@ -965,22 +939,15 @@ Notes
This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge**
-
+
Home
@@ -1002,8 +969,8 @@ This setting should not be used in an attempt to support dual-boot scenarios tha
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1011,8 +978,8 @@ This setting should not be used in an attempt to support dual-boot scenarios tha
-
-
+
+
Domain member: Maximum machine account password age
This security setting determines how often a domain member will attempt to change its computer account password.
@@ -1023,22 +990,15 @@ Important
This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey**
-
+
Home
@@ -1060,8 +1020,8 @@ This setting applies to Windows 2000 computers, but it is not available through
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1069,8 +1029,8 @@ This setting applies to Windows 2000 computers, but it is not available through
-
-
+
+
Domain member: Require strong (Windows 2000 or later) session key
This security setting determines whether 128-bit key strength is required for encrypted secure channel data.
@@ -1092,22 +1052,15 @@ Important
In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later.
In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
-
+
Home
@@ -1129,8 +1082,8 @@ In order to take advantage of this policy on domain controllers, all domain cont
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1138,24 +1091,29 @@ In order to take advantage of this policy on domain controllers, all domain cont
-
-
+
+
Interactive Logon:Display user information when the session is locked
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
Valid values:
- 1 - User display name, domain and user names
- 2 - User display name only
- 3 - Do not display user information
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
-
-
-
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn**
-
+
Home
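Review bot: The InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked section reordered here has a title line but no description and no stated default, unlike the neighbouring Interactive logon sections. Add a sentence on what the setting controls and which of 1, 2 or 3 applies when it is not configured. The title "Interactive Logon:Display" also lacks the space after the colon and capitalises "Logon" differently from the other "Interactive logon:" titles in this file.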
@@ -1177,8 +1135,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1186,8 +1144,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Interactive logon: Don't display last signed-in
This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC.
@@ -1196,19 +1154,24 @@ If this policy is enabled, the username will not be shown.
If this policy is disabled, the username will be shown.
Default: Disabled.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
Valid values:
- 0 - disabled (username will be shown)
- 1 - enabled (username will not be shown)
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
-
-
-
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn**
-
+
Home
@@ -1230,8 +1193,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1239,8 +1202,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Interactive logon: Don't display username at sign-in
This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown.
@@ -1250,19 +1213,24 @@ If this policy is enabled, the username will not be shown.
If this policy is disabled, the username will be shown.
Default: Disabled.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
Valid values:
- 0 - disabled (username will be shown)
- 1 - enabled (username will not be shown)
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
-
-
-
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL**
-
+
Home
@@ -1284,8 +1252,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1293,8 +1261,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Interactive logon: Do not require CTRL+ALT+DEL
This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.
@@ -1305,19 +1273,24 @@ If this policy is disabled, any user is required to press CTRL+ALT+DEL before lo
Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier.
Default on stand-alone computers: Enabled.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
Valid values:
- 0 - disabled
- 1 - enabled (a user is not required to press CTRL+ALT+DEL to log on)
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
-
-
-
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit**
-
+
Home
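Review bot: In the values list, "0 - disabled" has no explanation while "1 - enabled" does, and the policy name is negated ("Do not require"), so the bare word is easy to misread. Spell out the 0 entry to match the description above, for example "0 - disabled (a user must press CTRL+ALT+DEL to log on)".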
@@ -1339,8 +1312,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1348,26 +1321,31 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Interactive logon: Machine inactivity limit.
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
Default: not enforced.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
Valid values:
- 0 - disabled
- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit)
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
-
-
-
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn**
-
+
Home
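Review bot: The values list for InteractiveLogon_MachineInactivityLimit describes an on/off switch (0 disabled, 1 enabled), but the description and the 1 entry both refer to an "inactivity limit" that the session must exceed. Nothing here says where that limit is set or what unit it uses. State whether the integer itself carries the limit, with its unit and allowed range, or name the setting that supplies it.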
@@ -1389,8 +1367,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1398,8 +1376,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Interactive logon: Message text for users attempting to log on
This security setting specifies a text message that is displayed to users when they log on.
@@ -1410,13 +1388,15 @@ Default: No message.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn**
-
+
Home
@@ -1438,8 +1418,8 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1447,8 +1427,8 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Interactive logon: Message title for users attempting to log on
This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on.
@@ -1457,13 +1437,15 @@ Default: No message.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior**
-
+
Home
@@ -1485,8 +1467,8 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1494,8 +1476,8 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Interactive logon: Smart card removal behavior
This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
@@ -1519,22 +1501,15 @@ Default: This policy is not defined, which means that the system treats it as No
On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways**
-
+
Home
@@ -1556,8 +1531,8 @@ On Windows Vista and above: For this setting to work, the Smart Card Removal Pol
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1565,8 +1540,8 @@ On Windows Vista and above: For this setting to work, the Smart Card Removal Pol
-
-
+
+
Microsoft network client: Digitally sign communications (always)
This security setting determines whether packet signing is required by the SMB client component.
@@ -1591,22 +1566,15 @@ Microsoft network server: Digitally sign communications (if client agrees) - Con
SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees**
-
+
Home
@@ -1628,8 +1596,8 @@ For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1637,8 +1605,8 @@ For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
Microsoft network client: Digitally sign communications (if server agrees)
This security setting determines whether the SMB client attempts to negotiate SMB packet signing.
@@ -1660,22 +1628,15 @@ If both client-side and server-side SMB signing is enabled and the client establ
SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers**
-
+
Home
@@ -1697,8 +1658,8 @@ For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1706,8 +1667,8 @@ For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
Microsoft network client: Send unencrypted password to connect to third-party SMB servers
If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.
@@ -1716,22 +1677,15 @@ Sending unencrypted passwords is a security risk.
Default: Disabled.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession**
-
+
Home
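Review bot: The MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers section still ends at "Default: Disabled." in the visible context, with no value type and no list tying Disabled and Enabled to the integers an MDM payload carries. The PKU2U section in this same file lists "0 - disabled" and "1 - enabled"; add the equivalent list here, since this setting decides whether plaintext passwords leave the client and a payload author should not have to guess which integer keeps that off.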
@@ -1753,8 +1707,8 @@ Default: Disabled.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1762,8 +1716,8 @@ Default: Disabled.
-
-
+
+
Microsoft network server: Amount of idle time required before suspending a session
This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.
@@ -1774,22 +1728,15 @@ For this policy setting, a value of 0 means to disconnect an idle session as qui
Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways**
-
+
Home
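Review bot: Typo in the context line that closes the MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession description: "Default:This policy is not defined" is missing the space after the colon. The closing lines of this section are already being touched here, so fix it in the same commit.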
@@ -1811,8 +1758,8 @@ Default:This policy is not defined, which means that the system treats it as 15
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1820,8 +1767,8 @@ Default:This policy is not defined, which means that the system treats it as 15
-
-
+
+
Microsoft network server: Digitally sign communications (always)
This security setting determines whether packet signing is required by the SMB server component.
@@ -1855,22 +1802,15 @@ For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the f
HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees**
-
+
Home
@@ -1892,8 +1832,8 @@ For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1901,8 +1841,8 @@ For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
Microsoft network server: Digitally sign communications (if client agrees)
This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it.
@@ -1928,22 +1868,15 @@ If both client-side and server-side SMB signing is enabled and the client establ
SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts**
-
+
Home
@@ -1965,8 +1898,8 @@ For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1974,8 +1907,8 @@ For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
Network access: Do not allow anonymous enumeration of SAM accounts
This security setting determines what additional permissions will be granted for anonymous connections to the computer.
@@ -1994,22 +1927,15 @@ Important
This policy has no impact on domain controllers.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares**
-
+
Home
@@ -2031,8 +1957,8 @@ This policy has no impact on domain controllers.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2040,8 +1966,8 @@ This policy has no impact on domain controllers.
-
-
+
+
Network access: Do not allow anonymous enumeration of SAM accounts and shares
This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.
@@ -2050,22 +1976,15 @@ Windows allows anonymous users to perform certain activities, such as enumeratin
Default: Disabled.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers**
-
+
Home
@@ -2087,8 +2006,8 @@ Default: Disabled.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2096,8 +2015,8 @@ Default: Disabled.
-
-
+
+
Network access: Let Everyone permissions apply to anonymous users
This security setting determines what additional permissions are granted for anonymous connections to the computer.
@@ -2108,22 +2027,15 @@ If this policy is enabled, the Everyone SID is added to the token that is create
Default: Disabled.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares**
-
+
Home
@@ -2145,8 +2057,8 @@ Default: Disabled.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2154,8 +2066,8 @@ Default: Disabled.
-
-
+
+
Network access: Restrict anonymous access to Named Pipes and Shares
When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
@@ -2164,22 +2076,15 @@ Network access: Named pipes that can be accessed anonymously
Network access: Shares that can be accessed anonymously
Default: Enabled.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM**
-
+
Home
@@ -2201,8 +2106,8 @@ Default: Enabled.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2210,8 +2115,8 @@ Default: Enabled.
-
-
+
+
Network access: Restrict clients allowed to make remote calls to SAM
This policy setting allows you to restrict remote rpc connections to SAM.
@@ -2220,22 +2125,15 @@ If not selected, the default security descriptor will be used.
This policy is supported on at least Windows Server 2016.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM**
-
+
Home
@@ -2257,8 +2155,8 @@ This policy is supported on at least Windows Server 2016.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2266,8 +2164,8 @@ This policy is supported on at least Windows Server 2016.
-
-
+
+
Network security: Allow Local System to use computer identity for NTLM
This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication.
@@ -2284,22 +2182,15 @@ This policy is supported on at least Windows Vista or Windows Server 2008.
Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**
-
+
Home
@@ -2321,8 +2212,8 @@ Note: Windows Vista or Windows Server 2008 do not expose this setting in Group P
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2330,25 +2221,30 @@ Note: Windows Vista or Windows Server 2008 do not expose this setting in Group P
-
-
+
+
Network security: Allow PKU2U authentication requests to this computer to use online identities.
This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
Valid values:
- 0 - disabled
- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities.)
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange**
-
+
Home
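Review bot: Neither entry under "Valid values:" in NetworkSecurity_AllowPKU2UAuthenticationRequests is marked as the default, and the prose only says the policy is turned off by default on domain joined machines. State the default for devices that are not domain joined and mark it in the list, the way the Location policy in this same change does with "0 (default) – Disabled."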
@@ -2370,8 +2266,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2379,8 +2275,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Network security: Do not store LAN Manager hash value on next password change
This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.
@@ -2394,22 +2290,15 @@ Important
Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.
This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel**
-
+
Home
@@ -2431,8 +2320,8 @@ This setting can affect the ability of computers running Windows 2000 Server, Wi
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2440,8 +2329,8 @@ This setting can affect the ability of computers running Windows 2000 Server, Wi
-
-
+
+
Network security LAN Manager authentication level
This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:
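Review bot: The title line in the NetworkSecurity_LANManagerAuthenticationLevel description reads "Network security LAN Manager authentication level", without the colon that the other titles in this file carry (for example "Network security: Do not store LAN Manager hash value on next password change"). Add the colon so the title matches its siblings.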
@@ -2470,22 +2359,15 @@ Windows Server 2003: Send NTLM response only
Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients**
-
+
Home
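Review bot: The defaults at the end of NetworkSecurity_LANManagerAuthenticationLevel stop at "Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only", while the footnotes in this file date the policies to Windows 10 releases. Add the default that applies to Windows 10 devices so an admin knows what an unset policy means on a managed device, and consider whether the Windows Server 2003 entry still belongs here.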
@@ -2507,8 +2389,8 @@ Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2516,8 +2398,8 @@ Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send
-
-
+
+
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
@@ -2531,22 +2413,15 @@ Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows
Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers**
-
+
Home
@@ -2568,8 +2443,8 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2577,8 +2452,8 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
-
-
+
+
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
@@ -2592,22 +2467,15 @@ Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows
Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon**
-
+
Home
@@ -2629,26 +2497,31 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
-
-
+
+
Recovery console: Allow automatic administrative logon
This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system.
Default: This policy is not defined and automatic administrative logon is not allowed.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
Valid values:
- 0 - disabled
- 1 - enabled (allow automatic administrative logon)
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
-
-
-
+
+
**LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn**
-
+
Home
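Review bot: The default stated for RecoveryConsole_AllowAutomaticAdministrativeLogon, "This policy is not defined and automatic administrative logon is not allowed", does not correspond to either entry under "Valid values:". Say that the unconfigured state behaves like 0, or mark 0 as the default in the list; it matters here because the description says enabling the option lets the Recovery Console log on without a password.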
@@ -2670,8 +2543,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2679,8 +2552,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Shutdown: Allow system to be shut down without having to log on
This security setting determines whether a computer can be shut down without having to log on to Windows.
@@ -2691,19 +2564,24 @@ When this policy is disabled, the option to shut down the computer does not appe
Default on workstations: Enabled.
Default on servers: Disabled.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
Valid values:
- 0 - disabled
- 1 - enabled (allow system to be shut down without having to log on)
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
-
-
-
+
+
**LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile**
-
+
Home
@@ -2725,8 +2603,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2734,8 +2612,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Shutdown: Clear virtual memory pagefile
This security setting determines whether the virtual memory pagefile is cleared when the system is shut down.
@@ -2746,22 +2624,15 @@ When this policy is enabled, it causes the system pagefile to be cleared upon cl
Default: Disabled.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems**
-
+
Home
@@ -2783,8 +2654,8 @@ Default: Disabled.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2792,8 +2663,8 @@ Default: Disabled.
-
-
+
+
System objects: Require case insensitivity for non-Windows subsystems
This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX.
@@ -2802,22 +2673,15 @@ If this setting is enabled, case insensitivity is enforced for all directory obj
Default: Enabled.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation**
-
+
Home
@@ -2839,8 +2703,8 @@ Default: Enabled.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2848,8 +2712,8 @@ Default: Enabled.
-
-
+
+
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
@@ -2857,21 +2721,26 @@ This policy setting controls whether User Interface Accessibility (UIAccess or U
Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
Disabled: (Default)
-Valid values:
-- 0 - disabled
-- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop)
The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop)
+
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators**
-
+
Home
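Review bot: "Disabled: (Default)" in UserAccountControl_AllowUIAccessApplicationsToPromptForElevation has no description after it, and the relocated list entry reads "- 0 - disabled" without a default marker. Give the Disabled option its description (the following sentence about who can disable the secure desktop looks like it belongs on that line) and write the entry as "- 0 (default) - disabled".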
@@ -2893,8 +2762,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2902,8 +2771,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
This policy setting controls the behavior of the elevation prompt for administrators.
@@ -2924,13 +2793,15 @@ The options are:
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers**
-
+
Home
@@ -2952,8 +2823,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2961,14 +2832,14 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
User Account Control: Behavior of the elevation prompt for standard users
This policy setting controls the behavior of the elevation prompt for standard users.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
+
The following list shows the supported values:
@@ -2977,12 +2848,14 @@ The following list shows the supported values:
- 3 (Default) - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-
+
+
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation**
-
+
Home
@@ -3004,8 +2877,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3013,8 +2886,8 @@ The following list shows the supported values:
-
-
+
+
User Account Control: Detect application installations and prompt for elevation
This policy setting controls the behavior of application installation detection for the computer.
@@ -3025,22 +2898,15 @@ Enabled: (Default) When an application installation package is detected that req
Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated**
-
+
Home
@@ -3062,8 +2928,8 @@ Disabled: Application installation packages are not detected and prompted for el
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3071,8 +2937,8 @@ Disabled: Application installation packages are not detected and prompted for el
-
-
+
+
User Account Control: Only elevate executable files that are signed and validated
This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
@@ -3083,13 +2949,15 @@ The options are:
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations**
-
+
Home
@@ -3111,8 +2979,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3120,8 +2988,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
User Account Control: Only elevate UIAccess applications that are installed in secure locations
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
@@ -3138,13 +3006,15 @@ The options are:
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode**
-
+
Home
@@ -3166,8 +3036,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3175,8 +3045,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
User Account Control: Turn on Admin Approval Mode
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
@@ -3188,13 +3058,15 @@ The options are:
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation**
-
+
Home
@@ -3216,8 +3088,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3225,8 +3097,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
User Account Control: Switch to the secure desktop when prompting for elevation
This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
@@ -3237,13 +3109,15 @@ The options are:
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode**
-
+
Home
@@ -3265,8 +3139,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3274,8 +3148,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
User Account Control: Use Admin Approval Mode for the built-in Administrator account
This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
@@ -3286,22 +3160,15 @@ The options are:
• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations**
-
+
Home
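Review bot: The options in UserAccountControl_UseAdminApprovalMode are still written with a literal "•" and the words Enabled/Disabled only, as in "• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege." Convert them to the numbered list form this change gives VirtualizeFileAndRegistryWriteFailuresToPerUserLocations, with the integer for each option, and add the "Value type is integer" line that the neighbouring UAC sections end with.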
@@ -3323,8 +3190,8 @@ The options are:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3332,20 +3199,23 @@ The options are:
-
-
+
+
User Account Control: Virtualize file and registry write failures to per-user locations
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
-The options are:
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+The following list shows the supported values:
+
- 0 - Disabled: Applications that write data to protected locations fail.
- 1 - Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
-
+
+
Footnote:
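Review bot: The list heading in UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations becomes "The following list shows the supported values:", but the hunks for PKU2U, Recovery console and Shutdown in this same change keep "Valid values:", and the hunk headers of several other UAC sections still show "The options are:". Pick one heading and apply it across the file.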
@@ -3354,5 +3224,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md
index 9c979b9d53..ac9c25abfa 100644
--- a/windows/client-management/mdm/policy-csp-location.md
+++ b/windows/client-management/mdm/policy-csp-location.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - Location
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## Location policies
Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page.
+
+
+Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page.
> [!IMPORTANT]
> This policy is not intended to ever be set, pushed, or refreshed more than one time after the first boot of the device because it is meant as initial configuration. Refreshing this policy might result in the Location Service's Device Switch changing state to something the user did not select, which is not an intended use for this policy.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Disabled.
- 1 – Enabled.
-
To validate on Desktop, do the following:
+
+
+To validate on Desktop, do the following:
1. Verify that Settings -> Privacy -> Location -> Location for this device is On/Off as expected.
2. Use Windows Maps Application (or similar) to see if a location can or cannot be obtained.
-
-
+
+
Footnote:
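Review bot: The description paragraph is re-added with its grammar problems intact: "allows for IT admin to preconfigure" and "affects all users, apps, and services ability to find the device's latitude and longitude". Since the line is being rewritten anyway, change these to "allows an IT admin to preconfigure" and "the ability of all users, apps, and services to find". The value list in this file also separates with an en dash ("0 (default) – Disabled.") where the other policy files in this change use a hyphen.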
@@ -86,5 +92,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
index 8db727d554..a63d073566 100644
--- a/windows/client-management/mdm/policy-csp-lockdown.md
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - LockDown
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## LockDown policies
Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch.
+
+
+Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch.
-
The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled.
+The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled.
-
+
The following list shows the supported values:
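Review bot: The re-added verification paragraph opens its second sentence with "And then" and never names the policy value being verified. What it describes (Action Center not opening on a right-edge swipe) is the restricted state, while the only value shown in the list that follows is 1, "allow edge swipe". Suggest merging the first two sentences and stating which value the steps test.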
@@ -73,7 +75,7 @@ The following list shows the supported values:
- 1 (default, not configured) - allow edge swipe.
-
+
Footnote:
@@ -82,5 +84,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md
index aca34d8a1b..4d5a5f55ec 100644
--- a/windows/client-management/mdm/policy-csp-maps.md
+++ b/windows/client-management/mdm/policy-csp-maps.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - Maps
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Maps policies
Added in Windows 10, version 1607. Allows the download and update of map data over metered connections.
+
+
+Added in Windows 10, version 1607. Allows the download and update of map data over metered connections.
-
After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**.
+After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**.
-
+
The following list shows the supported values:
@@ -77,12 +79,14 @@ The following list shows the supported values:
- 65535 (default) – Not configured. User's choice.
-
+
+
-
+
+
**Maps/EnableOfflineMapsAutoUpdate**
-
+
Home
@@ -104,8 +108,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -113,13 +117,13 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Disables the automatic download and update of map data.
+
+
+Added in Windows 10, version 1607. Disables the automatic download and update of map data.
-
After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**.
+After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**.
-
+
The following list shows the supported values:
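Review bot: The description re-added under **Maps/EnableOfflineMapsAutoUpdate** reads "Disables the automatic download and update of map data", which contradicts the policy name. Since the line is being touched anyway, reword it so the verb matches the name, or describe both directions ("Enables or disables ..."), so an admin does not set the opposite of what they intend. The verification sentence could also name the Settings app before **System** > **Offline Maps**.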
@@ -128,7 +132,7 @@ The following list shows the supported values:
- 65535 (default) – Not configured. User's choice.
-
+
Footnote:
@@ -137,5 +141,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index 4d41080dfa..abd33e0f71 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - Messaging
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## Messaging policies
@@ -30,11 +30,13 @@ ms.date: 11/01/2017
+
-
+
+
**Messaging/AllowMMS**
-
+
Home
@@ -56,8 +58,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -65,25 +67,29 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Added in Windows 10, version 1703. Enables or disables the MMS send/receive functionality on the device. For enterprises, this policy can be used to disable MMS on devices as part of the auditing or management requirement.
+Added in Windows 10, version 1703. Enables or disables the MMS send/receive functionality on the device. For enterprises, this policy can be used to disable MMS on devices as part of the auditing or management requirement.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 - Disabled.
- 1 (default) - Enabled.
-
-
+
+
+
Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control.
+
+
+Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 - message sync is not allowed and cannot be changed by the user.
- 1 - message sync is allowed. The user can change this setting.
-
-
+
+
+
-
+
+
**Messaging/AllowRCS**
-
+
Home
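Review bot: In the re-added message sync description, "text message back up and restore" uses the verb form where the noun "backup" is meant. Its value list also starts in lower case ("message sync is not allowed ...") while the AllowMMS and AllowRCS lists use "Disabled." and "Enabled."; pick one style. The description says the policy exists to keep information off servers outside the organization's control, so the value list should say plainly that 0 is the value that achieves that.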
@@ -151,8 +161,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -160,20 +170,22 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Added in Windows 10, version 1703. Enables or disables the RCS send/receive functionality on the device. For enterprises, this policy can be used to disable RCS on devices as part of the auditing or management requirement.
+Added in Windows 10, version 1703. Enables or disables the RCS send/receive functionality on the device. For enterprises, this policy can be used to disable RCS on devices as part of the auditing or management requirement.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 - Disabled.
- 1 (default) - Enabled.
-
-
+
+
Footnote:
@@ -182,5 +194,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index 2e86a44453..445d9a8d6d 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - NetworkIsolation
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## NetworkIsolation policies
Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**.
+
+
+Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**.
+
+
+
-
-
Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example:
+
+
+Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges.
+
+
+
+For example:
``` syntax
10.0.0.0-10.255.255.255,157.54.0.0-157.54.255.255,
@@ -134,13 +142,15 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
```
-
-
+
+
+
Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets.
+
+
+Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets.
+
+
+
-
-
This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies.
+
+
+This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies.
+
+
+
-
-
This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com".
+
+
+This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com".
> [!NOTE]
> The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
-
Here are the steps to create canonical domain names:
+Here are the steps to create canonical domain names:
1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com.
2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags.
3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0).
-
-
+
+
+
This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59".
+
+
+This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59".
+
+
+
-
-
Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies.
+
+
+Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies.
+
+
+
-
-
Added in Windows 10, version 1607. Boolean value that turns off notification mirroring.
+
+
+Added in Windows 10, version 1607. Boolean value that turns off notification mirroring.
-
For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page.
+For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page.
-
No reboot or service restart is required for this policy to take effect.
+No reboot or service restart is required for this policy to take effect.
-
+
The following list shows the supported values:
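Review bot: In the enterprise domain list paragraph, the example "contoso.sharepoint.com, Fabrikam.com" contains an upper-case letter, yet the NOTE right after it says the client rejects non-canonical names and step 1 of the canonicalization list lower-cases A-Z. Change the example to "fabrikam.com" so it can be copied as is. The same paragraph is missing a period between "protected" and "These locations", and the cloud resources example ends with a trailing "|" that the prose never explains; say whether it is required.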
@@ -75,7 +77,7 @@ The following list shows the supported values:
- 1 - disable notification mirroring.
-
+
Footnote:
@@ -84,5 +86,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index 533e43da2d..5bc495e5d8 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - Power
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## Power policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -83,15 +85,15 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.
If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state.
If you disable this policy setting, standby states (S1-S3) are not allowed.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -99,20 +101,22 @@ If you disable this policy setting, standby states (S1-S3) are not allowed.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow standby states (S1-S3) when sleeping (plugged in)*
- GP name: *AllowStandbyStatesAC_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
-
+
+
+
-
+
+
**Power/DisplayOffTimeoutOnBattery**
-
+
Added in Windows 10, version 1709. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
+
+
+Added in Windows 10, version 1709. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
-
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display.
+If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display.
-
If you disable or do not configure this policy setting, users control this setting.
+If you disable or do not configure this policy setting, users control this setting.
-
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
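
Review bot: The TIP text at the top of this hunk tells admins that "there are a variety of online encoders that you can use" to XML-encode the SyncML payload. Policy payloads describe an organization's device configuration, so pointing readers at third-party web encoders is poor guidance. Suggest leading with the CDATA option the tip already mentions and recommending local encoding otherwise; the same tip is repeated under every ADMX-backed policy in this file and should be changed consistently.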
@@ -161,20 +165,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off the display (on battery)*
- GP name: *VideoPowerDownTimeOutDC_2*
- GP path: *System/Power Management/Video and Display Settings*
- GP ADMX file name: *power.admx*
-
-
+
+
+
Added in Windows 10, version 1709. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
+
+
+Added in Windows 10, version 1709. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
-
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display.
+If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display.
-
If you disable or do not configure this policy setting, users control this setting.
+If you disable or do not configure this policy setting, users control this setting.
-
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -223,20 +229,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off the display (plugged in)*
- GP name: *VideoPowerDownTimeOutAC_2*
- GP path: *System/Power Management/Video and Display Settings*
- GP ADMX file name: *power.admx*
-
-
+
+
+
Added in Windows 10, version 1709. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
+
+
+Added in Windows 10, version 1709. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
-
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate.
+If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate.
-
If you disable or do not configure this policy setting, users control this setting.
+If you disable or do not configure this policy setting, users control this setting.
-
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
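
Review bot: The re-added slide show sentence in the hibernate timeout description spells "occurring" as "occuring". The line is being rewritten in this change, so fix it here, and in the other timeout descriptions in this file that carry the same sentence.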
@@ -286,20 +294,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the system hibernate timeout (on battery)*
- GP name: *DCHibernateTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
-
+
+
+
Added in Windows 10, version 1709. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
+
+
+Added in Windows 10, version 1709. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
-
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate.
+If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate.
-
If you disable or do not configure this policy setting, users control this setting.
+If you disable or do not configure this policy setting, users control this setting.
-
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -348,20 +358,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the system hibernate timeout (plugged in)*
- GP name: *ACHibernateTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
-
+
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -392,15 +404,15 @@ ADMX Info:
-
-
+
+
This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.
If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -408,20 +420,22 @@ If you disable this policy setting, the user is not prompted for a password when
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Require a password when a computer wakes (on battery)*
- GP name: *DCPromptForPasswordOnResume_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
-
+
+
+
-
+
+
**Power/RequirePasswordWhenComputerWakesPluggedIn**
-
+
Home
@@ -443,8 +457,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -452,15 +466,15 @@ ADMX Info:
-
-
+
+
This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.
If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
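
Review bot: The description under **Power/RequirePasswordWhenComputerWakesPluggedIn** is word for word the same as the one for the on-battery policy and never mentions the power source. Add "(plugged in)" to its first sentence to match the GP English name, and "(on battery)" to the sibling policy. Since disabling this setting removes the password prompt on resume, it would also help to state that enabled or not configured is the state in which the prompt is shown.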
@@ -468,20 +482,22 @@ If you disable this policy setting, the user is not prompted for a password when
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Require a password when a computer wakes (plugged in)*
- GP name: *ACPromptForPasswordOnResume_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
-
+
+
+
-
+
+
**Power/StandbyTimeoutOnBattery**
-
+
Added in Windows 10, version 1709. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
+
+
+Added in Windows 10, version 1709. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
-
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep.
+If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep.
-
If you disable or do not configure this policy setting, users control this setting.
+If you disable or do not configure this policy setting, users control this setting.
-
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -530,20 +546,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the system sleep timeout (on battery)*
- GP name: *DCStandbyTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
-
+
+
+
Added in Windows 10, version 1709. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
+
+
+Added in Windows 10, version 1709. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
-
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep.
+If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep.
-
If you disable or do not configure this policy setting, users control this setting.
+If you disable or do not configure this policy setting, users control this setting.
-
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -592,15 +610,15 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the system sleep timeout (plugged in)*
- GP name: *ACStandbyTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
-
+
+
Footnote:
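Review bot: the SyncML tip kept as context at the top of this hunk ("there are a variety of online encoders that you can use") points admins at third-party web encoders for a policy payload. Suggest leading with the CDATA option the same sentence already offers, or recommending a local encoder, so the payload does not have to leave the admin's machine. The CDATA link in that line also uses http://www.w3.org/TR/REC-xml/#sec-cdata-sect; switch it to https.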
@@ -609,5 +627,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md
index 8718ad65f0..2e10fa65e7 100644
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - Printers
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## Printers policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -65,8 +67,8 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
If you enable this policy setting:
@@ -86,7 +88,7 @@ If you disable this policy setting:
-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -94,20 +96,22 @@ If you disable this policy setting:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Point and Print Restrictions*
- GP name: *PointAndPrint_Restrictions_Win7*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
-
-
+
+
+
-
+
+
**Printers/PointAndPrintRestrictions_User**
-
+
Home
@@ -129,8 +133,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -138,8 +142,8 @@ ADMX Info:
-
-
+
+
This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
If you enable this policy setting:
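Review bot: the description in this hunk, under Printers/PointAndPrintRestrictions_User, is word for word the description in the earlier `@@ -65,8 +67,8 @@` hunk, so a reader cannot tell how the _User policy differs. The ADMX blocks in this diff do differ (GP name PointAndPrint_Restrictions_Win7 under Printers versus PointAndPrint_Restrictions under Control Panel/Printers). Suggest one sentence in each description stating which scope it configures, since this setting controls the Point and Print security prompts.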
@@ -159,7 +163,7 @@ If you disable this policy setting:
-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -167,20 +171,22 @@ If you disable this policy setting:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Point and Print Restrictions*
- GP name: *PointAndPrint_Restrictions*
- GP path: *Control Panel/Printers*
- GP ADMX file name: *Printing.admx*
-
-
+
+
+
-
+
+
**Printers/PublishPrinters**
-
+
Home
@@ -202,8 +208,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -211,8 +217,8 @@ ADMX Info:
-
-
+
+
Determines whether the computer's shared printers can be published in Active Directory.
If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory.
@@ -221,7 +227,7 @@ If you disable this setting, this computer's shared printers cannot be published
Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory".
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
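Review bot: the context line "Note: This settings takes priority over the setting ..." at the top of this hunk has a subject-verb mismatch; change "This settings takes" to "This setting takes" while the section is being touched. It would also read better as a `> [!Note]` callout, matching the `> [!Note]` and `> [!TIP]` blocks used elsewhere in this diff.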
@@ -229,15 +235,15 @@ Note: This settings takes priority over the setting "Automatically publish new p
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow printers to be published*
- GP name: *PublishPrinters*
- GP path: *Printers*
- GP ADMX file name: *Printing2.admx*
-
-
+
+
Footnote:
@@ -246,5 +252,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 9c4392ca1c..c42149d2f1 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - Privacy
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Privacy policies
Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
+
+
+Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
> [!Note]
> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
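Review bot: the `> [!Note]` kept in this hunk says only that "There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709", which gives an admin nothing to act on. Suggest stating what the issue was and which releases are affected, so that someone relying on "Most restricted value is 0." knows what to expect on builds before 1709.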
@@ -305,12 +307,14 @@ The following list shows the supported values:
- 1 – Allowed.
-
+
+
-
+
+
**Privacy/AllowInputPersonalization**
-
+
Home
@@ -332,8 +336,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -341,28 +345,28 @@ The following list shows the supported values:
-
-
-
Updated in Windows 10, version 1709. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users.
+
+
+Updated in Windows 10, version 1709. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users.
-
Most restricted value is 0.
-
+Most restricted value is 0.
-
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
-
+
+
**Privacy/DisableAdvertisingId**
-
+
Home
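Review bot: in the re-added description line, "Setting this policy to 1, lets Microsoft use the user's voice data" has a stray comma, and "cloud based" should be hyphenated. More important, the value list marks 1 as the default while the most restricted value is 0, so the default is the permissive setting. Suggest saying that explicitly next to "Most restricted value is 0."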
@@ -384,8 +388,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -393,13 +397,13 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Enables or disables the Advertising ID.
+
+
+Added in Windows 10, version 1607. Enables or disables the Advertising ID.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
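Review bot: "Enables or disables the Advertising ID" does not say which value does which, and for a policy named Privacy/DisableAdvertisingId the moved line "Most restricted value is 0." is easy to misread. Suggest stating on the description line what 0 does, so the reader does not have to infer the polarity from the policy name.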
@@ -408,12 +412,14 @@ The following list shows the supported values:
- 65535 (default)- Not configured.
-
+
+
-
+
+
**Privacy/EnableActivityFeed**
-
+
Home
@@ -435,8 +441,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -444,11 +450,11 @@ The following list shows the supported values:
-
-
+
+
Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed.
-
+
The following list shows the supported values:
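Review bot: this description gets no "Most restricted value" line, although the neighbouring Privacy policies in this diff gain or keep one and the value list in the next hunk marks 1 (Enabled) as the default. Add the line so the page is consistent. "Allows IT Admins to allow Apps/OS to publish" could also be tightened, for example to "Lets IT admins control whether apps and the OS can publish".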
@@ -456,12 +462,14 @@ The following list shows the supported values:
- 1 – (default) Enabled. Apps/OS can publish the activities and will be roamed across device graph.
-
+
+
-
+
+
**Privacy/LetAppsAccessAccountInfo**
-
+
Home
@@ -483,8 +491,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -492,25 +500,30 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access account information.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access account information.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
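Review bot: the value list under the new "Most restricted value is 2." line marks no default, unlike the lists earlier in this file's diff that tag one value "(default)". Say which of 0, 1 or 2 applies when the policy is not configured. The separators are also mixed ("1 – Force allow." with an en dash, "2 - Force deny." with a hyphen); pick one. The same applies to the other LetAppsAccess* value lists later in this file's diff.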
@@ -532,8 +545,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -541,17 +554,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+
+
-
-
@@ -573,8 +588,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -582,17 +597,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+
+
-
-
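Review bot: the deny-list description in this hunk, like the allow-list and user-in-control descriptions in the neighbouring hunks, says the list "overrides the default LetAppsAccessAccountInfo policy setting", but none of them says what happens when the same Package Family Name appears in more than one list. Suggest documenting the precedence, or stating that the combination is unsupported, since an admin auditing a deny list needs to know whether an allow entry can win. Minor: "semi-colon delimited" reads better as "semicolon-delimited".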
@@ -614,8 +631,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -623,17 +640,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessCalendar**
-
+
Home
@@ -655,8 +674,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -664,25 +683,30 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -704,8 +728,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -713,17 +737,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+
+
-
-
@@ -745,8 +771,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -754,17 +780,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+
+
-
-
@@ -786,8 +814,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -795,17 +823,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessCallHistory**
-
+
Home
@@ -827,8 +857,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -836,25 +866,30 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access call history.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access call history.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -876,8 +911,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -885,17 +920,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+
-
-
@@ -917,8 +954,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -926,17 +963,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+
-
-
@@ -958,8 +997,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -967,17 +1006,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessCamera**
-
+
Home
@@ -999,8 +1040,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1008,25 +1049,30 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -1048,8 +1094,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1057,17 +1103,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+
-
-
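Review bot: this description switches to "Microsoft Store Apps" and "the specified apps", while the LetAppsAccessCamera description two hunks earlier and the account information, calendar and call history lists say "Windows apps". If the two terms mean the same set of apps, use one throughout; if not, say what the difference is, because it decides which Package Family Names the list can cover.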
@@ -1089,8 +1137,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1098,17 +1146,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+
-
-
@@ -1130,8 +1180,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1139,17 +1189,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessContacts**
-
+
Home
@@ -1171,8 +1223,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1180,25 +1232,30 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -1220,8 +1277,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1229,17 +1286,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+
+
-
-
@@ -1261,8 +1320,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1270,17 +1329,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+
+
-
-
@@ -1302,8 +1363,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1311,17 +1372,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessEmail**
-
+
Home
@@ -1343,8 +1406,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1352,25 +1415,30 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access email.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access email.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -1392,8 +1460,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1401,17 +1469,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
-
-
@@ -1433,8 +1503,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1442,17 +1512,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
-
-
@@ -1474,8 +1546,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1483,17 +1555,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessLocation**
-
+
Home
@@ -1515,8 +1589,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1524,25 +1598,30 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access location.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access location.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -1564,8 +1643,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1573,17 +1652,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+
+
-
-
@@ -1605,8 +1686,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1614,17 +1695,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+
+
-
-
@@ -1646,8 +1729,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1655,17 +1738,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessMessaging**
-
+
Home
@@ -1687,8 +1772,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1696,25 +1781,30 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS).
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS).
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -1736,8 +1826,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1745,17 +1835,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+
+
-
-
@@ -1777,8 +1869,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1786,17 +1878,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+
+
-
-
@@ -1818,8 +1912,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1827,17 +1921,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessMicrophone**
-
+
Home
@@ -1859,8 +1955,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1868,25 +1964,30 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -1908,8 +2009,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1917,17 +2018,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+
+
-
-
@@ -1949,8 +2052,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1958,17 +2061,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+
+
-
-
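Review bot: the added description "Listed apps are denied access to the microphone" does not say which list wins when the same Package Family Name also appears in the force-allow or user-in-control list for this policy. Each of the three per-app texts states only that it overrides the default LetAppsAccessMicrophone setting. Suggest adding one sentence on precedence between the lists, since an admin who relies on the deny list needs to know whether another list can undo it.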
@@ -1990,8 +2095,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1999,17 +2104,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessMotion**
-
+
Home
@@ -2031,8 +2138,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2040,25 +2147,30 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -2080,8 +2192,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2089,17 +2201,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+
+
-
-
@@ -2121,8 +2235,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2130,17 +2244,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+
+
-
-
@@ -2162,8 +2278,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2171,17 +2287,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessNotifications**
-
+
Home
@@ -2203,8 +2321,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2212,25 +2330,30 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -2252,8 +2375,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2261,17 +2384,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+
+
-
-
@@ -2293,8 +2418,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2302,17 +2427,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+
+
-
-
@@ -2334,8 +2461,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2343,17 +2470,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessPhone**
-
+
Home
@@ -2375,8 +2504,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2384,25 +2513,30 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -2424,8 +2558,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2433,17 +2567,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+
+
-
-
@@ -2465,8 +2601,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2474,17 +2610,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+
+
-
-
@@ -2506,8 +2644,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2515,17 +2653,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessRadios**
-
+
Home
@@ -2547,8 +2687,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2556,25 +2696,30 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -2596,8 +2741,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2605,17 +2750,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+
+
-
-
@@ -2637,8 +2784,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2646,17 +2793,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+
+
-
-
@@ -2678,8 +2827,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2687,17 +2836,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessTasks**
-
+
Home
@@ -2719,8 +2870,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2728,17 +2879,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks.
+
+
+Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks.
+
+
+
-
-
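Review bot: the description added for LetAppsAccessTasks ends at "Specifies whether Windows apps can access tasks." and this hunk shows no supported-values list and no most-restricted value, whereas the sibling LetAppsAccess* policies in this patch document 0, 1 and 2 plus "Most restricted value is 2." If the policy takes the same values, suggest adding the list here so the page is consistent; if it differs, state the accepted values explicitly.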
@@ -2760,8 +2913,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2769,17 +2922,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+
+
-
-
@@ -2801,8 +2956,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2810,17 +2965,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+
+
-
-
@@ -2842,8 +2999,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2851,17 +3008,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessTrustedDevices**
-
+
Home
@@ -2883,8 +3042,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2892,25 +3051,30 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -2932,8 +3096,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2941,17 +3105,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+
+
-
-
@@ -2973,8 +3139,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2982,17 +3148,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+
+
-
-
@@ -3014,8 +3182,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3023,17 +3191,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+
+
-
-
-
+
+
**Privacy/LetAppsGetDiagnosticInfo**
-
+
Home
@@ -3055,8 +3225,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3064,25 +3234,30 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps.
+
+
+Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -3104,8 +3279,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3113,17 +3288,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
+
+
-
-
@@ -3145,8 +3322,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3154,17 +3331,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
+
+
-
-
@@ -3186,8 +3365,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3195,17 +3374,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
+
+
-
-
-
+
+
**Privacy/LetAppsRunInBackground**
-
+
Home
@@ -3227,8 +3408,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3236,27 +3417,32 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background.
+
+
+Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+> [!WARNING]
+> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly.
+
+
+
+The following list shows the supported values:
- 0 – User in control (default).
- 1 – Force allow.
- 2 - Force deny.
-
Most restricted value is 2.
-> [!WARNING]
-> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly.
+
+
-
-
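Review bot: "Most restricted value is 2." ends up on the page twice after this hunk. It is added above the supported-values list together with the WARNING block, but the original sentence below the list is kept as an unchanged context line while only the old WARNING lines beneath it are removed. Suggest deleting the later copy as well, so that the sentence and the warning appear once and together.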
@@ -3278,8 +3464,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3287,17 +3473,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
+
+
-
-
@@ -3319,8 +3507,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3328,17 +3516,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
+
+
-
-
@@ -3360,8 +3550,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3369,17 +3559,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
+
+
-
-
-
+
+
**Privacy/LetAppsSyncWithDevices**
-
+
Home
@@ -3401,8 +3593,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3410,25 +3602,30 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -3450,8 +3647,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3459,17 +3656,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+
+
-
-
@@ -3491,8 +3690,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3500,17 +3699,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+
+
-
-
@@ -3532,8 +3733,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3541,17 +3742,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+
+
-
-
-
+
+
**Privacy/PublishUserActivities**
-
+
Home
@@ -3573,8 +3776,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3582,11 +3785,11 @@ The following list shows the supported values:
-
-
+
+
Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed.
-
+
The following list shows the supported values:
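Review bot: the context line in this hunk reads "Allows It Admins to enable publishing of user activities", which should be "IT admins". The hunk already touches the lines on either side of it, so fix the typo in the same change. The sentence also only describes enabling; say what the disabled state does to the activity feed, since that is the privacy-relevant direction.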
@@ -3594,7 +3797,7 @@ The following list shows the supported values:
- 1 – (default) Enabled. Apps/OS can publish the *user activities*.
-
+
Footnote:
@@ -3603,7 +3806,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Privacy policies supported by Windows Holographic for Business
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
index 29f29a7267..79ab76a706 100644
--- a/windows/client-management/mdm/policy-csp-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - RemoteAssistance
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## RemoteAssistance policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -68,8 +70,8 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting lets you customize warning messages.
The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer.
@@ -82,7 +84,7 @@ If you disable this policy setting, the user sees the default warning message.
If you do not configure this policy setting, the user sees the default warning message.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -90,20 +92,22 @@ If you do not configure this policy setting, the user sees the default warning m
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Customize warning messages*
- GP name: *RA_Options*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
-
-
+
+
+
-
+
+
**RemoteAssistance/SessionLogging**
-
+
Home
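Review bot: the tip carried at the top of this hunk tells admins "there are a variety of online encoders that you can use" for the SyncML payload, which invites pasting policy payloads into third-party websites. Lead with CDATA or a local XML-encoding step and drop the online-encoder suggestion. The CDATA link also points to http://www.w3.org/TR/REC-xml/#sec-cdata-sect; switch it to https. The same tip text repeats in every ADMX-backed policy in this patch, so it is best fixed once at its source.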
@@ -125,8 +129,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -134,8 +138,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.
If you enable this policy setting, log files are generated.
@@ -144,7 +148,7 @@ If you disable this policy setting, log files are not generated.
If you do not configure this setting, application-based settings are used.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -152,20 +156,22 @@ If you do not configure this setting, application-based settings are used.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on session logging*
- GP name: *RA_Logging*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
-
-
+
+
+
-
+
+
**RemoteAssistance/SolicitedRemoteAssistance**
-
+
Home
@@ -187,8 +193,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -196,8 +202,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.
If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings.
@@ -214,7 +220,7 @@ The "Select the method for sending email invitations" setting specifies which em
If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -222,20 +228,22 @@ If you enable this policy setting you should also enable appropriate firewall ex
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Configure Solicited Remote Assistance*
- GP name: *RA_Solicit*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
-
-
+
+
+
-
+
+
**RemoteAssistance/UnsolicitedRemoteAssistance**
-
+
Home
@@ -257,8 +265,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -266,8 +274,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.
If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
@@ -307,7 +315,7 @@ Port 135:TCP
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
Allow Remote Desktop Exception
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
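Review bot: the firewall exceptions in the context lines of this hunk ("Port 135:TCP", the Helpctr.exe path, "Allow Remote Desktop Exception") are bare lines with no list markup, so Markdown will run them into one paragraph and an admin cannot tell where one exception ends and the next begins. Make them a bulleted list, and confirm that the %WINDIR%\PCHealth\HelpCtr\Binaries path still exists on the Windows 10 versions named in the footnotes, because an exception for a binary that is not present is noise in a firewall baseline.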
@@ -315,15 +323,15 @@ Allow Remote Desktop Exception
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Configure Offer Remote Assistance*
- GP name: *RA_Unsolicit*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
-
-
+
+
Footnote:
@@ -332,5 +340,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index dc0834d71a..79615e7c27 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - RemoteDesktopServices
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## RemoteDesktopServices policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -74,8 +76,8 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting allows you to configure remote access to computers by using Remote Desktop Services.
If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services.
@@ -88,7 +90,7 @@ Note: You can limit which clients are able to connect remotely by using Remote D
You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -96,20 +98,22 @@ You can limit the number of users who can connect simultaneously by configuring
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow users to connect remotely by using Remote Desktop Services*
- GP name: *TS_DISABLE_CONNECTIONS*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections*
- GP ADMX file name: *terminalserver.admx*
-
-
+
+
+
-
+
+
**RemoteDesktopServices/ClientConnectionEncryptionLevel**
-
+
Home
@@ -131,8 +135,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -140,8 +144,8 @@ ADMX Info:
-
-
+
+
Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption.
If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:
@@ -158,7 +162,7 @@ Important
FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
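Review bot: the FIPS paragraph kept as context here splits the Group Policy setting name in two. "through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings" reads as two sentences, and the closing period sits inside the parenthesis after "Security Options". Write the name as one quoted setting, "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing", and change "communications ... requires" to "require".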
@@ -166,20 +170,22 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Set client connection encryption level*
- GP name: *TS_ENCRYPTION_POLICY*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
-
-
+
+
+
-
+
+
**RemoteDesktopServices/DoNotAllowDriveRedirection**
-
+
Home
@@ -201,8 +207,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -210,8 +216,8 @@ ADMX Info:
-
-
+
+
This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).
By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format on . You can use this policy setting to override this behavior.
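Review bot: the context line says mapped drives appear "in the format on .", so the placeholders that describe the format are missing from the rendered text. If they were written in angle brackets, Markdown is treating them as HTML tags and dropping them; escape them or put the format in backticks so the sentence shows what a redirected drive looks like.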
@@ -222,7 +228,7 @@ If you disable this policy setting, client drive redirection is always allowed.
If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -230,20 +236,22 @@ If you do not configure this policy setting, client drive redirection and Clipbo
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not allow drive redirection*
- GP name: *TS_CLIENT_DRIVE_M*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection*
- GP ADMX file name: *terminalserver.admx*
-
-
+
+
+
-
+
+
**RemoteDesktopServices/DoNotAllowPasswordSaving**
-
+
Home
@@ -265,8 +273,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -274,15 +282,15 @@ ADMX Info:
-
-
+
+
Controls whether passwords can be saved on this computer from Remote Desktop Connection.
If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted.
If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
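Review bot: the description in this hunk says "When a user opens an RDP file using Remote Desktop Connection and saves his settings", which uses a gendered pronoun; "saves the settings" reads cleaner. It would also help to state that a password already stored in an RDP file stays there until the file is opened and saved again, which is what the sentence implies but does not say outright.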
@@ -290,20 +298,22 @@ If you disable this setting or leave it not configured, the user will be able to
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not allow passwords to be saved*
- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client*
- GP ADMX file name: *terminalserver.admx*
-
-
+
+
+
-
+
+
**RemoteDesktopServices/PromptForPasswordUponConnection**
-
+
Home
@@ -325,8 +335,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -334,8 +344,8 @@ ADMX Info:
-
-
+
+
This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.
You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.
@@ -348,7 +358,7 @@ If you disable this policy setting, users can always log on to Remote Desktop Se
If you do not configure this policy setting, automatic logon is not specified at the Group Policy level.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -356,20 +366,22 @@ If you do not configure this policy setting, automatic logon is not specified at
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Always prompt for password upon connection*
- GP name: *TS_PASSWORD*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
-
-
+
+
+
-
+
+
**RemoteDesktopServices/RequireSecureRPCCommunication**
-
+
Home
@@ -391,8 +403,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -400,8 +412,8 @@ ADMX Info:
-
-
+
+
Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.
You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.
@@ -414,7 +426,7 @@ If the status is set to Not Configured, unsecured communication is allowed.
Note: The RPC interface is used for administering and configuring Remote Desktop Services.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -422,15 +434,15 @@ Note: The RPC interface is used for administering and configuring Remote Desktop
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Require secure RPC communication*
- GP name: *TS_RPC_ENCRYPTION*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
-
-
+
+
Footnote:
@@ -439,5 +451,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md
index 315cac1258..609bfc4763 100644
--- a/windows/client-management/mdm/policy-csp-remotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-remotemanagement.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - RemoteManagement
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## RemoteManagement policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -101,9 +103,10 @@ ms.date: 11/01/2017
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
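Review bot: the description block in this hunk is empty. Between the scope checklist and the tip there are only blank lines, before and after the change, so the page documents AllowBasicAuthentication_Client with nothing but its ADMX mapping. For a setting that controls whether the WinRM client may use Basic authentication, the reader needs the enabled, disabled and not-configured behaviour spelled out, as the RemoteDesktopServices file does. The same empty block recurs for the other RemoteManagement policies in this file.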
@@ -111,20 +114,22 @@ ms.date: 11/01/2017
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow Basic authentication*
- GP name: *AllowBasic_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/AllowBasicAuthentication_Service**
-
+
Home
@@ -146,8 +151,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -155,9 +160,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -165,20 +171,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow Basic authentication*
- GP name: *AllowBasic_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/AllowCredSSPAuthenticationClient**
-
+
Home
@@ -200,8 +208,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -209,9 +217,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -219,20 +228,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow CredSSP authentication*
- GP name: *AllowCredSSP_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/AllowCredSSPAuthenticationService**
-
+
Home
@@ -254,8 +265,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -263,9 +274,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -273,20 +285,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow CredSSP authentication*
- GP name: *AllowCredSSP_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/AllowRemoteServerManagement**
-
+
Home
@@ -308,8 +322,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -317,9 +331,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -327,20 +342,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow remote server management through WinRM*
- GP name: *AllowAutoConfig*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/AllowUnencryptedTraffic_Client**
-
+
Home
@@ -362,8 +379,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -371,9 +388,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -381,20 +399,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/AllowUnencryptedTraffic_Service**
-
+
Home
@@ -416,8 +436,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -425,9 +445,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -435,20 +456,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/DisallowDigestAuthentication**
-
+
Home
@@ -470,8 +493,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -479,9 +502,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -489,20 +513,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disallow Digest authentication*
- GP name: *DisallowDigest*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/DisallowNegotiateAuthenticationClient**
-
+
Home
@@ -524,8 +550,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -533,9 +559,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -543,20 +570,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disallow Negotiate authentication*
- GP name: *DisallowNegotiate_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/DisallowNegotiateAuthenticationService**
-
+
Home
@@ -578,8 +607,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -587,9 +616,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -597,20 +627,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disallow Negotiate authentication*
- GP name: *DisallowNegotiate_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/DisallowStoringOfRunAsCredentials**
-
+
Home
@@ -632,8 +664,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -641,9 +673,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -651,20 +684,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disallow WinRM from storing RunAs credentials*
- GP name: *DisableRunAs*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/SpecifyChannelBindingTokenHardeningLevel**
-
+
Home
@@ -686,8 +721,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -695,9 +730,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -705,20 +741,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify channel binding token hardening level*
- GP name: *CBTHardeningLevel_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/TrustedHosts**
-
+
Home
@@ -740,8 +778,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -749,9 +787,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -759,20 +798,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Trusted Hosts*
- GP name: *TrustedHosts*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/TurnOnCompatibilityHTTPListener**
-
+
Home
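Review bot: The TIP kept as context in this hunk points admins to "a variety of online encoders" for XML-encoding the SyncML payload, which means pasting device-management configuration into a third-party website. For the Trusted Hosts policy in particular, suggest rewording the tip to recommend encoding locally or using CDATA, which the same sentence already offers as the alternative. The sentence recurs in every ADMX-backed section of this patch, so one shared fix would cover them all.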
@@ -794,8 +835,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -803,9 +844,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -813,20 +855,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn On Compatibility HTTP Listener*
- GP name: *HttpCompatibilityListener*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/TurnOnCompatibilityHTTPSListener**
-
+
Home
@@ -848,8 +892,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -857,9 +901,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -867,15 +912,15 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn On Compatibility HTTPS Listener*
- GP name: *HttpsCompatibilityListener*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
Footnote:
@@ -884,5 +929,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
index 1569a65e29..16adbb0e97 100644
--- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - RemoteProcedureCall
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## RemoteProcedureCall policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -62,8 +64,8 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner.
If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
@@ -74,7 +76,7 @@ If you do not configure this policy setting, it remains disabled. RPC clients w
Note: This policy will not be applied until the system is rebooted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -82,20 +84,22 @@ Note: This policy will not be applied until the system is rebooted.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable RPC Endpoint Mapper Client Authentication*
- GP name: *RpcEnableAuthEpResolution*
- GP path: *System/Remote Procedure Call*
- GP ADMX file name: *rpc.admx*
-
-
+
+
+
-
+
+
**RemoteProcedureCall/RestrictUnauthenticatedRPCClients**
-
+
Home
@@ -117,8 +121,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -126,8 +130,8 @@ ADMX Info:
-
-
+
+
This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.
This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller.
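Review bot: The two strongest cautions for RestrictUnauthenticatedRPCClients are buried mid-paragraph in the context line that starts "This policy setting impacts all RPC applications": "Reverting a change to this policy setting can require manual intervention on each affected machine" and "This policy setting should never be applied to a domain controller". Since this hunk already touches the section, suggest moving both into a `> [!WARNING]` callout so they are not skimmed past.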
@@ -146,7 +150,7 @@ If you enable this policy setting, it directs the RPC server runtime to restrict
Note: This policy setting will not be applied until the system is rebooted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -154,15 +158,15 @@ Note: This policy setting will not be applied until the system is rebooted.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Restrict Unauthenticated RPC clients*
- GP name: *RpcRestrictRemoteClients*
- GP path: *System/Remote Procedure Call*
- GP ADMX file name: *rpc.admx*
-
-
+
+
Footnote:
@@ -171,5 +175,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md
index a9538c867b..5f9c72ad15 100644
--- a/windows/client-management/mdm/policy-csp-remoteshell.md
+++ b/windows/client-management/mdm/policy-csp-remoteshell.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - RemoteShell
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## RemoteShell policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -77,9 +79,10 @@ ms.date: 11/01/2017
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -87,20 +90,22 @@ ms.date: 11/01/2017
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow Remote Shell Access*
- GP name: *AllowRemoteShellAccess*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
-
+
+
+
-
+
+
**RemoteShell/MaxConcurrentUsers**
-
+
Home
@@ -122,8 +127,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -131,9 +136,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -141,20 +147,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *MaxConcurrentUsers*
- GP name: *MaxConcurrentUsers*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
-
+
+
+
-
+
+
**RemoteShell/SpecifyIdleTimeout**
-
+
Home
@@ -176,8 +184,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -185,9 +193,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -195,20 +204,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify idle Timeout*
- GP name: *IdleTimeout*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
-
+
+
+
-
+
+
**RemoteShell/SpecifyMaxMemory**
-
+
Home
@@ -230,8 +241,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -239,9 +250,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -249,20 +261,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify maximum amount of memory in MB per Shell*
- GP name: *MaxMemoryPerShellMB*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
-
+
+
+
-
+
+
**RemoteShell/SpecifyMaxProcesses**
-
+
Home
@@ -284,8 +298,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -293,9 +307,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -303,20 +318,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify maximum number of processes per Shell*
- GP name: *MaxProcessesPerShell*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
-
+
+
+
-
+
+
**RemoteShell/SpecifyMaxRemoteShells**
-
+
Home
@@ -338,8 +355,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -347,9 +364,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -357,20 +375,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify maximum number of remote shells per user*
- GP name: *MaxShellsPerUser*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
-
+
+
+
-
+
+
**RemoteShell/SpecifyShellTimeout**
-
+
Home
@@ -392,8 +412,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -401,9 +421,10 @@ ADMX Info:
-
-
-
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -411,15 +432,15 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify Shell Timeout*
- GP name: *ShellTimeOut*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
-
+
+
Footnote:
@@ -428,5 +449,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
new file mode 100644
index 0000000000..8b0251476c
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -0,0 +1,96 @@
+---
+title: Policy CSP - RestrictedGroups
+description: Policy CSP - RestrictedGroups
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 01/12/2018
+---
+
+# Policy CSP - RestrictedGroups
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+
+## RestrictedGroups policies
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership.
+
+> [!Note]
+> This policy is only scoped to the Administrators group at this time.
+
+Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
+
+> [!Note]
+> If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
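Review bot: As added, this page describes the Restricted Groups behaviour but never names the policy node under RestrictedGroups/, gives no value format for the Members list, and has no sample payload, so an admin cannot build the setting from this page alone. Suggest adding the policy heading and a format section in the style of the other Policy CSP pages. The lock-out risk also deserves more than a `> [!Note]`: the page says the policy is scoped to the Administrators group and that "An empty Members list means that the restricted group has no members", so a `> [!WARNING]` stating that an empty or incomplete list removes existing administrators on the next refresh would be appropriate. "at this time" in the first note would be clearer as a version reference matching the footnotes.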
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index 204a76ade1..616c8eb992 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/08/2018
+ms.date: 01/30/2018
---
# Policy CSP - Search
@@ -17,7 +17,7 @@ ms.date: 01/08/2018
-
+
## Search policies
Added in Windows 10, version 1709. Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources.
+
+
+Added in Windows 10, version 1709. Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Search/AllowCortanaInAAD**
-
+
Home
@@ -137,8 +143,8 @@ ms.date: 01/08/2018
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -146,31 +152,26 @@ ms.date: 01/08/2018
-
-
+
+
Added in Windows 10, next major update. This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. If this policy is left in its default state, Cortana will not be shown in the AAD OOBE flow. If you opt-in to this policy, then the Cortana consent page will appear in the AAD OOBE flow..
-
+
The following list shows the supported values:
- 0 (default) - Not allowed. The Cortana consent page will not appear in AAD OOBE during setup.
- 1 - Allowed. The Cortana consent page will appear in Azure AAD OOBE during setup.
-
-
+
-
-
-
-
-
-
+
+
**Search/AllowIndexingEncryptedStoresOrItems**
-
+
Home
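Review bot: The AllowCortanaInAAD description kept in this hunk still reads "Added in Windows 10, next major update", which will not age well. The footnotes in this same patch use concrete versions ("Added in Windows 10, version 1709"), so suggest replacing it with the release number. While here, the sentence ends in a double period ("AAD OOBE flow.."), and the value 1 line says "Azure AAD OOBE", which expands to a doubled "Azure".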
@@ -192,8 +193,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -201,17 +202,17 @@ The following list shows the supported values:
-
-
-
Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files.
+
+
+Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files.
-
When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes things like file path and date modified.
+When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes things like file path and date modified.
-
When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps if there are a lot of WIP protected media files on the device.
+When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps if there are a lot of WIP protected media files on the device.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
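Review bot: The re-added sentence "WIP protected items are indexed and the metadata about them are stored in an unencrypted location" is the security-relevant consequence of AllowIndexingEncryptedStoresOrItems, yet it sits in running text while the value list that follows marks "1 (default) – Allowed". Suggest a `> [!NOTE]` that says plainly that with the default value, file paths and modified dates of WIP protected files are kept unencrypted, and that 0 is the value to set where that is not acceptable. Minor: "metadata ... are stored" should be "is stored".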
@@ -219,12 +220,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Search/AllowSearchToUseLocation**
-
+
Home
@@ -246,8 +249,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -255,13 +258,13 @@ The following list shows the supported values:
-
-
-
Specifies whether search can leverage location information.
+
+
+Specifies whether search can leverage location information.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -269,12 +272,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Search/AllowStoringImagesFromVisionSearch**
-
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -282,17 +287,19 @@ The following list shows the supported values:
-
-
-
This policy has been deprecated.
+
+
+This policy has been deprecated.
+
+
+
-
-
-
+
+
**Search/AllowUsingDiacritics**
-
+
Home
@@ -314,8 +321,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -323,24 +330,29 @@ The following list shows the supported values:
-
-
-
Allows the use of diacritics.
+
+
+Allows the use of diacritics.
-
The following list shows the supported values:
+
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
Most restricted value is 0.
+
+
-
-
-
+
+
**Search/AllowWindowsIndexer**
-
+
Home
@@ -362,8 +374,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -371,17 +383,19 @@ The following list shows the supported values:
-
-
-
Allow Windows indexer. Value type is integer.
+
+
+Allow Windows indexer. Value type is integer.
+
+
+
-
-
-
+
+
**Search/AlwaysUseAutoLangDetection**
-
+
Home
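Review bot: The AllowWindowsIndexer section in this hunk is re-added as only "Allow Windows indexer. Value type is integer." with no supported values, no default and no "Most restricted value" line, unlike the neighbouring Search policies. Suggest listing the accepted integers and what each one does, or noting explicitly if the values are not documented yet.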
@@ -403,8 +417,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -412,24 +426,29 @@ The following list shows the supported values:
-
-
-
Specifies whether to always use automatic language detection when indexing content and properties.
+
+
+Specifies whether to always use automatic language detection when indexing content and properties.
-
The following list shows the supported values:
+
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
Most restricted value is 0.
+
+
-
-
-
+
+
**Search/DisableBackoff**
-
+
Home
@@ -451,8 +470,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -460,22 +479,26 @@ The following list shows the supported values:
-
-
-
If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled.
+
+
+If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Disable.
- 1 – Enable.
-
-
+
+
+
@@ -497,8 +520,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -506,26 +529,30 @@ The following list shows the supported values:
-
-
-
This policy setting configures whether or not locations on removable drives can be added to libraries.
+
+
+This policy setting configures whether or not locations on removable drives can be added to libraries.
-
If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed.
+If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed.
-
If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed.
+If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Disable.
- 1 – Enable.
-
-
+
+
+
-
+
+
**Search/DoNotUseWebResults**
-
+
Home
@@ -547,8 +574,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -556,8 +583,8 @@ The following list shows the supported values:
-
-
+
+
Added in Windows 10, next major update. Don't search the web or display web results in Search.
This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are displayed in Search.
@@ -565,7 +592,7 @@ If you enable this policy setting, queries won't be performed on the web and web
If you disable this policy setting, queries will be performed on the web and web results will be displayed when a user performs a query in Search.
-
+
The following list shows the supported values:
@@ -573,18 +600,14 @@ The following list shows the supported values:
- 1 (default) - Allowed. Queries will be performed on the web and web results will be displayed when a user performs a query in Search.
-
+
-
-
-
-
-
-
+
+
**Search/PreventIndexingLowDiskSpaceMB**
-
+
Home
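Review bot: The value line at the top of this hunk, "1 (default) - Allowed. Queries will be performed on the web", reads as the opposite of the policy name DoNotUseWebResults and of the preceding text "If you enable this policy setting, queries won't be performed on the web". A reader cannot tell whether "enable" maps to 0 or 1. Suggest stating the mapping explicitly in the value list, for example by describing each value in terms of what Search does rather than "Allowed" and "Not allowed".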
@@ -606,8 +629,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -615,26 +638,30 @@ The following list shows the supported values:
-
-
-
Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1.
+
+
+Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1.
-
Enable this policy if computers in your environment have extremely limited hard drive space.
+Enable this policy if computers in your environment have extremely limited hard drive space.
-
When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size.
+When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Disable.
- 1 (default) – Enable.
-
-
+
+
+
-
+
+
**Search/PreventRemoteQueries**
-
+
Home
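Review bot: The re-added description of PreventIndexingLowDiskSpaceMB refers to "less than the specified amount of hard drive space" but no amount is specified anywhere in the section, and "Select between 0 and 1" followed by a Disable/Enable list does not fit a policy whose name ends in MB. Suggest stating the actual threshold that applies when the value is 1, or rewording so the text no longer implies the admin supplies a size.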
@@ -656,8 +683,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -665,22 +692,26 @@ The following list shows the supported values:
-
-
-
If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index..
+
+
+If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index..
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Disable.
- 1 (default) – Enable.
-
-
+
+
+
-
+
+
**Search/SafeSearchPermissions**
-
+
Home
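Review bot: The re-added PreventRemoteQueries sentence still ends with a double period ("will use this computer's index.."), which is worth fixing while the line is being rewritten. It would also help to tie the values to the behaviour: the list shows "1 (default) – Enable", so a short statement that remote index queries are blocked by default would remove the need to infer it from the policy name.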
@@ -702,8 +733,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -711,23 +742,26 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies what level of safe search (filtering adult content) is required.
+Specifies what level of safe search (filtering adult content) is required.
-
The following list shows the supported values:
+
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
- 0 – Strict, highest filtering against adult content.
- 1 (default) – Moderate filtering against adult content (valid search results will not be filtered).
-
Most restricted value is 0.
-
-
-
+
+
Footnote:
@@ -736,7 +770,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Search policies that can be set using Exchange Active Sync (EAS)
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index 41b61f3d9e..fa48adfe0d 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/16/2018
+ms.date: 01/30/2018
---
# Policy CSP - Security
@@ -17,7 +17,7 @@ ms.date: 01/16/2018
-
+
## Security policies
Specifies whether to allow the runtime configuration agent to install provisioning packages.
+
+
+Specifies whether to allow the runtime configuration agent to install provisioning packages.
-
+
The following list shows the supported values:
@@ -103,12 +105,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -130,8 +134,8 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy has been deprecated in Windows 10, version 1607
@@ -141,20 +145,24 @@ The following list shows the supported values:
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
+Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
@@ -176,8 +184,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -185,17 +193,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies whether the user is allowed to manually install root and intermediate CA certificates.
+Specifies whether the user is allowed to manually install root and intermediate CA certificates.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -203,12 +211,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -230,8 +240,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -239,11 +249,11 @@ The following list shows the supported values:
-
-
-
Specifies whether to allow the runtime configuration agent to remove provisioning packages.
+
+
+Specifies whether to allow the runtime configuration agent to remove provisioning packages.
-
+
The following list shows the supported values:
@@ -251,12 +261,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Security/AntiTheftMode**
-
+
Home
@@ -278,8 +290,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -287,15 +299,15 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Allows or disallow Anti Theft Mode on the device.
+Allows or disallow Anti Theft Mode on the device.
-
+
The following list shows the supported values:
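Review bot: the description line re-added in this hunk for Security/AntiTheftMode still reads "Allows or disallow Anti Theft Mode on the device." Since the line is being rewritten anyway, fix the verb agreement ("Allows or disallows") in the same change.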
@@ -303,12 +315,14 @@ The following list shows the supported values:
- 1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent).
-
+
+
-
+
+
**Security/ClearTPMIfNotReady**
-
+
Home
@@ -330,8 +344,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -339,14 +353,14 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Added in Windows 10, version 1709. Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart.
-
+
The following list shows the supported values:
@@ -354,12 +368,14 @@ The following list shows the supported values:
- 1 – Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear.
-
+
+
-
+
+
**Security/ConfigureWindowsPasswords**
-
+
Home
@@ -381,8 +397,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -390,33 +406,30 @@ The following list shows the supported values:
-
-
+
+
Added in Windows 10, next major update. Configures the use of passwords for Windows features.
> [!Note]
> This policy is only supported in Windows 10 S.
-
+
The following list shows the supported values:
- 0 -Disallow passwords (Asymmetric credentials will be promoted to replace passwords on Windows features)
- 1- Allow passwords (Passwords continue to be allowed to be used for Windows features)
- 2- Default (Feature defaults as per SKU and device capabilities. Windows 10 S devices will exhibit "Disallow passwords" default, and all other devices will default to "Allow passwords")
+
-
+
-
-
-
-
-
-
+
+
**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices**
-
+
Home
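Review bot: the Security/ConfigureWindowsPasswords text left unchanged in this hunk needs cleanup while the section is being touched. "Added in Windows 10, next major update" is a placeholder rather than a version, and the value list mixes delimiters ("0 -Disallow", "1- Allow", "2- Default") where the other policies in this file use "0 – ...". The note says the policy is only supported in Windows 10 S, yet value 2 describes the default on "all other devices"; state which is correct so an admin can tell whether setting 0 on a non-S device has any effect.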
@@ -438,8 +451,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -447,28 +460,32 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**.
+Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**.
-
Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
+Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Encryption enabled.
- 1 – Encryption disabled.
-
-
+
+
+
-
+
+
**Security/RequireDeviceEncryption**
-
+
Home
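Review bot: the description re-added for Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices still says "Specifies whether to allow automatic device encryption during OOBE", which has the opposite polarity to the policy name and to the values in the same hunk (0 = Encryption enabled, 1 = Encryption disabled). The sentence appears to be carried over from the deprecated Allow policy. Suggest rewording it as "Specifies whether to prevent automatic device encryption ..." so that nobody sets 1 expecting encryption to be turned on.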
@@ -481,17 +498,17 @@ The following list shows the supported values:
-
-
-
-
+
+
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -499,30 +516,32 @@ The following list shows the supported values:
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the [DeviceStatus CSP](devicestatus-csp.md) node **DeviceStatus/Compliance/EncryptionCompliance**.
+
+
+Allows enterprise to turn on internal storage encryption.
-
Allows enterprise to turn on internal storage encryption.
-
The following list shows the supported values:
-
-- 0 (default) – Encryption is not required.
-- 1 – Encryption is required.
-
-
Most restricted value is 1.
+Most restricted value is 1.
> [!IMPORTANT]
> If encryption has been enabled, it cannot be turned off by using this policy.
-
-
+
+
+The following list shows the supported values:
+
+- 0 (default) – Encryption is not required.
+- 1 – Encryption is required.
+
+
+
+
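Review bot: the NOTE removed at the top of this hunk stated that Security/RequireDeviceEncryption is only enforced in Windows 10 Mobile and that on desktop the encryption status is queried through the DeviceStatus CSP node DeviceStatus/Compliance/EncryptionCompliance, and nothing added in the hunk replaces it. If the platform scope has not changed, restore the note; otherwise a desktop admin reading "1 – Encryption is required" will assume the policy enforces encryption there. If the scope did change, say so in the description. The reordering of "Most restricted value" and the IMPORTANT block ahead of the value list is fine.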
@@ -544,8 +563,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -553,22 +572,26 @@ The following list shows the supported values:
-
-
-
Specifies whether provisioning packages must have a certificate signed by a device trusted authority.
+
+
+Specifies whether provisioning packages must have a certificate signed by a device trusted authority.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Not required.
- 1 – Required.
-
-
+
+
+
@@ -590,8 +613,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -599,16 +622,12 @@ The following list shows the supported values:
-
-
-
Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots.
+
+
+Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots.
-
The following list shows the supported values:
-- 0 (default) – Not required.
-- 1 – Required.
-
-
Setting this policy to 1 (Required):
+Setting this policy to 1 (Required):
- Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2.0.
- Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification.
@@ -617,10 +636,17 @@ The following list shows the supported values:
> We recommend that this policy is set to Required after MDM enrollment.
-
Most restricted value is 1.
+Most restricted value is 1.
-
-
+
+
+The following list shows the supported values:
+
+- 0 (default) – Not required.
+- 1 – Required.
+
+
+
Footnote:
@@ -629,7 +655,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Security policies that can be set using Exchange Active Sync (EAS)
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index eae7e34484..bd6a64ba12 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/19/2017
+ms.date: 01/30/2018
---
# Policy CSP - Settings
@@ -17,7 +17,7 @@ ms.date: 12/19/2017
-
+
## Settings policies
@@ -65,11 +65,13 @@ ms.date: 12/19/2017
+
-
+
+
**Settings/AllowAutoPlay**
-
+
Home
@@ -91,8 +93,8 @@ ms.date: 12/19/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -100,18 +102,18 @@ ms.date: 12/19/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Allows the user to change Auto Play settings.
+Allows the user to change Auto Play settings.
> [!NOTE]
> Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected.
-
+
The following list shows the supported values:
@@ -119,12 +121,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowDataSense**
-
+
Home
@@ -146,8 +150,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -155,11 +159,11 @@ The following list shows the supported values:
-
-
-
Allows the user to change Data Sense settings.
+
+
+Allows the user to change Data Sense settings.
-
+
The following list shows the supported values:
@@ -167,12 +171,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowDateTime**
-
+
Home
@@ -194,8 +200,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -203,11 +209,11 @@ The following list shows the supported values:
-
-
-
Allows the user to change date and time settings.
+
+
+Allows the user to change date and time settings.
-
+
The following list shows the supported values:
@@ -215,12 +221,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowEditDeviceName**
-
+
Home
@@ -242,8 +250,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -251,11 +259,11 @@ The following list shows the supported values:
-
-
-
Allows editing of the device name.
+
+
+Allows editing of the device name.
-
+
The following list shows the supported values:
@@ -263,12 +271,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowLanguage**
-
+
Home
@@ -290,8 +300,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -299,15 +309,15 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Allows the user to change the language settings.
+Allows the user to change the language settings.
-
+
The following list shows the supported values:
@@ -315,12 +325,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowOnlineTips**
-
+
Home
@@ -342,8 +354,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -351,27 +363,21 @@ The following list shows the supported values:
-
-
+
+
Enables or disables the retrieval of online tips and help for the Settings app.
If disabled, Settings will not contact Microsoft content services to retrieve tips and help content.
-
-
-
-
+
+
-
-
-
-
-
-
+
+
**Settings/AllowPowerSleep**
-
+
Home
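Review bot: Settings/AllowOnlineTips ends this hunk with no supported-values list. The description says the policy "Enables or disables" retrieval and describes the disabled behaviour, but unlike the neighbouring Settings policies there is no "0 – ... / 1 (default) – ..." list, so the reader cannot tell which integer disables the outbound calls to Microsoft content services or what the default is. Add the list in the empty block this hunk creates.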
@@ -393,8 +399,8 @@ If disabled, Settings will not contact Microsoft content services to retrieve ti
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -402,15 +408,15 @@ If disabled, Settings will not contact Microsoft content services to retrieve ti
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Allows the user to change power and sleep settings.
+Allows the user to change power and sleep settings.
-
+
The following list shows the supported values:
@@ -418,12 +424,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowRegion**
-
+
Home
@@ -445,8 +453,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -454,15 +462,15 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Allows the user to change the region settings.
+Allows the user to change the region settings.
-
+
The following list shows the supported values:
@@ -470,12 +478,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowSignInOptions**
-
+
Home
@@ -497,8 +507,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -506,15 +516,15 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Allows the user to change sign-in options.
+Allows the user to change sign-in options.
-
+
The following list shows the supported values:
@@ -522,12 +532,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowVPN**
-
+
Home
@@ -549,8 +561,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -558,11 +570,11 @@ The following list shows the supported values:
-
-
-
Allows the user to change VPN settings.
+
+
+Allows the user to change VPN settings.
-
+
The following list shows the supported values:
@@ -570,12 +582,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowWorkplace**
-
+
Home
@@ -597,8 +611,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -606,15 +620,15 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Allows user to change workplace settings.
+Allows user to change workplace settings.
-
+
The following list shows the supported values:
@@ -622,12 +636,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowYourAccount**
-
+
Home
@@ -649,8 +665,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -658,11 +674,11 @@ The following list shows the supported values:
-
-
-
Allows user to change account settings.
+
+
+Allows user to change account settings.
-
+
The following list shows the supported values:
@@ -670,12 +686,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/ConfigureTaskbarCalendar**
-
+
Home
@@ -697,8 +715,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -706,24 +724,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – User will be allowed to configure the setting.
- 1 – Don't show additional calendars.
- 2 - Simplified Chinese (Lunar).
- 3 - Traditional Chinese (Lunar).
-
-
+
+
+
-
+
+
**Settings/PageVisibilityList**
-
+
Home
@@ -745,8 +767,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -754,17 +776,17 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:". Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:". Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons.
-
The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively:
+The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively:
-
If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i.e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list.
+If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i.e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list.
-
The format of the PageVisibilityList value is as follows:
+The format of the PageVisibilityList value is as follows:
- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity.
- There are two variants: one that shows only the given pages and one which hides the given pages.
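Review bot: the paragraph on incorrectly formatted strings ("it will be ignored entirely (i.e. treated as not set)") should spell out the consequence for an admin who relies on this policy as a restriction: a typo in the policy string leaves every Settings page visible, with no error surfaced. Suggest adding one sentence saying so and pointing to the validation steps further down the section. Also capitalize "Unicode" in the first format bullet.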
@@ -772,24 +794,26 @@ The following list shows the supported values:
- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace.
- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:wi-fi" would be just "wi-fi".
-
The default value for this setting is an empty string, which is interpreted as show everything.
+The default value for this setting is an empty string, which is interpreted as show everything.
-
Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:wi-fi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden:
+Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:wi-fi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden:
-
Example 2, specifies that the wifi page should not be shown:
+Example 2, specifies that the wifi page should not be shown:
-
hide:wifi
+hide:wifi
-
To validate on Desktop, do the following:
+
+
+To validate on Desktop, do the following:
1. Open System Settings and verfiy that the About page is visible and accessible.
2. Configure the policy with the following string: "hide:about".
3. Open System Settings again and verify that the About page is no longer accessible.
-
-
+
+
Footnote:
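Review bot: Example 2 uses "hide:wifi", but the format rules just above it state that the identifier for ms-settings:wi-fi is "wi-fi", and Example 1 refers to the same URI. As written, the example string does not name the page it claims to hide; change it to "hide:wi-fi". Also, step 1 of the validation list has the typo "verfiy".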
@@ -798,7 +822,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Settings policies supported by Windows Holographic for Business
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index 8dbd4fe36b..f52bfb67a6 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - SmartScreen
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## SmartScreen policies
Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
-
+
The following list shows the supported values:
@@ -77,12 +79,14 @@ The following list shows the supported values:
- 1 – Turns on Application Installation Control, allowing users to only install apps from the Store.
-
+
+
@@ -104,8 +108,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -113,11 +117,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows.
-
+
The following list shows the supported values:
@@ -125,12 +129,14 @@ The following list shows the supported values:
- 1 – Turns on SmartScreen in Windows.
-
+
+
@@ -152,8 +158,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -161,11 +167,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files.
-
+
The following list shows the supported values:
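Review bot: the re-added description line contains a doubled word, "users can can ignore SmartScreen warnings". Fix it in this change. The description says "users" while the value text in the next hunk says "Employees"; pick one term.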
@@ -173,7 +179,7 @@ The following list shows the supported values:
- 1 – Employees cannot ignore SmartScreen warnings and run malicious files.
-
+
Footnote:
@@ -182,5 +188,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
index 0f87f58919..e5c27c3200 100644
--- a/windows/client-management/mdm/policy-csp-speech.md
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - Speech
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Speech policies
Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS).
+
+
+Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS).
-
+
The following list shows the supported values:
@@ -71,7 +73,7 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
Footnote:
@@ -80,5 +82,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index 02f3b03e71..e8122802b3 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - Start
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Start policies
Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -156,12 +158,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
-
+
+
**Start/AllowPinnedFolderDownloads**
-
+
Home
@@ -183,8 +187,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -192,11 +196,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -205,12 +209,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
-
+
+
**Start/AllowPinnedFolderFileExplorer**
-
+
Home
@@ -232,8 +238,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -241,11 +247,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -254,12 +260,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
-
+
+
**Start/AllowPinnedFolderHomeGroup**
-
+
Home
@@ -281,8 +289,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -290,11 +298,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -303,12 +311,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
-
+
+
**Start/AllowPinnedFolderMusic**
-
+
Home
@@ -330,8 +340,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -339,11 +349,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -352,12 +362,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
-
+
+
**Start/AllowPinnedFolderNetwork**
-
+
Home
@@ -379,8 +391,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -388,11 +400,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -401,12 +413,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
@@ -428,8 +442,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -437,11 +451,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -450,12 +464,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
-
+
+
**Start/AllowPinnedFolderPictures**
-
+
Home
@@ -477,8 +493,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -486,11 +502,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -499,12 +515,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
-
+
+
**Start/AllowPinnedFolderSettings**
-
+
Home
@@ -526,8 +544,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -535,11 +553,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -548,12 +566,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
-
+
+
**Start/AllowPinnedFolderVideos**
-
+
Home
@@ -575,8 +595,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -584,11 +604,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -597,12 +617,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
-
+
+
**Start/ForceStartSize**
-
+
Home
@@ -624,8 +646,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -633,29 +655,34 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Forces the start screen size.
+Forces the start screen size.
-
The following list shows the supported values:
+
+If there is policy configuration conflict, the latest configuration request is applied to the device.
+
+
+
+The following list shows the supported values:
- 0 (default) – Do not force size of Start.
- 1 – Force non-fullscreen size of Start.
- 2 - Force a fullscreen size of Start.
-
If there is policy configuration conflict, the latest configuration request is applied to the device.
+
+
-
-
-
+
+
**Start/HideAppList**
-
+
Home
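Review bot: The relocated sentence in the Start/ForceStartSize description, "If there is policy configuration conflict, the latest configuration request is applied to the device.", is missing an article; since the line is being re-added anyway, change it to "If there is a policy configuration conflict, ...". The supported values list directly below it also mixes "–" and "-" as the separator ("1 – Force non-fullscreen size of Start." versus "2 - Force a fullscreen size of Start."); pick one while this section is open.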
@@ -677,8 +704,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -686,37 +713,42 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy requires reboot to take effect.
-
Allows IT Admins to configure Start by collapsing or removing the all apps list.
+Allows IT Admins to configure Start by collapsing or removing the all apps list.
> [!Note]
> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.
-
The following list shows the supported values:
-- 0 (default) – None.
-- 1 – Hide all apps list.
-- 2 - Hide all apps list, and Disable "Show app list in Start menu" in Settings app.
-- 3 - Hide all apps list, remove all apps button, and Disable "Show app list in Start menu" in Settings app.
-
-
To validate on Desktop, do the following:
+To validate on Desktop, do the following:
- 1 - Enable policy and restart explorer.exe
- 2a - If set to '1': Verify that the all apps list is collapsed, and that the Settings toggle is not grayed out.
- 2b - If set to '2': Verify that the all apps list is collapsed, and that the Settings toggle is grayed out.
- 2c - If set to '3': Verify that there is no way of opening the all apps list from Start, and that the Settings toggle is grayed out.
-
-
+
+
+The following list shows the supported values:
+
+- 0 (default) – None.
+- 1 – Hide all apps list.
+- 2 - Hide all apps list, and Disable "Show app list in Start menu" in Settings app.
+- 3 - Hide all apps list, remove all apps button, and Disable "Show app list in Start menu" in Settings app.
+
+
+
+
-
+
+
**Start/HideChangeAccountSettings**
-
+
Home
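Review bot: In Start/HideAppList the supported values list is now added after the validation steps, but steps 2a to 2c ("If set to '1'", "If set to '2'", "If set to '3'") depend on those values, and other policies in this same patch (for example Start/HideFrequentlyUsedApps) put the values list before "To validate on Desktop". Move the list above the validation block so the ordering is consistent. The note at the top says "This policy requires reboot to take effect." while step 1 says "Enable policy and restart explorer.exe"; state which of the two is actually required.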
@@ -738,8 +770,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -747,16 +779,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile.
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the user tile, and verify that "Change account settings" is not available.
-
-
+
The following list shows the supported values:
@@ -764,12 +791,21 @@ The following list shows the supported values:
- 1 - True (hide).
-
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the user tile, and verify that "Change account settings" is not available.
+
+
+
+
-
+
+
**Start/HideFrequentlyUsedApps**
-
+
Home
@@ -791,8 +827,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -800,14 +836,23 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy requires reboot to take effect.
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding most used apps.
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding most used apps.
-
To validate on Desktop, do the following:
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
+To validate on Desktop, do the following:
1. Enable "Show most used apps" in the Settings app.
2. Use some apps to get them into the most used group in Start.
@@ -816,20 +861,15 @@ The following list shows the supported values:
5. Check that "Show most used apps" Settings toggle is grayed out.
6. Check that most used apps do not appear in Start.
-
-
-The following list shows the supported values:
+
+
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
-
-
+
+
**Start/HideHibernate**
-
+
Home
@@ -851,8 +891,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -860,19 +900,15 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button.
-
To validate on Laptop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the Power button, and verify "Hibernate" is not available.
> [!NOTE]
> This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's.
-
+
The following list shows the supported values:
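Review bot: The note "This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's." is left behind as unchanged context in Start/HideHibernate while the "To validate on Laptop" heading and its two steps are removed from this position. It now sits between the description and the supported values list with nothing to attach to. Move the note together with the validation steps, and fix "PC's" to "PCs" at the same time.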
@@ -880,12 +916,21 @@ The following list shows the supported values:
- 1 - True (hide).
-
+
+To validate on Laptop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the Power button, and verify "Hibernate" is not available.
+
+
+
+
-
+
+
**Start/HideLock**
-
+
Home
@@ -907,8 +952,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -916,16 +961,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile.
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the user tile, and verify "Lock" is not available.
-
-
+
The following list shows the supported values:
@@ -933,12 +973,21 @@ The following list shows the supported values:
- 1 - True (hide).
-
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the user tile, and verify "Lock" is not available.
+
+
+
+
-
+
+
**Start/HidePeopleBar**
-
+
Home
@@ -960,8 +1009,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -969,19 +1018,21 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1709. Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar.
+
+
+Added in Windows 10, version 1709. Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar.
-
Value type is integer.
+Value type is integer.
+
+
+
-
-
-
+
+
**Start/HidePowerButton**
-
+
Home
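Review bot: Start/HidePeopleBar ends with only "Value type is integer." and gets no supported values list, unlike the other Start/Hide* policies touched by this patch, which all list "0 (default) – False (do not hide)." and "1 - True (hide).". An admin reading this section cannot tell which integer enables the policy or what the default is; add the supported values list here.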
@@ -1003,8 +1054,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1012,19 +1063,14 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy requires reboot to take effect.
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the Power button from appearing.
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the Power button from appearing.
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, and verify the power button is not available.
-
-
+
The following list shows the supported values:
@@ -1032,12 +1078,21 @@ The following list shows the supported values:
- 1 - True (hide).
-
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, and verify the power button is not available.
+
+
+
+
-
+
+
**Start/HideRecentJumplists**
-
+
Home
@@ -1059,8 +1114,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1068,14 +1123,23 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy requires reboot to take effect.
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently opened items in the jumplists from appearing.
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently opened items in the jumplists from appearing.
-
To validate on Desktop, do the following:
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
+To validate on Desktop, do the following:
1. Enable "Show recently opened items in Jump Lists on Start of the taskbar" in Settings.
2. Pin Photos to the taskbar, and open some images in the photos app.
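Review bot: Step 1 of the Start/HideRecentJumplists validation quotes the Settings toggle as "Show recently opened items in Jump Lists on Start of the taskbar", where "of" reads as a typo for "or"; the quoted label should match the Settings app exactly so the step can be followed. The description added in this hunk also spells the feature "jumplists" while the step uses "Jump Lists"; use one spelling.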
@@ -1087,20 +1151,15 @@ The following list shows the supported values:
8. Repeat Step 2.
9. Right Click pinned photos app and verify that there is no jumplist of recent items.
-
-
-The following list shows the supported values:
+
+
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
-
-
+
+
**Start/HideRecentlyAddedApps**
-
+
Home
@@ -1122,8 +1181,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1131,14 +1190,23 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy requires reboot to take effect.
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently added apps.
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently added apps.
-
To validate on Desktop, do the following:
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
+To validate on Desktop, do the following:
1. Enable "Show recently added apps" in the Settings app.
2. Check if there are recently added apps in Start (if not, install some).
@@ -1147,20 +1215,15 @@ The following list shows the supported values:
5. Check that "Show recently added apps" Settings toggle is grayed out.
6. Check that recently added apps do not appear in Start.
-
-
-The following list shows the supported values:
+
+
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
-
-
+
+
**Start/HideRestart**
-
+
Home
@@ -1182,8 +1245,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1191,29 +1254,33 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button.
-
To validate on Desktop, do the following:
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
+To validate on Desktop, do the following:
1. Enable policy.
2. Open Start, click on the Power button, and verify "Restart" and "Update and restart" are not available.
-
-
-The following list shows the supported values:
+
+
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
-
-
+
+
**Start/HideShutDown**
-
+
Home
@@ -1235,8 +1302,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1244,29 +1311,33 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button.
-
To validate on Desktop, do the following:
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
+To validate on Desktop, do the following:
1. Enable policy.
2. Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" are not available.
-
-
-The following list shows the supported values:
+
+
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
-
-
+
+
**Start/HideSignOut**
-
+
Home
@@ -1288,8 +1359,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1297,29 +1368,33 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile.
-
To validate on Desktop, do the following:
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
+To validate on Desktop, do the following:
1. Enable policy.
2. Open Start, click on the user tile, and verify "Sign out" is not available.
-
-
-The following list shows the supported values:
+
+
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
-
-
+
+
**Start/HideSleep**
-
+
Home
@@ -1341,8 +1416,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1350,29 +1425,33 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button.
-
To validate on Desktop, do the following:
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
+To validate on Desktop, do the following:
1. Enable policy.
2. Open Start, click on the Power button, and verify that "Sleep" is not available.
-
-
-The following list shows the supported values:
+
+
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
-
-
+
+
**Start/HideSwitchAccount**
-
+
Home
@@ -1394,8 +1473,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1403,29 +1482,33 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile.
-
To validate on Desktop, do the following:
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
+To validate on Desktop, do the following:
1. Enable policy.
2. Open Start, click on the user tile, and verify that "Switch account" is not available.
-
-
-The following list shows the supported values:
+
+
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
-
-
+
+
**Start/HideUserTile**
-
+
Home
@@ -1447,8 +1530,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1456,33 +1539,37 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy requires reboot to take effect.
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the user tile.
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the user tile.
-
To validate on Desktop, do the following:
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
+To validate on Desktop, do the following:
1. Enable policy.
2. Log off.
3. Log in, and verify that the user tile is gone from Start.
-
-
-The following list shows the supported values:
+
+
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
-
-
+
+
**Start/ImportEdgeAssets**
-
+
Home
@@ -1504,8 +1591,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1513,32 +1600,36 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy requires reboot to take effect.
-
Added in Windows 10, version 1703. This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files.
+Added in Windows 10, version 1703. This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files.
> [!IMPORTANT]
> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy.
-
The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/en-us/windows/configuration/start-secondary-tiles).
+The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/en-us/windows/configuration/start-secondary-tiles).
-
To validate on Desktop, do the following:
+
+
+To validate on Desktop, do the following:
1. Set policy with an XML for Edge assets.
2. Set StartLayout policy to anything so that it would trigger the Edge assets import.
3. Sign out/in.
4. Verify that all Edge assets defined in XML show up in %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState path.
-
-
+
+
+
-
+
+
**Start/NoPinningToTaskbar**
-
+
Home
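Review bot: The Start/ImportEdgeAssets section opens with "This policy requires reboot to take effect." but validation step 3 only says "Sign out/in."; one of these is wrong or incomplete, and the validation steps should state the action that actually triggers the import. The re-added description also needs a grammar pass: "to pin Edge secondary tiles as weblink that tie to the image asset files" should read "as weblinks that tie to the image asset files".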
@@ -1560,8 +1651,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1569,19 +1660,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar.
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Right click on a program pinned to taskbar.
-3. Verify that "Unpin from taskbar" menu does not show.
-4. Open Start and right click on one of the app list icons.
-5. Verify that More->Pin to taskbar menu does not show.
-
-
+
The following list shows the supported values:
@@ -1589,12 +1672,24 @@ The following list shows the supported values:
- 1 - True (pinning disabled).
-
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Right click on a program pinned to taskbar.
+3. Verify that "Unpin from taskbar" menu does not show.
+4. Open Start and right click on one of the app list icons.
+5. Verify that More->Pin to taskbar menu does not show.
+
+
+
+
-
+
+
**Start/StartLayout**
-
+
Home
@@ -1616,8 +1711,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1626,17 +1721,17 @@ The following list shows the supported values:
-
-
+
+
> [!IMPORTANT]
> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis. For more information, see [Policy scope](./policy-configuration-service-provider.md#policy-scope)
-
Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy
+Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy
-
For further details on how to customize the Start layout, please see [Customize and export Start layout](https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout) and [Configure Windows 10 taskbar](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-10-taskbar).
+For further details on how to customize the Start layout, please see [Customize and export Start layout](https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout) and [Configure Windows 10 taskbar](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-10-taskbar).
-
-
+
+
Footnote:
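Review bot: The re-added Start/StartLayout description ends without a period ("Apps pinned to the taskbar can also be changed with this policy"); add it while the line is being touched. The sentence before it, "If both user and device policies are set, the user policy will be used.", is the precedence rule admins rely on, so consider giving it its own line rather than leaving it in the middle of the paragraph.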
@@ -1645,5 +1740,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index 57e64d4e9f..dbcdfe8bd5 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/13/2017
+ms.date: 01/30/2018
---
# Policy CSP - Storage
@@ -15,7 +15,7 @@ ms.date: 12/13/2017
-
+
## Storage policies
Added in Windows 10, version 1709. Allows disk health model updates.
+
+
+Added in Windows 10, version 1709. Allows disk health model updates.
-
The following list shows the supported values:
+
+Value type is integer.
+
+
+
+The following list shows the supported values:
- 0 - Do not allow
- 1 (default) - Allow
-
Value type is integer.
+
+
-
-
-
+
+
**Storage/EnhancedStorageDevices**
-
+
Home
@@ -102,8 +109,8 @@ ms.date: 12/13/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -111,15 +118,15 @@ ms.date: 12/13/2017
-
-
+
+
This policy setting configures whether or not Windows will activate an Enhanced Storage device.
If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices.
If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -127,15 +134,15 @@ If you disable or do not configure this policy setting, Windows will activate un
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not allow Windows to activate Enhanced Storage devices*
- GP name: *TCGSecurityActivationDisabled*
- GP path: *System/Enhanced Storage Access*
- GP ADMX file name: *enhancedstorage.admx*
-
-
+
+
Footnote:
@@ -144,5 +151,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 909326c959..f45d4b3ddc 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/19/2017
+ms.date: 01/30/2018
---
# Policy CSP - System
@@ -17,7 +17,7 @@ ms.date: 12/19/2017
-
+
## System policies
@@ -68,11 +68,13 @@ ms.date: 12/19/2017
+
-
+
+
**System/AllowBuildPreview**
-
+
Home
@@ -94,8 +96,8 @@ ms.date: 12/19/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -103,29 +105,33 @@ ms.date: 12/19/2017
-
-
+
+
> [!NOTE]
> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise.
-
This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software.
+This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software.
-
If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable.
+If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software.
- 1 – Allowed. Users can make their devices available for downloading and installing preview software.
- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software.
-
-
+
+
+
Specifies whether set general purpose device to be in embedded mode.
+
+
+Specifies whether set general purpose device to be in embedded mode.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
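Review bot: The re-added description "Specifies whether set general purpose device to be in embedded mode." is ungrammatical and hard to parse; suggest "Specifies whether to set a general-purpose device to embedded mode." Earlier in the same hunk, the System/AllowBuildPreview note lists editions as "Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise", with a stray "and" in the middle of the list.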
@@ -170,12 +176,14 @@ The following list shows the supported values:
- 1 – Allowed.
-
+
+
-
+
+
**System/AllowExperimentation**
-
+
Home
@@ -197,8 +205,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -206,28 +214,33 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is not supported in Windows 10, version 1607.
-
This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior.
+This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior.
-
The following list shows the supported values:
+
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
- 0 – Disabled.
- 1 (default) – Permits Microsoft to configure device settings only.
- 2 – Allows Microsoft to conduct full experimentations.
-
Most restricted value is 0.
+
+
-
-
-
+
+
**System/AllowFontProviders**
-
+
Home
@@ -249,8 +262,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -258,22 +271,18 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts.
+
+
+Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts.
-
This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled).
+This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled).
-
This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content.
+This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content.
> [!Note]
> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service.
-
To verify if System/AllowFontProviders is set to true:
-
-- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com.
-
-
+
The following list shows the supported values:
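Review bot: the re-added sentence "This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers" carries two typos over from the removed line. Since the line is being rewritten anyway, change "fond handling" to "font handling" and "has not direct effect" to "has no direct effect".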
@@ -281,12 +290,20 @@ The following list shows the supported values:
- 1 - true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them.
-
+
+To verify if System/AllowFontProviders is set to true:
+
+- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com.
+
+
+
+
-
+
+
**System/AllowLocation**
-
+
Home
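Review bot: the verification step moved below the value list cannot confirm the setting on its own. Value 1 is documented as "There may be network traffic to fs.microsoft.com", so a capture with no such traffic after a reboot does not show that the policy is disabled, and the step is titled only for the true case. Suggest saying what to expect when the policy is disabled (no connections to fs.microsoft.com) and mentioning that restarting the FontCache service is an accepted alternative to the reboot, as the note above the list says.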
@@ -308,8 +325,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -317,31 +334,36 @@ The following list shows the supported values:
-
-
-
Specifies whether to allow app access to the Location service.
+
+
+Specifies whether to allow app access to the Location service.
-
The following list shows the supported values:
+
+Most restricted value is 0.
+
+While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy.
+
+When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting.
+
+For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off.
+
+
+
+The following list shows the supported values:
- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search.
- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off.
- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed.
-
Most restricted value is 0.
+
+
-
While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy.
-
-
When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting.
-
-
For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off.
-
-
-
-
+
+
**System/AllowStorageCard**
-
+
Home
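Review bot: in the added block, the paragraphs that discuss values 0, 1 and 2 ("Most restricted value is 0." through the worked example) now come before the list that defines those values, so a reader meets "0 (Force Location Off)" before its definition. Consider moving them below the list. The text also calls value 1 "User Control" while the list labels it "Location service is allowed"; use one name. In the example, "2 (Force Location On.)" has the period inside the parenthesis.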
@@ -363,8 +385,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -372,13 +394,13 @@ The following list shows the supported values:
-
-
-
Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card.
+
+
+Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -386,12 +408,14 @@ The following list shows the supported values:
- 1 (default) – Allow a storage card.
-
+
+
-
+
+
**System/AllowTelemetry**
-
+
Home
@@ -413,8 +437,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -423,11 +447,11 @@ The following list shows the supported values:
-
-
-
Allow the device to send diagnostic and usage telemetry data, such as Watson.
+
+
+Allow the device to send diagnostic and usage telemetry data, such as Watson.
-
The following tables describe the supported values:
+The following tables describe the supported values:
Windows 8.1 Values:
@@ -500,15 +524,17 @@ Windows 10 Values:
> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1.
-
Most restricted value is 0.
+Most restricted value is 0.
+
+
+
-
-
-
+
+
**System/AllowUserToResetPhone**
-
+
Home
@@ -530,8 +556,8 @@ Windows 10 Values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -539,13 +565,13 @@ Windows 10 Values:
-
-
-
Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination.
+
+
+Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
orted values:
@@ -554,12 +580,14 @@ orted values:
- 1 (default) – Allowed to reset to factory default settings.
-
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -590,11 +618,11 @@ orted values:
-
-
+
+
N/A
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -602,18 +630,20 @@ N/A
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP name: *POL_DriverLoadPolicy_Name*
- GP ADMX file name: *earlylauncham.admx*
-
-
+
+
+
-
+
+
**System/DisableEnterpriseAuthProxy**
-
+
Home
@@ -635,8 +665,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -644,20 +674,19 @@ ADMX Info:
-
-
+
+
This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy.
-
-
+
+
-
-
-
+
+
**System/DisableOneDriveFileSync**
-
+
Home
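Review bot: the System/DisableEnterpriseAuthProxy description ends without a supported-values list or a stated default, unlike the neighbouring System policies in this file. Add the values and say which one corresponds to "Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy", so an admin auditing telemetry egress can tell from the configured value whether the authenticated proxy is in use.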
@@ -679,8 +708,8 @@ This policy setting blocks the Connected User Experience and Telemetry service f
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -688,9 +717,9 @@ This policy setting blocks the Connected User Experience and Telemetry service f
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting:
+
+
+Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting:
* Users cannot access OneDrive from the OneDrive app or file picker.
* Microsoft Store apps cannot access OneDrive using the WinRT API.
@@ -698,15 +727,9 @@ This policy setting blocks the Connected User Experience and Telemetry service f
* OneDrive files are not kept in sync with the cloud.
* Users cannot automatically upload photos and videos from the camera roll folder.
-
If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
+If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Restart machine.
-3. Verify that OneDrive.exe is not running in Task Manager.
-
-
+
The following list shows the supported values:
@@ -714,12 +737,22 @@ The following list shows the supported values:
- 1 – True (sync disabled).
-
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Restart machine.
+3. Verify that OneDrive.exe is not running in Task Manager.
+
+
+
+
-
+
+
**System/DisableSystemRestore**
-
+
Home
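Review bot: the relocated validation steps are under-specified. Step 1 says "Enable policy." without the value; the list above gives "1 – True (sync disabled)", so name it. Step 3 checks only that OneDrive.exe is not running, which does not exercise the other effects the description lists (file picker access, Microsoft Store apps using the WinRT API); add a check for at least one of those, or say that the step covers the sync client only.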
@@ -741,8 +774,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -750,8 +783,8 @@ The following list shows the supported values:
-
-
+
+
Allows you to disable System Restore.
This policy setting allows you to turn off System Restore.
@@ -764,7 +797,7 @@ If you disable or do not configure this policy setting, users can perform System
Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -772,20 +805,22 @@ Also, see the "Turn off System Restore configuration" policy setting. If the "Tu
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off System Restore*
- GP name: *SR_DisableSR*
- GP path: *System/System Restore*
- GP ADMX file name: *systemrestore.admx*
-
-
+
+
+
-
+
+
**System/FeedbackHubAlwaysSaveDiagnosticsLocally**
-
+
Home
@@ -793,6 +828,8 @@ ADMX Info:
Business
Enterprise
Education
+
Mobile
+
Mobile Enterprise
4
@@ -800,11 +837,13 @@ ADMX Info:
4
4
4
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -812,11 +851,11 @@ ADMX Info:
-
-
+
+
Added in Windows 10, next major update. When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations.
-
+
The following list shows the supported values:
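Review bot: "Added in Windows 10, next major update." is a placeholder that will go stale, and the footnote legend in this file only defines concrete releases (1703, 1709). Replace it with the version number once it is known. In the same paragraph, "save it locally" refers to "diagnostic logs"; use "save them locally".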
@@ -824,18 +863,14 @@ The following list shows the supported values:
- 1 - True. The Feedback Hub should always save a local copy of diagnostics that may be created when a feedback is submitted.
-
+
-
-
-
-
-
-
+
+
**System/LimitEnhancedDiagnosticDataWindowsAnalytics**
-
+
Home
@@ -857,8 +892,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -866,30 +901,32 @@ The following list shows the supported values:
-
-
-
This policy setting, in combination with the System/AllowTelemetry
+
+
+This policy setting, in combination with the System/AllowTelemetry
policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services.
-
To enable this behavior you must complete two steps:
+To enable this behavior you must complete two steps:
Enable this policy setting
Set Allow Telemetry to level 2 (Enhanced)
-
When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](https://go.microsoft.com/fwlink/?linkid=847594).
+When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](https://go.microsoft.com/fwlink/?linkid=847594).
-
Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft.
+Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft.
-
If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy.
+If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy.
+
+
+
-
-
-
+
+
**System/TelemetryProxy**
-
+
Home
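Review bot: the two prerequisite steps, "Enable this policy setting" and "Set Allow Telemetry to level 2 (Enhanced)", are plain consecutive lines and will render as one run-on paragraph in Markdown; make them a numbered list. The opening sentence is also split mid-sentence after "System/AllowTelemetry", and the section gives no supported-values list, so "enable" has no documented value for an MDM payload.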
@@ -911,8 +948,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -920,14 +957,14 @@ The following list shows the supported values:
-
-
-
Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device.
+
+
+Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device.
-
If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration.
+If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration.
-
-
+
+
Footnote:
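Review bot: in the added System/TelemetryProxy description, the format string (server and port, each in angle brackets, wrapped in asterisks) is likely to be parsed as HTML tags by Markdown renderers, which would leave only the colon visible. Put the format in backticks instead. Also consider giving the current protocol name (TLS) next to "Secure Sockets Layer (SSL)".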
@@ -936,7 +973,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## System policies that can be set using Exchange Active Sync (EAS)
diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md
index c307f1e57f..7071a57f68 100644
--- a/windows/client-management/mdm/policy-csp-systemservices.md
+++ b/windows/client-management/mdm/policy-csp-systemservices.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/03/2018
+ms.date: 01/30/2018
---
# Policy CSP - SystemServices
@@ -17,7 +17,7 @@ ms.date: 01/03/2018
-
+
## SystemServices policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -76,26 +78,19 @@ ms.date: 01/03/2018
-
-
+
+
Added in Windows 10, next major update. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**SystemServices/ConfigureHomeGroupProviderServiceStartupMode**
-
+
Home
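Review bot: the unchanged description line reads "Automaic(2)"; correct it to "Automatic (2)" while this file is being touched, here and in the five later sections of this file that repeat the same sentence. The sentence also says only "the service's start type" without naming the service, so the six sections are distinguishable only by their headings.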
@@ -117,8 +112,8 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -126,26 +121,19 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
+
+
Added in Windows 10, next major update. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode**
-
+
Home
@@ -167,8 +155,8 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -176,26 +164,19 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
+
+
Added in Windows 10, next major update. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode**
-
+
Home
@@ -217,8 +198,8 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -226,26 +207,19 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
+
+
Added in Windows 10, next major update. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode**
-
+
Home
@@ -267,8 +241,8 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -276,26 +250,19 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
+
+
Added in Windows 10, next major update. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode**
-
+
Home
@@ -317,8 +284,8 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -326,21 +293,12 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
+
+
Added in Windows 10, next major update. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
-
-
-
-
-
-
-
-
-
-
-
+
+
Footnote:
@@ -349,5 +307,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md
index 0a8f13c708..e55edde857 100644
--- a/windows/client-management/mdm/policy-csp-taskscheduler.md
+++ b/windows/client-management/mdm/policy-csp-taskscheduler.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/03/2018
+ms.date: 01/30/2018
---
# Policy CSP - TaskScheduler
@@ -17,7 +17,7 @@ ms.date: 01/03/2018
-
+
## TaskScheduler policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -61,21 +63,12 @@ ms.date: 01/03/2018
-
-
+
+
Added in Windows 10, next major update. This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled.
-
-
-
-
-
-
-
-
-
-
-
+
+
Footnote:
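Review bot: "whether the specific task is enabled (1) or disabled (0)" never names the task, and the section has no supported-values list like the other policy pages in this change. Name the scheduled task in the description and list 0 and 1 with the default marked.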
@@ -84,5 +77,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index d6e2d91c96..ef51165474 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/19/2017
+ms.date: 01/30/2018
---
# Policy CSP - TextInput
@@ -17,7 +17,7 @@ ms.date: 12/19/2017
-
+
## TextInput policies
@@ -65,11 +65,13 @@ ms.date: 12/19/2017
+
-
+
+
**TextInput/AllowIMELogging**
-
+
Home
@@ -91,8 +93,8 @@ ms.date: 12/19/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -100,17 +102,17 @@ ms.date: 12/19/2017
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input.
+Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
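Review bot: the re-added description, "Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input.", can be parsed several ways, and it is unclear whether the policy governs one feature or three. Since the setting involves saving data to a file, split the sentence into a short list of what value 0 turns off.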
@@ -118,12 +120,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**TextInput/AllowIMENetworkAccess**
-
+
Home
@@ -145,8 +149,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -154,17 +158,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary.
+Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -172,12 +176,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**TextInput/AllowInputPanel**
-
+
Home
@@ -199,8 +205,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -208,17 +214,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the IT admin to disable the touch/handwriting keyboard on Windows.
+Allows the IT admin to disable the touch/handwriting keyboard on Windows.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -226,12 +232,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -253,8 +261,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -262,28 +270,33 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the Japanese IME surrogate pair characters.
+Allows the Japanese IME surrogate pair characters.
-
The following list shows the supported values:
+
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
@@ -305,8 +318,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -314,17 +327,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows Japanese Ideographic Variation Sequence (IVS) characters.
+Allows Japanese Ideographic Variation Sequence (IVS) characters.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -332,12 +345,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -359,8 +374,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -368,17 +383,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the Japanese non-publishing standard glyph.
+Allows the Japanese non-publishing standard glyph.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -386,12 +401,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -413,8 +430,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -422,17 +439,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the Japanese user dictionary.
+Allows the Japanese user dictionary.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -440,12 +457,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -467,8 +486,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -476,22 +495,16 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Added in Windows 10, version 1703. Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled.
+Added in Windows 10, version 1703. Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled.
-
Most restricted value is 0.
+Most restricted value is 0.
-
To validate that text prediction is disabled on Windows 10 for desktop, do the following:
-
-1. Search for and launch the on-screen keyboard. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Use Text Prediction” setting is enabled from the options button.
-2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app.
-3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool.
-
-
+
The following list shows the supported values:
@@ -499,21 +512,33 @@ The following list shows the supported values:
- 1 (default) – Enabled.
-
+
+To validate that text prediction is disabled on Windows 10 for desktop, do the following:
+
+1. Search for and launch the on-screen keyboard. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Use Text Prediction” setting is enabled from the options button.
+2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app.
+3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool.
+
+
+
+
-
+
+
**TextInput/AllowKoreanExtendedHanja**
-
-
This policy has been deprecated.
+
+This policy has been deprecated.
+
+
+
-
-
@@ -535,8 +560,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -544,17 +569,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the uninstall of language features, such as spell checkers, on a device.
+Allows the uninstall of language features, such as spell checkers, on a device.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -562,12 +587,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -589,8 +616,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -598,8 +625,8 @@ The following list shows the supported values:
-
-
+
+
Added in Windows 10, next major update. This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode.
The touch keyboard is enabled in both the tablet and desktop mode. In the tablet mode, when you touch a textbox, the touch keyboard automatically shows up.
@@ -608,27 +635,22 @@ When this policy is enabled, the touch keyboard automatically shows up when the
This policy corresponds to "Show the touch keyboard when not in tablet mode and there's no keyboard attached" in the Settings app.
-
+
The following list shows the supported values:
- 0 (default) - Disabled.
- 1 - Enabled.
-
-
+
-
-
-
-
-
-
+
+
**TextInput/ExcludeJapaneseIMEExceptJIS0208**
-
+
Home
@@ -650,8 +672,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -659,26 +681,30 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the users to restrict character code range of conversion by setting the character filter.
+Allows the users to restrict character code range of conversion by setting the character filter.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – No characters are filtered.
- 1 – All characters except JIS0208 are filtered.
-
-
+
+
+
@@ -700,8 +726,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -709,26 +735,30 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the users to restrict character code range of conversion by setting the character filter.
+Allows the users to restrict character code range of conversion by setting the character filter.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – No characters are filtered.
- 1 – All characters except JIS0208 and EUDC are filtered.
-
-
+
+
+
@@ -750,8 +780,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -759,21 +789,23 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the users to restrict character code range of conversion by setting the character filter.
+Allows the users to restrict character code range of conversion by setting the character filter.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – No characters are filtered.
- 1 – All characters except ShiftJIS are filtered.
-
-
+
+
Footnote:
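Review bot: The re-added description is the same sentence for all three character-filter policies in this part of the file ("Allows the users to restrict character code range of conversion by setting the character filter."), so only the value list tells them apart. Since these lines are being touched anyway, name in each description the character set that policy keeps (JIS0208, JIS0208 and EUDC, ShiftJIS).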
@@ -782,7 +814,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## TextInput policies supported by Microsoft Surface Hub
diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
index 42221e6fde..c926c03e45 100644
--- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - TimeLanguageSettings
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## TimeLanguageSettings policies
Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting.
+
+
+Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting.
-
+
The following list shows the supported values:
@@ -71,7 +73,7 @@ The following list shows the supported values:
- 1 (default) – Set 24 hour clock.
-
+
Footnote:
@@ -80,5 +82,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 6a8faf5e69..47a34b96dd 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/19/2017
+ms.date: 01/30/2018
---
# Policy CSP - Update
@@ -17,7 +17,7 @@ ms.date: 12/19/2017
-
+
## Update policies
Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
+
+
+Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
> [!NOTE]
> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
-
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
+Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
-
The default is 17 (5 PM).
+The default is 17 (5 PM).
+
+
+
-
-
Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
+
+
+Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
-
Supported values are 8-18.
+Supported values are 8-18.
-
The default value is 18 (hours).
+The default value is 18 (hours).
+
+
+
-
-
Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
+
+
+Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
> [!NOTE]
> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
-
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
+Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
-
The default value is 8 (8 AM).
+The default value is 8 (8 AM).
+
+
+
-
-
Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
+
+
+Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
-
The following list shows the supported values:
+
+> [!IMPORTANT]
+> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
+
+
+If the policy is not configured, end-users get the default behavior (Auto install and restart).
+
+
+
+The following list shows the supported values:
- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.
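Review bot: The [!IMPORTANT] callout added ahead of "The following list shows the supported values:" still reads "This option should be used only for systems under regulatory compliance, as you will not get security updates as well." In its old position it followed "5 – Turn off automatic updates", so "This option" now has no antecedent and can be read as applying to the whole policy. Keep the callout directly under value 5, or reword it to name the value, for example "Value 5 (Turn off automatic updates) should be used only for systems under regulatory compliance ...".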
@@ -355,19 +375,15 @@ ms.date: 12/19/2017
- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.
- 5 – Turn off automatic updates.
-> [!IMPORTANT]
-> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
-
+
+
-
If the policy is not configured, end-users get the default behavior (Auto install and restart).
-
-
-
Added in Windows 10, version 1709. Option to download updates automatically over metered connections (off by default). Value type is integer.
-
-- 0 (default) - Not allowed
-- 1 - Allowed
+
+
+Added in Windows 10, version 1709. Option to download updates automatically over metered connections (off by default). Value type is integer.
A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates.
This policy is accessible through the Update setting in the user interface or Group Policy.
-
-
+
+
+The following list shows the supported values:
+
+- 0 (default) - Not allowed
+- 1 - Allowed
+
+
+
+
-
+
+
**Update/AllowMUUpdateService**
-
+
Home
@@ -437,8 +459,8 @@ This policy is accessible through the Update setting in the user interface or Gr
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -446,22 +468,26 @@ This policy is accessible through the Update setting in the user interface or Gr
-
-
-
Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
+
+
+Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not allowed or not configured.
- 1 – Allowed. Accepts updates received through Microsoft Update.
-
-
+
+
+
@@ -483,8 +509,8 @@ This policy is accessible through the Update setting in the user interface or Gr
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -492,15 +518,15 @@ This policy is accessible through the Update setting in the user interface or Gr
-
-
-
Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution.
+
+
+Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
-
This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
+This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
-
+
The following list shows the supported values:
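Review bot: The first and third added description paragraphs state the same thing twice (whether Automatic Updates accepts updates signed by entities other than Microsoft, once for "the UpdateServiceUrl location" and once for "an intranet Microsoft update service location"). Merge them into one paragraph, and state there the condition that currently appears only in the value list: updates are accepted only if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.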
@@ -508,12 +534,14 @@ The following list shows the supported values:
- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
-
+
+
-
+
+
**Update/AllowUpdateService**
-
+
Home
@@ -535,8 +563,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -544,18 +572,18 @@ The following list shows the supported values:
-
-
-
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store.
+
+
+Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store.
-
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store
+Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store
-
Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working.
+Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working.
> [!NOTE]
> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
-
+
The following list shows the supported values:
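Review bot: "Enabling this policy will disable that functionality" is ambiguous next to the value list, where 1 (default) means "Update service is allowed"; a reader cannot tell which value stops the periodic retrieval of information from the public Windows Update service. Say which value has that effect. The preceding added paragraph also lacks its final period after "the Microsoft Store".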
@@ -563,12 +591,14 @@ The following list shows the supported values:
- 1 (default) – Update service is allowed.
-
+
+
@@ -590,8 +620,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -599,21 +629,23 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory.
+
+
+Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory.
-
Supported values are 2-30 days.
+Supported values are 2-30 days.
-
The default value is 7 days.
+The default value is 7 days.
+
+
+
-
-
@@ -635,8 +667,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -644,23 +676,25 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
-
The default value is 15 (minutes).
+The default value is 15 (minutes).
-
+
Supported values are 15, 30, 60, 120, and 240 (minutes).
-
+
+
@@ -682,8 +716,8 @@ Supported values are 15, 30, 60, 120, and 240 (minutes).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -691,22 +725,26 @@ Supported values are 15, 30, 60, 120, and 240 (minutes).
-
-
-
Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 1 (default) – Auto Dismissal.
- 2 – User Dismissal.
-
-
+
+
+
-
+
+
**Update/BranchReadinessLevel**
-
+
Home
@@ -728,8 +766,8 @@ Supported values are 15, 30, 60, 120, and 240 (minutes).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -737,11 +775,11 @@ Supported values are 15, 30, 60, 120, and 240 (minutes).
-
-
-
Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
+
+
+Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
-
+
The following list shows the supported values:
@@ -752,12 +790,48 @@ The following list shows the supported values:
- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel.
-
+
+
+
+
+
+Added in Windows 10, next major update. Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days.
+
+
+
+
+
+
+
**Update/DeferFeatureUpdatesPeriodInDays**
-
+
Home
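Review bot: The new paragraph "Added in Windows 10, next major update. Enable IT admin to configure feature update uninstall period." uses a placeholder release name and a sentence fragment, unlike the other entries in this file, which name the version and read "Allows the IT admin to ...". Replace "next major update" with the version once it is known, and state the range and default the way the neighbouring entries do ("Supported values are 2-60 days. The default value is 10 days.").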
@@ -779,8 +853,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -788,24 +862,26 @@ The following list shows the supported values:
-
-
-
Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
+
+
+Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
-
Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
+Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
-
Supported values are 0-365 days.
+Supported values are 0-365 days.
> [!IMPORTANT]
> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703.
-
-
+
+
+
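Review bot: The Windows 10 Mobile caveat ("Since this policy is not blocked, you will not get a failure message ...") is re-added as a plain paragraph ahead of the "Added in Windows 10, version 1607" description, while the same sentence under Update/DeferUpgradePeriod and under the driver-exclusion policy later in this file sits in a "> [!NOTE]" block. Wrap it in a NOTE here too so it is not read as the policy description.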
@@ -827,8 +903,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -836,19 +912,21 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
+
+
+Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
-
Supported values are 0-30.
+Supported values are 0-30.
+
+
+
-
-
-
+
+
**Update/DeferUpdatePeriod**
-
+
Home
@@ -870,8 +948,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -879,24 +957,24 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
-
Allows IT Admins to specify update delays for up to 4 weeks.
+Allows IT Admins to specify update delays for up to 4 weeks.
-
Supported values are 0-4, which refers to the number of weeks to defer updates.
+Supported values are 0-4, which refers to the number of weeks to defer updates.
-
In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following:
+In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following:
- Update/RequireDeferUpgrade must be set to 1
- System/AllowTelemetry must be set to 1 or higher
-
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
-
If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
OS upgrade:
- Maximum deferral: 8 months
@@ -976,13 +1054,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-->
-
-
+
+
+
-
+
+
**Update/DeferUpgradePeriod**
-
+
Home
@@ -1004,8 +1084,8 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1013,29 +1093,31 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
+
+
> [!NOTE]
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
-
Allows IT Admins to specify additional upgrade delays for up to 8 months.
+Allows IT Admins to specify additional upgrade delays for up to 8 months.
-
Supported values are 0-8, which refers to the number of months to defer upgrades.
+Supported values are 0-8, which refers to the number of months to defer upgrades.
-
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
-
If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+
+
+
-
-
-
+
+
**Update/DetectionFrequency**
-
+
Home
@@ -1057,8 +1139,8 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1066,17 +1148,19 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
-
Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.
+
+
+Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.
+
+
+
-
-
-
+
+
**Update/DisableDualScan**
-
+
Home
@@ -1098,8 +1182,8 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1107,26 +1191,32 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
-
Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like.
+
+
+Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like.
-
For more information about dual scan, see [Demystifying "Dual Scan"](https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/) and [Improving Dual Scan on 1607](https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/).
+For more information about dual scan, see [Demystifying "Dual Scan"](https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/) and [Improving Dual Scan on 1607](https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/).
+
+This is the same as the Group Policy in Windows Components > Window Update "Do not allow update deferral policies to cause scans against Windows Update."
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+The following list shows the supported values:
- 0 - allow scan against Windows Update
-- 1 - do not allow update deferral policies to cause scans against Windows Update
+- 1 - do not allow update deferral policies to cause scans against Windows Update
-
This is the same as the Group Policy in Windows Components > Window Update "Do not allow update deferral policies to cause scans against Windows Update."
+
+
-
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
-
-
+
+
**Update/EngagedRestartDeadline**
-
+
Home
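Review bot: The moved Group Policy sentence keeps the typo "Window Update" in the path "Windows Components > Window Update", and the description still says "scanning Windows update"; both should read "Windows Update". The opening "Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases" is also hard to parse and could read "Added in Windows 10, version 1709, and in service releases for versions 1607 and 1703".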
@@ -1148,8 +1238,8 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1157,21 +1247,23 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
-
Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).
-
Supported values are 2-30 days.
+Supported values are 2-30 days.
-
The default value is 0 days (not specified).
+The default value is 0 days (not specified).
+
+
+
-
-
-
+
+
**Update/EngagedRestartSnoozeSchedule**
-
+
Home
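Review bot: "Supported values are 2-30 days" contradicts the next added line, "The default value is 0 days (not specified)", and the description itself gives 0 a meaning ("If no deadline is specified or deadline is set to 0, the restart will not be automatically executed"). List 0 explicitly, for example "Supported values are 0 (not specified) and 2-30 days."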
@@ -1193,8 +1285,8 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1202,21 +1294,23 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
-
Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
-
Supported values are 1-3 days.
+Supported values are 1-3 days.
-
The default value is 3 days.
+The default value is 3 days.
+
+
+
-
-
@@ -1238,8 +1332,8 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1247,21 +1341,23 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
-
Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
-
Supported values are 2-30 days.
+Supported values are 2-30 days.
-
The default value is 7 days.
+The default value is 7 days.
+
+
+
-
-
@@ -1283,8 +1379,8 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1292,25 +1388,29 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
+
+
> [!NOTE]
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
-
Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
+Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Allow Windows Update drivers.
- 1 – Exclude Windows Update drivers.
-
-
+
+
+
-
+
+
**Update/FillEmptyContentUrls**
-
+
Home
@@ -1332,8 +1432,8 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1341,25 +1441,29 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
-
Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL).
+
+
+Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL).
> [!NOTE]
> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Disabled.
- 1 – Enabled.
-
-
+
+
+
-
+
+
**Update/IgnoreMOAppDownloadLimit**
-
+
Home
@@ -1381,8 +1485,8 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1390,15 +1494,23 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
-
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
+
+
+Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
+
+
+The following list shows the supported values:
-
To validate this policy:
+- 0 (default) – Do not ignore MO download limit for apps and their updates.
+- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates.
+
+
+
+To validate this policy:
1. Enable the policy ensure the device is on a cellular network.
2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
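Review bot: Step 1 of the validation steps reads "Enable the policy ensure the device is on a cellular network", missing the "and" that the matching step under the OS-update policy has ("Enable the policy and ensure the device is on a cellular network"). Fix it while this block is being moved below the supported-values list.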
@@ -1408,20 +1520,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
3. Verify that any downloads that are above the download size limit will complete without being paused.
-
-
-The following list shows the supported values:
+
+
-- 0 (default) – Do not ignore MO download limit for apps and their updates.
-- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates.
-
-
-
-
+
+
**Update/IgnoreMOUpdateDownloadLimit**
-
+
Home
@@ -1443,8 +1550,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1452,23 +1559,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
+
+
+Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
-
To validate this policy:
-
-1. Enable the policy and ensure the device is on a cellular network.
-2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""`
3. Verify that any downloads that are above the download size limit will complete without being paused.
-
+
The following list shows the supported values:
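Review bot: Step 3 ("Verify that any downloads that are above the download size limit will complete without being paused.") stays as an unchanged line above "The following list shows the supported values:", while the "To validate this policy:" heading and steps 1 and 2 in front of it are removed. After this change the page shows an orphaned step 3 directly under the warning. Move step 3 together with the rest of the procedure.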
@@ -1476,12 +1579,21 @@ The following list shows the supported values:
- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates.
-
+
+To validate this policy:
+
+1. Enable the policy and ensure the device is on a cellular network.
+2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
+
+
+
+
-
+
+
**Update/ManagePreviewBuilds**
-
+
Home
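Review bot: The re-added validation procedure stops at step 2, which ends with "run the following commands in TShell:" but is followed by no command in the added lines. The `exec-device schtasks.exe` line for `AUScheduledInstall` that the previous hunk removes should be added back after step 2, followed by step 3, so the procedure is complete and sits in one place after the supported values.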
@@ -1503,8 +1615,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1512,23 +1624,27 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1709. Used to manage Windows 10 Insider Preview builds. Value type is integer.
+
+
+Added in Windows 10, version 1709. Used to manage Windows 10 Insider Preview builds. Value type is integer.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 - Disable Preview builds
- 1 - Disable Preview builds once the next release is public
- 2 - Enable Preview builds
-
-
+
+
+
-
+
+
**Update/PauseDeferrals**
-
+
Home
@@ -1550,8 +1666,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1559,30 +1675,35 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
-
Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks.
+Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks.
-
The following list shows the supported values:
+
+If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+
+If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+
+
+
+The following list shows the supported values:
- 0 (default) – Deferrals are not paused.
- 1 – Deferrals are paused.
-
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+
+
-
If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
-
-
-
-
+
+
**Update/PauseFeatureUpdates**
-
+
Home
@@ -1604,8 +1725,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1613,25 +1734,29 @@ The following list shows the supported values:
-
-
-
Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
+
+
+Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
-
Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
+Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Feature Updates are not paused.
- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
-
-
+
+
+
-
+
+
**Update/PauseFeatureUpdatesStartTime**
-
+
Home
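Review bot: The description of Update/PauseFeatureUpdates now opens with the Windows 10 Mobile exception ("Since this policy is not blocked, you will not get a failure message ...") before the sentence that says what the policy does. Put "Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days." first and keep the Mobile remark as a note after it. In the value list, "until value set to back to 0" has a stray "to"; Update/PauseQualityUpdates has "until value set back to 0".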
@@ -1653,8 +1778,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1662,19 +1787,21 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates.
+
+
+Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates.
-
Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Value type is string. Supported operations are Add, Get, Delete, and Replace.
+
+
+
-
-
-
+
+
**Update/PauseQualityUpdates**
-
+
Home
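Review bot: Update/PauseFeatureUpdatesStartTime is documented as "Value type is string" for a date and time, but the expected string format is not stated anywhere in the lines shown. Add the accepted format with one sample value, and say whether the time is interpreted as local or UTC. The same gap applies to Update/PauseQualityUpdatesStartTime, which uses identical wording.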
@@ -1696,8 +1823,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1705,22 +1832,26 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
+
+
+Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Quality Updates are not paused.
- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
-
-
+
+
+
-
+
+
**Update/PauseQualityUpdatesStartTime**
-
+
Home
@@ -1742,8 +1873,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1751,36 +1882,32 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates.
+
+
+Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates.
-
Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Value type is string. Supported operations are Add, Get, Delete, and Replace.
+
+
+
-
-
-
+
+
**Update/PhoneUpdateRestrictions**
-
-
This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupdateapproval) instead.
-
-
+
+This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupdateapproval) instead.
-
-
+
+
-
-
-
-
-
-
+
+
**Update/RequireDeferUpgrade**
-
+
Home
@@ -1802,8 +1929,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1811,26 +1938,30 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
-
Allows the IT admin to set a device to Semi-Annual Channel train.
+Allows the IT admin to set a device to Semi-Annual Channel train.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – User gets upgrades from Semi-Annual Channel (Targeted).
- 1 – User gets upgrades from Semi-Annual Channel.
-
-
+
+
+
-
+
+
**Update/RequireUpdateApproval**
-
+
Home
@@ -1852,8 +1983,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1861,28 +1992,32 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
-
Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
+Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not configured. The device installs all applicable updates.
- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
-
-
+
+
+
@@ -1904,8 +2039,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1913,23 +2048,25 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
-
The default value is 15 (minutes).
+The default value is 15 (minutes).
-
+
Supported values are 15, 30, or 60 (minutes).
-
+
+
-
+
+
**Update/ScheduleRestartWarning**
-
+
Home
@@ -1951,8 +2088,8 @@ Supported values are 15, 30, or 60 (minutes).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1960,27 +2097,29 @@ Supported values are 15, 30, or 60 (minutes).
-
-
+
+
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications.
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications.
-
The default value is 4 (hours).
+The default value is 4 (hours).
-
+
Supported values are 2, 4, 8, 12, or 24 (hours).
-
+
+
-
+
+
**Update/ScheduledInstallDay**
-
+
Home
@@ -2002,8 +2141,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2011,15 +2150,17 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
-
Enables the IT admin to schedule the day of the update installation.
+
+
+Enables the IT admin to schedule the day of the update installation.
-
The data type is a integer.
+The data type is a integer.
-
Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Every day
- 1 – Sunday
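Review bot: The added line "The data type is a integer." carries over the article error from the removed line; it should read "an integer". The same sentence appears again in the hunk that adds "Enables the IT admin to schedule the time of the update installation."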
@@ -2030,13 +2171,15 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
- 6 – Friday
- 7 – Saturday
-
-
+
+
+
-
+
+
**Update/ScheduledInstallEveryWeek**
-
+
Home
@@ -2058,8 +2201,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2067,21 +2210,23 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
-
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values:
+
+
+Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values:
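Review bot: The added sentence for Update/ScheduledInstallEveryWeek says "schedule the update installation on the every week", which does not parse. The sibling policies in the later hunks use "on the first week of the month", so this one should read "every week". The line also ends with "Supported values:" run into the paragraph; give the values their own list, introduced the way the other policies do with "The following list shows the supported values:".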
@@ -2103,8 +2248,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2112,21 +2257,23 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
-
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values:
+
+
+Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values:
0 - no update in the schedule
1 - update is scheduled every first week of the month
@@ -2148,8 +2295,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2157,21 +2304,23 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
-
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values:
+
+
+Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values:
0 - no update in the schedule
1 - update is scheduled every fourth week of the month
@@ -2193,8 +2342,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2202,21 +2351,23 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
-
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values:
+
+
+Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values:
0 - no update in the schedule
1 - update is scheduled every second week of the month
@@ -2238,8 +2389,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2247,21 +2398,23 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
-
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values:
+
+
+Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values:
0 - no update in the schedule
1 - update is scheduled every third week of the month
@@ -2283,8 +2436,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2292,29 +2445,31 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
Enables the IT admin to schedule the time of the update installation.
+Enables the IT admin to schedule the time of the update installation.
-
The data type is a integer.
+The data type is a integer.
-
Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
-
Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
+Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
-
The default value is 3.
+The default value is 3.
+
+
+
-
-
@@ -2336,8 +2491,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2345,22 +2500,26 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
-
Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations.
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Enabled
- 1 – Disabled
-
-
+
+
+
-
+
+
**Update/SetEDURestart**
-
+
Home
@@ -2382,8 +2541,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2391,22 +2550,26 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
-
Added in Windows 10, version 1703. For devices in a cart, this policy skips the check for battery level to ensure that the reboot will happen at ScheduledInstallTime.
+
+
+Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 - not configured
- 1 - configured
-
-
+
+
+
-
+
+
**Update/UpdateServiceUrl**
-
+
Home
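Review bot: The Update/SetEDURestart description changes from "skips the check for battery level" to "skips all restart checks", which is a behavior statement change, not a layout change like the rest of this patch. Confirm that the new wording is accurate and list which restart checks are skipped, since admins will rely on this to know when a device may reboot. The values "0 - not configured" and "1 - configured" would also be clearer if they said what the device does in each case.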
@@ -2428,8 +2591,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2437,20 +2600,24 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
> [!Important]
> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile.
-
Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet.
+Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- Not configured. The device checks for updates from Microsoft Update.
- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL.
+
+
Example
``` syntax
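Review bot: The only sample value in the Update/UpdateServiceUrl list is a plain-HTTP URL, `http://abcd-srv:8530`, for a policy that decides which server the device trusts for update checks. Consider showing an `https://` example, or adding a note about securing the connection to the WSUS server, so the sample is not copied as-is into production profiles. In the `[!Important]` note, "Enteprise" should be "Enterprise".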
@@ -2469,13 +2636,15 @@ Example
```
-
-
+
+
+
-
+
+
**Update/UpdateServiceUrlAlternate**
-
+
Home
@@ -2497,8 +2666,8 @@ Example
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2506,23 +2675,23 @@ Example
-
-
-
Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
+
+
+Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
-
This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
+This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
-
To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
+To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
-
Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
+Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
> [!Note]
> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates.
> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
-
-
+
+
Footnote:
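Review bot: The Update/UpdateServiceUrlAlternate description says "you must set two server name values" and mentions "An optional server name value", but the next paragraph states that the value type is a single string. Nothing in these lines explains how those server names map onto this policy's string value or how the policy relates to Update/UpdateServiceUrl. Add a sentence or a sample value showing what an MDM should send for this node.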
@@ -2531,7 +2700,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Update policies supported by Windows Holographic for Business
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index 5a1943db52..b091456af0 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/03/2018
+ms.date: 01/30/2018
---
# Policy CSP - UserRights
@@ -17,7 +17,7 @@ ms.date: 01/03/2018
-
+
## UserRights policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -145,26 +147,19 @@ ms.date: 01/03/2018
-
-
+
+
This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/AccessFromNetwork**
-
+
Home
@@ -186,8 +181,8 @@ This user right is used by Credential Manager during Backup/Restore. No accounts
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -195,26 +190,19 @@ This user right is used by Credential Manager during Backup/Restore. No accounts
-
-
+
+
This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/ActAsPartOfTheOperatingSystem**
-
+
Home
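Review bot: In the UserRights/AccessFromNetwork description, the note is run into the preceding sentence with no space ("not affected by this user right.Note: Remote Desktop Services was called ..."). Split it out as a `> [!NOTE]` block, which is the convention the Update policies in this same patch use.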
@@ -236,8 +224,8 @@ This user right determines which users and groups are allowed to connect to the
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -245,26 +233,19 @@ This user right determines which users and groups are allowed to connect to the
-
-
+
+
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/AllowLocalLogOn**
-
+
Home
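Review bot: The security caution for UserRights/ActAsPartOfTheOperatingSystem is buried at the end of the paragraph as "Caution:Assigning this user right can be a security risk", with no space after the colon. For a right that lets a process impersonate any user without authentication, promote it to a `> [!WARNING]` callout like the one used for the MO download limit policies. The inline "Caution:" text in the BackupFilesAndDirectories, CreateGlobalObjects, CreateToken and DebugPrograms descriptions deserves the same treatment.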
@@ -286,8 +267,8 @@ This user right allows a process to impersonate any user without authentication.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -295,26 +276,19 @@ This user right allows a process to impersonate any user without authentication.
-
-
-This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.
+
+
+This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/BackupFilesAndDirectories**
-
+
Home
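Review bot: The UserRights/AllowLocalLogOn description is removed and re-added with no visible text change, so this looks like a whitespace-only edit. Since the line is being touched anyway, turn the bare URL into a markdown link and drop the stray space before the closing parenthesis in "(https://go.microsoft.com/fwlink/?LinkId=24268 )". The inline "Note:" would also read better as a `> [!NOTE]` block.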
@@ -336,8 +310,8 @@ This user right determines which users can log on to the computer. Note: Modifyi
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -345,26 +319,19 @@ This user right determines which users can log on to the computer. Note: Modifyi
-
-
+
+
This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/ChangeSystemTime**
-
+
Home
@@ -386,8 +353,8 @@ This user right determines which users can bypass file, directory, registry, and
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -395,26 +362,19 @@ This user right determines which users can bypass file, directory, registry, and
-
-
+
+
This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/CreateGlobalObjects**
-
+
Home
@@ -436,8 +396,8 @@ This user right determines which users and groups can change the time and date o
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -445,26 +405,19 @@ This user right determines which users and groups can change the time and date o
-
-
+
+
This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/CreatePageFile**
-
+
Home
@@ -486,8 +439,8 @@ This security setting determines whether users can create global objects that ar
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -495,26 +448,19 @@ This security setting determines whether users can create global objects that ar
-
-
+
+
This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/CreatePermanentSharedObjects**
-
+
Home
@@ -536,8 +482,8 @@ This user right determines which users and groups can call an internal applicati
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -545,26 +491,19 @@ This user right determines which users and groups can call an internal applicati
-
-
+
+
This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/CreateSymbolicLinks**
-
+
Home
@@ -586,8 +525,8 @@ This user right determines which accounts can be used by processes to create a d
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -595,26 +534,19 @@ This user right determines which accounts can be used by processes to create a d
-
-
+
+
This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/CreateToken**
-
+
Home
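Review bot: The UserRights/CreateSymbolicLinks description has two wording problems in its unchanged text: "can be used in conjunction a symlink filesystem setting" is missing "with", and "the computer he is logged on to" should be neutral, for example "the computer they are logged on to". The "Caution:" and "Note:" sentences are also run inline and would be easier to spot as callout blocks.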
@@ -636,8 +568,8 @@ This user right determines if the user can create a symbolic link from the compu
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -645,26 +577,19 @@ This user right determines if the user can create a symbolic link from the compu
-
-
+
+
This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/DebugPrograms**
-
+
Home
@@ -686,8 +611,8 @@ This user right determines which accounts can be used by processes to create a t
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -695,26 +620,19 @@ This user right determines which accounts can be used by processes to create a t
-
-
+
+
This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/DenyAccessFromNetwork**
-
+
Home
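Review bot: In the DebugPrograms description in this hunk, "Caution:Assigning this user right can be a security risk" is missing the space after the colon. The CreateToken description in the preceding hunk uses "Caution: Assigning", so this is worth normalising while the block is being touched.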
@@ -736,8 +654,8 @@ This user right determines which users can attach a debugger to any process or t
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -745,26 +663,19 @@ This user right determines which users can attach a debugger to any process or t
-
-
+
+
This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/DenyLocalLogOn**
-
+
Home
@@ -786,8 +697,8 @@ This user right determines which users are prevented from accessing a computer o
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -795,26 +706,19 @@ This user right determines which users are prevented from accessing a computer o
-
-
+
+
This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/DenyRemoteDesktopServicesLogOn**
-
+
Home
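Review bot: The description left unchanged at the top of this hunk sits under UserRights/DenyLocalLogOn but says "determines which service accounts are prevented from registering a process as a service", which describes denying logon as a service, not denying local logon. Please confirm which user right this entry maps to and replace the text with the matching description. As written, an admin could assign a deny-local-logon list believing it only affects service registration.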
@@ -836,8 +740,8 @@ This security setting determines which service accounts are prevented from regis
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -845,26 +749,19 @@ This security setting determines which service accounts are prevented from regis
-
-
+
+
This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/EnableDelegation**
-
+
Home
@@ -886,8 +783,8 @@ This user right determines which users and groups are prohibited from logging on
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -895,26 +792,19 @@ This user right determines which users and groups are prohibited from logging on
-
-
+
+
This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/GenerateSecurityAudits**
-
+
Home
@@ -936,8 +826,8 @@ This user right determines which users can set the Trusted for Delegation settin
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -945,26 +835,19 @@ This user right determines which users can set the Trusted for Delegation settin
-
-
+
+
This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/ImpersonateClient**
-
+
Home
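Review bot: The last sentence of the GenerateSecurityAudits description in this hunk, "Shut down system immediately if unable to log security audits security policy setting is enabled.", is a fragment: it names a policy setting without connecting it to the denial-of-service statement before it. Please restore the link (for example "... causing a denial of service if the Shut down system immediately if unable to log security audits security policy setting is enabled") and set the policy name off in bold or quotes so the sentence parses.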
@@ -986,8 +869,8 @@ This user right determines which accounts can be used by a process to add entrie
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -995,30 +878,23 @@ This user right determines which accounts can be used by a process to add entrie
-
-
+
+
Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
1) The access token that is being impersonated is for this user.
2) The user, in this logon session, created the access token by logging on to the network with explicit credentials.
3) The requested level is less than Impersonate, such as Anonymous or Identify.
Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/IncreaseSchedulingPriority**
-
+
Home
@@ -1040,8 +916,8 @@ Because of these factors, users do not usually need this user right. Warning: If
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1049,26 +925,19 @@ Because of these factors, users do not usually need this user right. Warning: If
-
-
+
+
This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/LoadUnloadDeviceDrivers**
-
+
Home
@@ -1090,8 +959,8 @@ This user right determines which accounts can use a process with Write Property
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1099,26 +968,19 @@ This user right determines which accounts can use a process with Write Property
-
-
+
+
This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/LockMemory**
-
+
Home
@@ -1140,8 +1002,8 @@ This user right determines which users can dynamically load and unload device dr
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1149,26 +1011,19 @@ This user right determines which users can dynamically load and unload device dr
-
-
+
+
This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/ManageAuditingAndSecurityLog**
-
+
Home
@@ -1190,8 +1045,8 @@ This user right determines which accounts can use a process to keep data in phys
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1199,26 +1054,19 @@ This user right determines which accounts can use a process to keep data in phys
-
-
+
+
This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/ManageVolume**
-
+
Home
@@ -1240,8 +1088,8 @@ This user right determines which users can specify object access auditing option
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1249,26 +1097,19 @@ This user right determines which users can specify object access auditing option
-
-
+
+
This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/ModifyFirmwareEnvironment**
-
+
Home
@@ -1290,8 +1131,8 @@ This user right determines which users and groups can run maintenance tasks on a
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1299,26 +1140,19 @@ This user right determines which users and groups can run maintenance tasks on a
-
-
+
+
This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/ModifyObjectLabel**
-
+
Home
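Review bot: The ModifyFirmwareEnvironment description in this hunk has two run-together sentences, "depends on the processor.On x86-based computers" and "install or upgrade Windows.Note: This security setting", each missing the space after the period. The paragraph also packs the x86, Itanium and all-computers cases into one block. Consider splitting it into one line per platform and moving the "Note:" into its own callout.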
@@ -1340,8 +1174,8 @@ This user right determines who can modify firmware environment values. Firmware
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1349,26 +1183,19 @@ This user right determines who can modify firmware environment values. Firmware
-
-
+
+
This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/ProfileSingleProcess**
-
+
Home
@@ -1390,8 +1217,8 @@ This user right determines which user accounts can modify the integrity label of
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1399,26 +1226,19 @@ This user right determines which user accounts can modify the integrity label of
-
-
+
+
This user right determines which users can use performance monitoring tools to monitor the performance of system processes.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/RemoteShutdown**
-
+
Home
@@ -1440,8 +1260,8 @@ This user right determines which users can use performance monitoring tools to m
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1449,26 +1269,19 @@ This user right determines which users can use performance monitoring tools to m
-
-
+
+
This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/RestoreFilesAndDirectories**
-
+
Home
@@ -1490,8 +1303,8 @@ This user right determines which users are allowed to shut down a computer from
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1499,26 +1312,19 @@ This user right determines which users are allowed to shut down a computer from
-
-
+
+
This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**UserRights/TakeOwnership**
-
+
Home
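Review bot: In the RestoreFilesAndDirectories description, "on all files and folders on the system:Traverse Folder/Execute File, Write" is missing the space after the colon, which makes the two equivalent permissions easy to miss. Suggest breaking them out as a short list, since this sentence is the part of the entry that tells a reader how broad the right is.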
@@ -1540,8 +1346,8 @@ This user right determines which users can bypass file, directory, registry, and
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1549,21 +1355,12 @@ This user right determines which users can bypass file, directory, registry, and
-
-
+
+
This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.
-
-
-
-
-
-
-
-
-
-
-
+
+
Footnote:
@@ -1572,5 +1369,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
index eb5a2581ab..8fa7a54082 100644
--- a/windows/client-management/mdm/policy-csp-wifi.md
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - Wifi
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Wifi policies
@@ -42,20 +42,24 @@ ms.date: 12/14/2017
+
-
+
+
**WiFi/AllowWiFiHotSpotReporting**
-
-
This policy has been deprecated.
+
+This policy has been deprecated.
+
+
+
-
-
Allow or disallow the device to automatically connect to Wi-Fi hotspots.
+
+
+Allow or disallow the device to automatically connect to Wi-Fi hotspots.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
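Review bot: The heading in this hunk is written "WiFi/AllowWiFiHotSpotReporting", while the other headings in this file use "Wifi/" (for example "Wifi/AllowInternetSharing") and the page title is "Policy CSP - Wifi". Because the area name is part of the policy path that admins copy into MDM profiles, please confirm the casing is intentional and either make the headings consistent or add a line saying the two spellings differ on purpose.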
@@ -100,12 +104,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Wifi/AllowInternetSharing**
-
+
Home
@@ -127,8 +133,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -136,13 +142,13 @@ The following list shows the supported values:
-
-
-
Allow or disallow internet sharing.
+
+
+Allow or disallow internet sharing.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -150,12 +156,14 @@ The following list shows the supported values:
- 1 (default) – Allow the use of Internet Sharing.
-
+
+
-
+
+
**Wifi/AllowManualWiFiConfiguration**
-
+
Home
@@ -177,8 +185,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -186,16 +194,16 @@ The following list shows the supported values:
-
-
-
Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.
+
+
+Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.
-
Most restricted value is 0.
+Most restricted value is 0.
> [!NOTE]
> Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted.
-
+
The following list shows the supported values:
@@ -203,12 +211,14 @@ The following list shows the supported values:
- 1 (default) – Adding new network SSIDs beyond the already MDM provisioned ones is allowed.
-
+
+
-
+
+
**Wifi/AllowWiFi**
-
+
Home
@@ -230,8 +240,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -239,13 +249,13 @@ The following list shows the supported values:
-
-
-
Allow or disallow WiFi connection.
+
+
+Allow or disallow WiFi connection.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -253,12 +263,14 @@ The following list shows the supported values:
- 1 (default) – WiFi connection is allowed.
-
+
+
-
+
+
**Wifi/AllowWiFiDirect**
-
+
Home
@@ -280,8 +292,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -289,11 +301,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allow WiFi Direct connection..
+
+
+Added in Windows 10, version 1703. Allow WiFi Direct connection..
-
+
The following list shows the supported values:
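Review bot: The added line "+Added in Windows 10, version 1703. Allow WiFi Direct connection.." carries the doubled period over from the removed line. Please drop the extra period. The other Wifi policies in this file state "Most restricted value is 0."; this one has no such line, so consider adding the equivalent statement here if it applies.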
@@ -301,12 +313,14 @@ The following list shows the supported values:
- 1 - WiFi Direct connection is allowed.
-
+
+
-
+
+
**Wifi/WLANScanMode**
-
+
Home
@@ -328,8 +342,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -337,18 +351,18 @@ The following list shows the supported values:
-
-
-
Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected.
+
+
+Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected.
-
Supported values are 0-500, where 100 = normal scan frequency and 500 = low scan frequency.
+Supported values are 0-500, where 100 = normal scan frequency and 500 = low scan frequency.
-
The default value is 0.
+The default value is 0.
-
Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
-
-
+
+
Footnote:
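Review bot: The WLANScanMode text added in this hunk says "Supported values are 0-500, where 100 = normal scan frequency and 500 = low scan frequency" and then "The default value is 0", but it never says what 0 means. Since 0 is both the bottom of the range and the default, please document its behaviour explicitly so an admin knows what a device does when the policy is left unset.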
@@ -357,7 +371,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Wifi policies that can be set using Exchange Active Sync (EAS)
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index 9f6fc9eb28..65c25b116e 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/29/2017
+ms.date: 01/30/2018
---
# Policy CSP - WindowsDefenderSecurityCenter
@@ -17,7 +17,7 @@ ms.date: 12/29/2017
-
+
## WindowsDefenderSecurityCenter policies
Added in Windows 10, version 1709. The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display the contact options.
+
+
+Added in Windows 10, version 1709. The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display the contact options.
-
Value type is string. Supported operations are Add, Get, Replace and Delete.
+Value type is string. Supported operations are Add, Get, Replace and Delete.
+
+
+
-
-
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -158,31 +162,26 @@ ms.date: 12/29/2017
-
-
+
+
Added in Windows 10, next major release. Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+
Valid values:
- 0 - (Disable) The users can see the display of the Account protection area in Windows Defender Security Center.
- 1 - (Enable) The users cannot see the display of the Account protection area in Windows Defender Security Center.
-
-
-
-
+
-
-
-
-
-
-
+
+
**WindowsDefenderSecurityCenter/DisableAppBrowserUI**
-
+
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+
+Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
-
Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values:
+Value type is integer. Supported operations are Add, Get, Replace and Delete.
+
+
+
+The following list shows the supported values:
- 0 - (Disable) The users can see the display of the app and browser protection area in Windows Defender Security Center.
- 1 - (Enable) The users cannot see the display of the app and browser protection area in Windows Defender Security Center.
-
-
+
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
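Review bot: The Account protection description in this hunk reads "Use this policy setting to specify if to display the Account protection area", which is ungrammatical, and it spells the product "Windows defender Security Center" with a lowercase "d" in the second sentence. It also keeps "Valid values:" and omits the value type and supported operations, while the DisableAppBrowserUI lines added just below switch to "Value type is integer. Supported operations are ..." followed by "The following list shows the supported values:". Please bring this entry in line with that pattern, and replace "next major release" with the version number once it is known.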
@@ -259,31 +264,26 @@ Valid values:
-
-
+
+
Added in Windows 10, next major release. Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+
Valid values:
- 0 - (Disable) The users can see the display of the Device security area in Windows Defender Security Center.
- 1 - (Enable) The users cannot see the display of the Device secuirty area in Windows Defender Security Center.
-
-
-
-
+
-
-
-
-
-
-
+
+
**WindowsDefenderSecurityCenter/DisableEnhancedNotifications**
-
+
Added in Windows 10, version 1709. Use this policy if you want Windows Defender Security Center to only display notifications which are considered critical. If you disable or do not configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users.
+
+
+Added in Windows 10, version 1709. Use this policy if you want Windows Defender Security Center to only display notifications which are considered critical. If you disable or do not configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users.
> [!Note]
> If Suppress notification is enabled then users will not see critical or non-critical messages.
-
Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values:
+Value type is integer. Supported operations are Add, Get, Replace and Delete.
+
+
+
+The following list shows the supported values:
- 0 - (Disable) Windows Defender Security Center will display critical and non-critical notifications to users..
- 1 - (Enable) Windows Defender Security Center only display notifications which are considered critical on clients.
-
-
+
+
+
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+
+Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
-
Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values:
+Value type is integer. Supported operations are Add, Get, Replace and Delete.
+
+
+
+The following list shows the supported values:
- 0 - (Disable) The users can see the display of the family options area in Windows Defender Security Center.
- 1 - (Enable) The users cannot see the display of the family options area in Windows Defender Security Center.
-
-
+
+
+
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+
+Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
-
Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values:
+Value type is integer. Supported operations are Add, Get, Replace and Delete.
+
+
+
+The following list shows the supported values:
- 0 - (Disable) The users can see the display of the device performance and health area in Windows Defender Security Center.
- 1 - (Enable) The users cannot see the display of the device performance and health area in Windows Defender Security Center.
-
-
+
+
+
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+
+Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
-
Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values:
+Value type is integer. Supported operations are Add, Get, Replace and Delete.
+
+
+
+The following list shows the supported values:
- 0 - (Disable) The users can see the display of the firewall and network protection area in Windows Defender Security Center.
- 1 - (Enable) The users cannot see the display of the firewall and network protection area in Windows Defender Security Center.
-
-
+
+
+
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or do not configure this setting, Windows Defender Security Center notifications will display on devices.
+
+
+Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or do not configure this setting, Windows Defender Security Center notifications will display on devices.
-
Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values:
+Value type is integer. Supported operations are Add, Get, Replace and Delete.
+
+
+
+The following list shows the supported values:
- 0 - (Disable) The users can see the display of Windows Defender Security Center notifications.
- 1 - (Enable) The users cannot see the display of Windows Defender Security Center notifications.
-
-
+
+
+
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+
+Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
-
Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values:
+Value type is integer. Supported operations are Add, Get, Replace and Delete.
+
+
+
+The following list shows the supported values:
- 0 - (Disable) The users can see the display of the virus and threat protection area in Windows Defender Security Center.
- 1 - (Enable) The users cannot see the display of the virus and threat protection area in Windows Defender Security Center.
-
-
+
+
+
Added in Windows 10, version 1709. Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or do not configure this setting, local users can make changes in the exploit protection settings area.
+
+
+Added in Windows 10, version 1709. Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or do not configure this setting, local users can make changes in the exploit protection settings area.
-
Value type is integer. Supported operations are Add, Get, Replace and Delete.Valid values:
+Value type is integer. Supported operations are Add, Get, Replace and Delete.
+
+
+
+The following list shows the supported values:
- 0 - (Disable) Local users are allowed to make changes in the exploit protection settings area.
- 1 - (Enable) Local users cannot make changes in the exploit protection settings area.
-
-
+
+
+
Added in Windows 10, version 1709. The email address that is displayed to users. The default mail application is used to initiate email actions. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options.
+
+
+Added in Windows 10, version 1709. The email address that is displayed to users. The default mail application is used to initiate email actions. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options.
-
Value type is string. Supported operations are Add, Get, Replace and Delete.
+Value type is string. Supported operations are Add, Get, Replace and Delete.
+
+
+
-
-
Added in Windows 10, version 1709. Enable this policy to display your company name and contact options in the notifications. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text.
+
+
+Added in Windows 10, version 1709. Enable this policy to display your company name and contact options in the notifications. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text.
-
Value type is integer. Supported operations are Add, Get, Replace, and Delete. Valid values:
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+The following list shows the supported values:
- 0 - (Disable) Notifications contain a default notification text.
- 1 - (Enable) Notifications contain the company name and contact options.
-
-
+
+
+
Added in Windows 10, version 1709. Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will not display the contact card fly out notification.
+
+
+Added in Windows 10, version 1709. Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will not display the contact card fly out notification.
-
Value type is integer. Supported operations are Add, Get, Replace, and Delete. Valid values:
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+The following list shows the supported values:
- 0 - (Disable) Do not display the company name and contact options in the card fly out notification.
- 1 - (Enable) Display the company name and contact options in the card fly out notification.
-
-
+
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -774,30 +830,26 @@ Valid values:
-
-
+
+
Added in Windows 10, next major update. Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center.
+
+
Valid values:
- 0 - (Disable or not configured) The Ransomware data recovery area will be visible.
-- 1 - (Enable) The Ransomware data recovery area is hidden.
-
-
+- 1 - (Enable) The Ransomware data recovery area is hidden.
-
+
-
-
-
-
-
-
+
+
**WindowsDefenderSecurityCenter/HideSecureBoot**
-
+
Home
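Review bot: The HideRansomwareDataRecovery description in this hunk keeps the bare "Valid values:" lead-in and never states a value type or the supported operations, while the earlier WindowsDefenderSecurityCenter entries in this same change now use "Value type is ... Supported operations are ..." followed by "The following list shows the supported values:". Suggest giving this entry the same two lines so the page reads consistently; the HideSecureBoot and HideTPMTroubleshooting hunks that follow have the same gap. "Added in Windows 10, next major update" also needs a version number before release.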
@@ -819,8 +871,8 @@ Valid values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -828,30 +880,26 @@ Valid values:
-
-
+
+
Added in Windows 10, next major update. Use this policy to hide the Secure boot area in the Windows Defender Security Center.
+
+
Valid values:
- 0 - (Disable or not configured) The Secure boot area is displayed.
- 1 - (Enable) The Secure boot area is hidden.
-
-
-
+
-
-
-
-
-
-
+
+
**WindowsDefenderSecurityCenter/HideTPMTroubleshooting**
-
+
Home
@@ -873,8 +921,8 @@ Valid values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -882,30 +930,26 @@ Valid values:
-
-
+
+
Added in Windows 10, next major update. Use this policy to hide the Security processor (TPM) troubleshooting area in the Windows Defender Security Center.
+
+
Valid values:
- 0 - (Disable or not configured) The Security processor (TPM) troubleshooting area is displayed.
- 1 - (Enable) The Security processor (TPM) troubleshooting area is hidden.
-
-
-
+
-
-
-
-
-
-
+
+
**WindowsDefenderSecurityCenter/Phone**
-
+
Added in Windows 10, version 1709. The phone number or Skype ID that is displayed to users. Skype is used to initiate the call. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options.
+
+
+Added in Windows 10, version 1709. The phone number or Skype ID that is displayed to users. Skype is used to initiate the call. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options.
-
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+
-
-
Added in Windows 10, version 1709. The help portal URL this is displayed to users. The default browser is used to initiate this action. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device will not display contact options.
+
+
+Added in Windows 10, version 1709. The help portal URL this is displayed to users. The default browser is used to initiate this action. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device will not display contact options.
-
Value type is Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Value type is Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Footnote:
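Review bot: Two typos are carried from the removed lines straight into the added lines near the end of this hunk: the help portal URL description reads "The help portal URL this is displayed to users" (should be "that is displayed"), and the value-type line reads "Value type is Value type is string". Both lines are being re-added anyway, so fix them in this change.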
@@ -995,5 +1041,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index eea3c2b2c4..0b0a6104d4 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - WindowsInkWorkspace
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## WindowsInkWorkspace policies
Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace.
+
+
+Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace.
-
+
The following list shows the supported values:
@@ -74,12 +76,14 @@ The following list shows the supported values:
- 1 (default) -allow app suggestions.
-
+
+
@@ -101,8 +105,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -110,18 +114,20 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace.
+
+
+Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace.
-
Value type is int. The following list shows the supported values:
+
+
+Value type is int. The following list shows the supported values:
- 0 - access to ink workspace is disabled. The feature is turned off.
- 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.
- 2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen.
-
-
+
+
Footnote:
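Review bot: The re-added line "Value type is int." in this hunk uses "int" where the other policy pages touched by this change say "Value type is integer". Suggest "integer" here for consistency.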
@@ -130,5 +136,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index 2a237c5b45..513b783cee 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - WindowsLogon
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## WindowsLogon policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -65,15 +67,15 @@ ms.date: 12/14/2017
-
-
+
+
This policy setting allows you to prevent app notifications from appearing on the lock screen.
If you enable this policy setting, no app notifications are displayed on the lock screen.
If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -81,20 +83,22 @@ If you disable or do not configure this policy setting, users can choose which a
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off app notifications on the lock screen*
- GP name: *DisableLockScreenAppNotifications*
- GP path: *System/Logon*
- GP ADMX file name: *logon.admx*
-
-
+
+
+
-
+
+
**WindowsLogon/DontDisplayNetworkSelectionUI**
-
+
Home
@@ -116,8 +120,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -125,15 +129,15 @@ ADMX Info:
-
-
+
+
This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.
If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows.
If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -141,20 +145,22 @@ If you disable or don't configure this policy setting, any user can disconnect t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not display network selection UI*
- GP name: *DontDisplayNetworkSelectionUI*
- GP path: *System/Logon*
- GP ADMX file name: *logon.admx*
-
-
+
+
+
-
+
+
**WindowsLogon/HideFastUserSwitching**
-
+
Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations.
+
+
+Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations.
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Verify that the Switch account button in Start is hidden.
-
-
+
The following list shows the supported values:
@@ -202,7 +203,14 @@ The following list shows the supported values:
- 1 - Enabled (hidden).
-
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Verify that the Switch account button in Start is hidden.
+
+
+
Footnote:
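Review bot: The relocated validation steps in this hunk only check Start ("Verify that the Switch account button in Start is hidden"), but the description added earlier in this file says the button is hidden on the sign-in screen, Start, and the Task Manager. Suggest extending step 2 to cover all three locations so the validation matches what the policy claims to do.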
@@ -211,5 +219,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index a6b8d30818..5830a05aa4 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - WirelessDisplay
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## WirelessDisplay policies
Added in Windows 10, version 1709. This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS advertisement.
+
+
+Added in Windows 10, version 1709. This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS advertisement.
-
+
The following list shows the supported values:
@@ -92,12 +94,14 @@ The following list shows the supported values:
- 1 - Allow
-
+
+
-
+
+
**WirelessDisplay/AllowMdnsDiscovery**
-
+
Home
@@ -119,8 +123,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -128,11 +132,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1709. This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS discovery.
+
+
+Added in Windows 10, version 1709. This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS discovery.
-
+
The following list shows the supported values:
@@ -140,12 +144,14 @@ The following list shows the supported values:
- 1 - Allow
-
+
+
@@ -167,8 +173,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -176,11 +182,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC.
+
+
+Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC.
-
+
The following list shows the supported values:
@@ -188,12 +194,14 @@ The following list shows the supported values:
- 1 - your PC can discover and project to other devices
-
+
+
@@ -215,8 +223,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -224,11 +232,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure.
+
+
+Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure.
-
+
The following list shows the supported values:
@@ -236,12 +244,14 @@ The following list shows the supported values:
- 1 - your PC can discover and project to other devices over infrastructure.
-
+
+
-
+
+
**WirelessDisplay/AllowProjectionToPC**
-
+
Home
@@ -263,8 +273,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -272,15 +282,15 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC.
+
+
+Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC.
-
If you set it to 0 (zero), your PC is not discoverable and you cannot project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**.
+If you set it to 0 (zero), your PC is not discoverable and you cannot project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**.
-
Value type is integer.
+Value type is integer.
-
+
The following list shows the supported values:
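Review bot: The first added line of this hunk, "Allow or disallow turning off the projection to a PC", reads as a double negative and does not match the values described in the next added paragraph, where 0 makes the PC non-discoverable and 1 makes it discoverable. Suggest "Allow or disallow projection to a PC" so the summary agrees with the value list.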
@@ -288,12 +298,14 @@ The following list shows the supported values:
- 1 (default) - projection to PC is allowed. Enabled only above the lock screen.
-
+
+
@@ -315,8 +327,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -324,11 +336,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure.
+
+
+Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure.
-
+
The following list shows the supported values:
@@ -336,12 +348,14 @@ The following list shows the supported values:
- 1 - your PC is discoverable and other devices can project to it over infrastructure.
-
+
+
-
+
+
**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver**
-
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -349,11 +363,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Setting this policy controls whether or not the wireless display can send input—keyboard, mouse, pen, and touch input if the display supports it—back to the source device.
+
+
+Added in Windows 10, version 1703. Setting this policy controls whether or not the wireless display can send input—keyboard, mouse, pen, and touch input if the display supports it—back to the source device.
-
+
The following list shows the supported values:
@@ -361,12 +375,14 @@ The following list shows the supported values:
- 1 (default) - Wireless display input enabled.
-
+
+
@@ -388,8 +404,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -397,15 +413,15 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing.
+
+
+Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing.
-
If you turn this on, the pairing ceremony for new devices will always require a PIN. If you turn this off or do not configure it, a PIN is not required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**.
+If you turn this on, the pairing ceremony for new devices will always require a PIN. If you turn this off or do not configure it, a PIN is not required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**.
-
Value type is integer.
+Value type is integer.
-
+
The following list shows the supported values:
@@ -413,7 +429,7 @@ The following list shows the supported values:
- 1 - PIN is required.
-
+
Footnote:
@@ -422,5 +438,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 96c6d01d65..5f2c4def03 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -7,12 +7,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/13/2017
+ms.date: 01/29/2018
---
# RemoteWipe CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely wipe a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely wiped after being lost or stolen.
The following diagram shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server.
@@ -45,14 +48,27 @@ Supported operation is Exec.
**doWipePersistUserData**
Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
-## The Remote Wipe Process
+**AutomaticRedeployment**
+Added in Windows 10, next major update. Node for the Automatic Redeployment operation.
+**AutomaticRedeployment/doAutomaticRedeployment**
+Added in Windows 10, next major update. Exec on this node triggers Automatic Redeployment operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard.
-The remote wipe command is sent as an XML provisioning file to the device. Since the RemoteWipe Configuration Service Provider uses OMA DM and WAP, authentication between client and server and delivery of the XML provisioning file is handled by provisioning.
+**AutomaticRedeployment/LastError**
+Added in Windows 10, next major update. Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT).
-In Windows 10 Mobile, the remote wipe command is implemented on the device by using the **ResetPhone** function. On the desktop, the remote wipe triggers the **Reset this PC** functionality with the **Remove everything** option.
+**AutomaticRedeployment/Status**
+Added in Windows 10, next major update. Status value indicating current state of an Automatic Redeployment operation.
-> **Note** On the desktop, the remote wipe effectively performs a factory reset and the PC does not retain any information about the command once the wipe completes. Any response from the device about the actual status or result of the command may be inconsistent and unreliable because the MDM information has been removed.
+Supported values:
+
+- 0: Never run (not started). The default state.
+- 1: Complete.
+- 10: Reset has been scheduled.
+- 20: Reset is scheduled and waiting for a reboot.
+- 30: Failed during CSP Execute ("Exec" in SyncML).
+- 40: Failed: power requirements not met.
+- 50: Failed: reset internals failed during reset attempt.
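Review bot: The removed "The Remote Wipe Process" section carried the note that a desktop wipe is effectively a factory reset and that any status the device reports afterwards "may be inconsistent and unreliable because the MDM information has been removed"; nothing in the added lines replaces it, so administrators lose that caveat for the existing wipe nodes. Keep the note, or move it under the nodes it applies to. For the new AutomaticRedeployment nodes, state the supported operation for each one the way the existing entries do ("Supported operation is Exec"), and replace "next major update" with the version number before release.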
diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md
index c85f6ef82b..7d411543b5 100644
--- a/windows/client-management/mdm/remotewipe-ddf-file.md
+++ b/windows/client-management/mdm/remotewipe-ddf-file.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/05/2017
+ms.date: 01/29/2018
---
# RemoteWipe DDF file
@@ -17,7 +17,7 @@ This topic shows the OMA DM device description framework (DDF) for the **RemoteW
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is the DDF for Windows 10, version 1709.
+The XML below is the DDF for Windows 10, next major update.
``` syntax
@@ -43,7 +43,7 @@ The XML below is the DDF for Windows 10, version 1709.
-
+ com.microsoft/1.1/MDM/RemoteWipeThe root node for remote wipe function.
@@ -131,8 +131,94 @@ The XML below is the DDF for Windows 10, version 1709.
Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
+
+ AutomaticRedeployment
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ doAutomaticRedeployment
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LastError
+
+
+
+
+ 0
+ Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Status
+
+
+
+
+ 0
+ Status value indicating current state of an Automatic Redeployment operation. 0: Never run (not started). The default state. 1: Complete. 10: Reset has been scheduled. 20: Reset is scheduled and waiting for a reboot. 30: Failed during CSP Execute ("Exec" in SyncML). 40: Failed: power requirements not met. 50: Failed: reset internals failed during reset attempt.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
```
## Related topics
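Review bot: The Status description added near the end of this hunk repeats the full list of status codes (0, 1, 10, 20, 30, 40, 50) that remotewipe-csp.md lists in the same change, so the two copies have to be kept in sync by hand; a pointer from one to the other would reduce the risk of drift. The intro line changed earlier in this file now says the DDF is for "Windows 10, next major update", which should become a version number before release.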
diff --git a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
index bb8e58dd2c..465bbd98f8 100644
--- a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
+++ b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
@@ -1,6 +1,6 @@
---
-title: REST API reference for Micosoft Store for Business
-description: REST API reference for Micosoft Store for Business
+title: REST API reference for Microsoft Store for Business
+description: REST API reference for Microsoft Store for Business
MS-HAID:
- 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference'
- 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business'
@@ -13,7 +13,7 @@ author: nickbrower
ms.date: 09/18/2017
---
-# REST API reference for Micosoft Store for Business
+# REST API reference for Microsoft Store for Business
Here's the list of available operations:
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
index a86a8fef94..5fa0f29fa7 100644
--- a/windows/client-management/mdm/tpmpolicy-csp.md
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -12,7 +12,7 @@ ms.date: 11/01/2017
# TPMPolicy CSP
-The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (telemetry or otherwise, such as downloading background images, Windows Updates, etc.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
+The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, etc.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
The TPMPolicy CSP was added in Windows 10, version 1703.
@@ -30,7 +30,7 @@ The following diagram shows the TPMPolicy configuration service provider in tree
There should be no traffic when machine is on idle. When the user is not interacting with the system/device, no traffic is expected.
There should be no traffic during installation of Windows and first logon when local ID is used.
Launching and using a local app (Notepad, Paint, etc.) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, etc.) should not send any traffic.
-
Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic, telemetry, etc.) to Microsoft.
+
Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic data, etc.) to Microsoft.
Here is an example:
diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md
index 929b649c67..f88849e2b1 100644
--- a/windows/client-management/mdm/understanding-admx-backed-policies.md
+++ b/windows/client-management/mdm/understanding-admx-backed-policies.md
@@ -131,6 +131,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b
./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2
+
]]>
+
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index 5999ebee5e..4e19920eef 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -77,7 +77,7 @@ The following list describes the characteristics and parameters.
Supported operations are Get and Replace.
**Configuration/TelemetryReportingFrequency**
-
Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection telemetry reporting frequency.
+
Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency.
The following list shows the supported values:
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
index a47fcba793..d475e14ee4 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
@@ -227,7 +227,7 @@ The XML below is the current version for this CSP.
1
- Return or set Windows Defender Advanced Threat Protection telemetry reporting frequency. Allowed values are: 1 - Normal, 2 - Expedite
+ Return or set Windows Defender Advanced Threat Protection diagnostic data reporting frequency. Allowed values are: 1 - Normal, 2 - Expedite
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 47b499d041..6b6afaec07 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -83,6 +83,9 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se
**InstallWindowsDefenderApplicationGuard**
Initiates remote installation of Application Guard feature. Supported operations are Get and Execute.
+- Install - Will initiate feature install
+- Uninstall - Will initiate feature uninstall
+
**Audit**
Interior node. Supported operation is Get
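Review bot: The two added bullets under InstallWindowsDefenderApplicationGuard list Install and Uninstall without saying what they are. Add a lead-in such as "The Execute operation accepts the following values:" so it is clear that these are the data values passed with Execute. It would also help to say what Get returns for this node. "Will initiate feature install" reads better as "Initiates the feature install", which matches the sentence above it.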
diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md
index a9a6a0cd75..1743b24de5 100644
--- a/windows/client-management/new-policies-for-windows-10.md
+++ b/windows/client-management/new-policies-for-windows-10.md
@@ -260,7 +260,6 @@ No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=
[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=new-policies-for-windows-10.md).
diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md
index f0535dc3e4..a330013d0d 100644
--- a/windows/client-management/windows-10-mobile-and-mdm.md
+++ b/windows/client-management/windows-10-mobile-and-mdm.md
@@ -2,7 +2,7 @@
title: Windows 10 Mobile deployment and management guide (Windows 10)
description: This guide helps IT professionals plan for and deploy Windows 10 Mobile devices.
ms.assetid: 6CAA1004-CB65-4FEC-9B84-61AAD2125E5E
-keywords: Mobile, telemetry, BYOD, MDM
+keywords: Mobile, diagnostic data, BYOD, MDM
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -14,7 +14,8 @@ ms.date: 09/21/2017
# Windows 10 Mobile deployment and management guide
-*Applies to: Windows 10 Mobile, version 1511 and Windows 10 Mobile, version 1607*
+**Applies to:**
+- Windows 10 Mobile, version 1511 and Windows 10 Mobile, version 1607
This guide helps IT professionals plan for and deploy Windows 10 Mobile devices.
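Review bot: The new "Applies to:" list has a single bullet that still joins both releases with "and" ("Windows 10 Mobile, version 1511 and Windows 10 Mobile, version 1607"). If the point of the change is the list form, give each version its own bullet. Also leave a blank line between the list and the "This guide helps IT professionals" paragraph so the paragraph is not rendered as a continuation of the bullet.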
@@ -189,7 +190,7 @@ Multiple MDM systems support Windows 10 and most support personal and corporate
In addition, Microsoft recently added MDM capabilities powered by Intune to Office 365. MDM for Office 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android. MDM for Office 365 offers a subset of the management capabilities found in Intune, including the ability to remotely wipe a device, block a device from accessing Exchange Server email, and configure device policies (e.g., passcode requirements). For more information about MDM for Office 365 capabilities, see [Overview of Mobile Device Management for Office 365](http://technet.microsoft.com/en-us/library/ms.o365.cc.devicepolicy.aspx).
**Cloud services**
-On mobile devices that run Windows 10 Mobile, users can easily connect to cloud services that provide user notifications and collect telemetry (usage data). Windows 10 Mobile enables organizations to manage how devices consume these cloud services.
+On mobile devices that run Windows 10 Mobile, users can easily connect to cloud services that provide user notifications and collect diagnostic and usage data. Windows 10 Mobile enables organizations to manage how devices consume these cloud services.
**Windows Push Notification Services**
The Windows Push Notification Services enable software developers to send toast, tile, badge, and raw updates from their cloud services. It provides a mechanism to deliver updates to users in a power-efficient and dependable way.
@@ -795,9 +796,9 @@ While Windows 10 Mobile provides updates directly to user devices from Windows U
Upgrading to Windows 10 Mobile Enterprise edition provides additional device and app management capabilities for organizations that want to:
- **Defer, approve and deploy feature and quality updates:** Windows 10 Mobile devices get updates directly from Windows Update. If you want to curate updates prior to deploying them, an upgrade to Windows 10 Mobile Enterprise edition is required. Once Enterprise edition is enabled, the phone can be set to the Current Branch for Business servicing option, giving IT additional time to test updates before they are released.
- **Deploy an unlimited number of self-signed LOB apps to a single device:** To use an MDM system to deploy LOB apps directly to devices, you must cryptographically sign the software packages with a code signing certificate that your organization’s certificate authority (CA) generates. You can deploy a maximum of 20 self-signed LOB apps to a Windows 10 Mobile device. To deploy more than 20 self-signed LOB apps, Windows 10 Mobile Enterprise is required.
-- **Set the telemetry level:** Microsoft collects telemetry data to help keep Windows devices secure and to help Microsoft improve the quality of Windows and Microsoft services. An upgrade to Windows 10 Mobile Enterprise edition is required to set the telemetry level so that only telemetry information required to keep devices secured is gathered.
+- **Set the diagnostic data level:** Microsoft collects diagnostic data to help keep Windows devices secure and to help Microsoft improve the quality of Windows and Microsoft services. An upgrade to Windows 10 Mobile Enterprise edition is required to set the diagnostic data level so that only diagnostic information required to keep devices secured is gathered.
-To learn more about telemetry, visit [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
+To learn more about diagnostic, see [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
To activate Windows 10 Mobile Enterprise, use your MDM system or a provisioning package to inject the Windows 10 Enterprise license on a Windows 10 Mobile device. Licenses can be obtained from the Volume Licensing portal. For testing purposes, you can obtain a licensing file from the MSDN download center. A valid MSDN subscription is required.
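Review bot: The added sentence "To learn more about diagnostic, see [Configure Windows diagnostic data in your organization]" has lost a word in the replacement; it should read "To learn more about diagnostic data, see ...". In the bullet above it, "only diagnostic information required to keep devices secured" also mixes "diagnostic information" with "diagnostic data" in the same sentence. Use one term.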
@@ -1007,17 +1008,17 @@ The following list shows examples of the Windows 10 Mobile software and hardware
- **Secure Boot state** Indicates whether Secure Boot is enabled
- **Enterprise encryption policy compliance** Indicates whether the device is encrypted
-### Manage telemetry
+### Manage diagnostic data
*Applies to: Corporate devices with Windows 10 Mobile Enterprise edition*
-Microsoft uses telemetry (diagnostics, performance, and usage data) from Windows devices to help inform decisions and focus efforts to provide the most robust and valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Telemetry helps keep Windows devices healthy, improve the operating system, and personalize features and services.
+Microsoft uses diagnostics, performance, and usage data from Windows devices to help inform decisions and focus efforts to provide the most robust and valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data helps keep Windows devices healthy, improve the operating system, and personalize features and services.
-You can control the level of data that telemetry systems collect. To configure devices, specify one of these levels in the Allow Telemetry setting with your MDM system.
+You can control the level of data that diagnostic data systems collect. To configure devices, specify one of these levels in the Allow Telemetry setting with your MDM system.
-For more information, see [Configure Windows telemetry in Your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
+For more information, see [Configure Windows diagnostic data in Your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
->**Note:** Telemetry can only be managed when the device is upgraded to Windows 10 Mobile Enterprise edition.
+>**Note:** Diagnostic data can only be managed when the device is upgraded to Windows 10 Mobile Enterprise edition.
### Remote assistance
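Review bot: In the added line "You can control the level of data that diagnostic data systems collect", the mechanical replacement leaves an awkward phrase. Suggest "You can control the level of diagnostic data that is collected". The same line still names the "Allow Telemetry" setting, which is fine if that is the setting's actual name, but it deserves a short remark now that the heading and surrounding text no longer use "telemetry". The added link text "Configure Windows diagnostic data in Your organization" capitalizes "Your", unlike the same link earlier in this file.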
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md
index 176d1ca1c4..2542a03b63 100644
--- a/windows/configuration/TOC.md
+++ b/windows/configuration/TOC.md
@@ -1,11 +1,13 @@
# [Configure Windows 10](index.md)
-## [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
+## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
+## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
## [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
-## [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](enhanced-telemetry-windows-analytics-events-and-fields.md)
+## [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
## [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
-## [Windows 10 diagnostic data for the Full telemetry level](windows-diagnostic-data-1703.md)
+## [Windows 10 diagnostic data for the Full diagnostic data level](windows-diagnostic-data-1703.md)
## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)
## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+## [Manage Windows 10 connection endpoints](manage-windows-endpoints-version-1709.md)
## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md)
### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
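Review bot: The renamed entry "Windows 10 diagnostic data for the Full diagnostic data level" now repeats "diagnostic data" in one title. Suggest "Windows 10 diagnostic data for the Full level". Two entries also change their link targets (configure-windows-diagnostic-data-in-your-organization.md and enhanced-diagnostic-data-windows-analytics-events-and-fields.md). Confirm that the file renames and redirects from the old telemetry file names are part of this change, since this hunk only shows the TOC side.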
diff --git a/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md
index cf42ebfdaf..d6c2534f87 100644
--- a/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -1,7 +1,7 @@
---
description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
title: Windows 10, version 1703 basic diagnostic events and fields (Windows 10)
-keywords: privacy, telemetry
+keywords: privacy, diagnostic data
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -24,7 +24,7 @@ The Basic level gathers a limited set of information that is critical for unders
Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. You can learn more about Windows functional and diagnostic data through these articles:
- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
-- [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
+- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
>[!Note]
>Updated November 2017 to document new and modified events. We’ve added some new events and also added new fields to existing events to prepare for upgrades to the next release of Windows.
@@ -88,12 +88,12 @@ The following fields are available:
- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server.
- **seqNum** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
- **iKey** Represents an ID for applications or other logical groupings of events.
-- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
+- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experiences and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
- **os** Represents the operating system name.
- **osVer** Represents the OS version, and its format is OS dependent.
- **appId** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
- **appVer** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
-- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries.
+- **cV** Represents the Correlation Vector: A single field for tracking partial order of related diagnostic data events across component boundaries.
### Common Data Extensions.OS
@@ -135,7 +135,7 @@ The following fields are available:
### Common Data Extensions.Consent UI Event
-This User Account Control (UAC) telemetry point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path.
+This User Account Control (UAC) diagnostic data point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path.
The following fields are available:
@@ -198,7 +198,7 @@ The following fields are available:
- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user.
- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed?
- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user.
-- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device?
+- **HKLM_AdvertisingID.Enabled** Is the adverising ID enabled for the device?
- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device.
- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user?
- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user.
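Review bot: The HKLM_AdvertisingID.Enabled line replaces one misspelling with another ("adveristing" becomes "adverising"); the word should be "advertising". The unchanged HKCU_AdvertisingID.Enabled line two lines below still reads "adveristing" and should be fixed in the same pass.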
@@ -332,7 +332,7 @@ The following fields are available:
- **HasCitData** Is the file present in CIT data?
- **HasUpgradeExe** Does the anti-virus app have an upgrade.exe file?
- **IsAv** Is the file an anti-virus reporting EXE?
-- **ResolveAttempted** This will always be an empty string when sending telemetry.
+- **ResolveAttempted** This will always be an empty string when sending diagnostic data.
- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file.
@@ -1032,7 +1032,7 @@ The following fields are available:
- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built.
- **AppraiserVersion** The version of the Appraiser file generating the events.
-- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
+- **Context** Indicates what mode Appraiser is running in. Example: Setup or Diagnostic Data.
- **Time** The client time of the event.
- **AppraiserProcess** The name of the process that launched Appraiser.
- **PCFP** An ID for the system calculated by hashing hardware identifiers.
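Review bot: The Context field's example changes from "Setup or Telemetry" to "Setup or Diagnostic Data", but this reads as a list of mode values that Appraiser reports, not descriptive prose. If the field actually carries the string "Telemetry", the terminology replacement makes the documentation disagree with the data; keep the literal value and, if needed, explain it in a following sentence.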
@@ -1354,35 +1354,35 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
-A summary event indicating the parameters and result of a telemetry run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date.
+A summary event indicating the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date.
The following fields are available:
- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
-- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability.
+- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability.
- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
- **Time** The client time of the event.
-- **RunDate** The date that the telemetry run was stated, expressed as a filetime.
+- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime.
- **AppraiserProcess** The name of the process that launched Appraiser.
- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
-- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run.
+- **SendingUtc** Indicates if the Appraiser client is sending events during the current diagnostic data run.
- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built.
-- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
-- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic.
+- **EnterpriseRun** Indicates if the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
- **AuxFinal** Obsolete, always set to false
- **StoreHandleIsNotNull** Obsolete, always set to false
- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
-- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run.
+- **AppraiserDataVersion** The version of the data files being used by the Appraiser diagnostic data run.
- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent.
- **PCFP** An ID for the system calculated by hashing hardware identifiers.
- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
-- **TelementrySent** Indicates if telemetry was successfully sent.
+- **TelementrySent** Indicates if diagnostic data was successfully sent.
- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated.
-- **RunResult** The hresult of the Appraiser telemetry run.
+- **RunResult** The hresult of the Appraiser diagnostic data run.
### Microsoft.Windows.Appraiser.General.WmdrmAdd
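Review bot: The rewritten RunDate line carries over an existing typo: "The date that the diagnostic data run was stated" should be "started". Since the hunk already touches most of this list, also fix "theefore" in the RunOnline line and "If this if false" in the RunAppraiser line. The ThrottlingUtc description still uses "CUET events" after the surrounding text dropped the telemetry wording, so spell the abbreviation out there.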
@@ -1502,14 +1502,14 @@ The following fields are available:
- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device.
- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program.
- **FlightingBranchName** The name of the Windows Insider branch currently used by the device.
-- **DeviceSampleRate** The telemetry sample rate assigned to the device.
+- **DeviceSampleRate** The diagnostic data sample rate assigned to the device.
- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device.
- **SSRK** Retrieves the mobile targeting settings.
### Census.Hardware
-This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up-to-date.
+This event sends data about the device, including hardware type, OEM brand, model line, model, diagnostic data level setting, and TPM support, to help keep Windows up-to-date.
The following fields are available:
@@ -1532,8 +1532,8 @@ The following fields are available:
- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device.
- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0.
- **StudyID** Used to identify retail and non-retail device.
-- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced.
-- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user.
+- **TelemetryLevel** The diagnostic data level the user has opted into, such as Basic or Enhanced.
+- **TelemetrySettingAuthority** Determines who set the diagnostic data level, such as GP, MDM, or the user.
- **DeviceForm** Indicates the form as per the device classification.
- **DigitizerSupport** Is a digitizer supported?
- **OEMModelBaseBoard** The baseboard model used by the OEM.
@@ -1545,7 +1545,7 @@ The following fields are available:
- **Gyroscope** Indicates whether the device has a gyroscope.
- **Magnetometer** Indicates whether the device has a magnetometer.
- **NFCProximity** Indicates whether the device supports NFC.
-- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions.
+- **TelemetryLevelLimitEnhanced** The diagnostic data level for Windows Analytics-based solutions.
### Census.Memory
@@ -1784,45 +1784,45 @@ This event provides information on about security settings used to help keep Win
### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
-This event sends data indicating that a device has undergone a change of telemetry opt-in level during the runtime of the device (not at UTC boot or offline), to help keep Windows up to date.
+This event sends data indicating that a device has undergone a change of diagnostic data opt-in level during the runtime of the device (not at UTC boot or offline), to help keep Windows up to date.
The following fields are available:
-- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups.
-- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism.
+- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups.
+- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism.
- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
-- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry).
+- **CanCollectOsTelemetry** True if UTC is allowed to collect diagnostic data from the OS provider groups.
- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
- **CanPerformScripting** True if UTC is allowed to perform scripting.
- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
-- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
-- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry opt-in level was last changed.
+- **TransitionFromEverythingOff** True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data.
+- **PreviousPermissions** Bitmask representing the previously configured permissions since the diagnostic data opt-in level was last changed.
### TelClientSynthetic.AuthorizationInfo_Startup
-This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date.
+This event sends data indicating that a device has undergone a change of diagnostic data opt-in level detected at UTC startup, to help keep Windows up to date.
The following fields are available:
-- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
-- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism.
+- **TransitionFromEverythingOff** True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data.
+- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism.
- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
-- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry).
+- **CanCollectOsTelemetry** True if UTC is allowed to collect diagnostic data from the OS provider groups.
- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
-- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups.
+- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups.
- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
- **CanPerformScripting** True if UTC is allowed to perform scripting.
-- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry client was last started.
+- **PreviousPermissions** Bitmask representing the previously configured permissions since the diagnostic data client was last started.
### TelClientSynthetic.ConnectivityHeartBeat_0
-This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
+This event sends data about the connectivity status of the Connected User Experiences and Telemetry component that uploads diagnostic data events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
The following fields are available:
@@ -1838,13 +1838,13 @@ The following fields are available:
### TelClientSynthetic.HeartBeat_5
-This event sends data about the health and quality of the telemetry data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
+This event sends data about the health and quality of the diagnostic data data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
The following fields are available:
- **PreviousHeartBeatTime** The time of last heartbeat event. This allows chaining of events.
-- **EtwDroppedCount** The number of events dropped by the ETW layer of the telemetry client.
-- **ConsumerDroppedCount** The number of events dropped by the consumer layer of the telemetry client.
+- **EtwDroppedCount** The number of events dropped by the ETW layer of the diagnostic data client.
+- **ConsumerDroppedCount** The number of events dropped by the consumer layer of the diagnostic data client.
- **DecodingDroppedCount** The number of events dropped because of decoding failures.
- **ThrottledDroppedCount** The number of events dropped due to throttling of noisy providers.
- **DbDroppedCount** The number of events that were dropped because the database was full.
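Review bot: The HeartBeat_5 description now reads "the health and quality of the diagnostic data data from the given device"; replacing "telemetry" in "telemetry data" doubled the word. It should be "the diagnostic data from the given device". It is worth searching the rest of the patch for "data data", since the same replacement pattern applies wherever the original said "telemetry data".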
@@ -1852,10 +1852,10 @@ The following fields are available:
- **EventSubStoreResetSizeSum** The total size of the event database across all resets reports in this instance.
- **CriticalOverflowEntersCounter** The number of times a critical overflow mode was entered into the event database.
- **EnteringCriticalOverflowDroppedCounter** The number of events that was dropped because a critical overflow mode was initiated.
-- **UploaderDroppedCount** The number of events dropped by the uploader layer of the telemetry client.
+- **UploaderDroppedCount** The number of events dropped by the uploader layer of the diagnostic data client.
- **InvalidHttpCodeCount** The number of invalid HTTP codes received from Vortex.
- **LastInvalidHttpCode** The last invalid HTTP code received from Vortex.
-- **MaxInUseScenarioCounter** The soft maximum number of scenarios loaded by the Connected User Experience and Telemetry component.
+- **MaxInUseScenarioCounter** The soft maximum number of scenarios loaded by the Connected User Experiences and Telemetry component.
- **LastEventSizeOffender** The name of the last event that exceeded the maximum event size.
- **SettingsHttpAttempts** The number of attempts to contact the OneSettings service.
- **SettingsHttpFailures** The number of failures from contacting the OneSettings service.
@@ -1957,7 +1957,7 @@ The following fields are available:
- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
-- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend.
+- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the diagnostic data backend.
- **TargetAppId** The kernel reported AppId of the application being reported.
- **TargetAppVer** The specific version of the application being reported
- **TargetAsId** The sequence number for the hanging process.
@@ -1982,7 +1982,7 @@ The following fields are available:
- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
-- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend.
+- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the diagnostic data backend.
- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
- **PackageFullName** Store application identity.
- **AppVersion** The version of the app that has hung.
diff --git a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
index ff3b7964cd..7db5063374 100644
--- a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
+++ b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
@@ -1,7 +1,7 @@
---
description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10)
-keywords: privacy, telemetry
+keywords: privacy, diagnostic data
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -32,7 +32,7 @@ You can learn more about Windows functional and diagnostic data through these ar
- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
-- [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
+- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
@@ -106,7 +106,7 @@ The following fields are available:
- **osVer** Represents the OS version, and its format is OS dependent.
- **appId** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
- **appVer** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
-- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries.
+- **cV** Represents the Correlation Vector: A single field for tracking partial order of related diagnostic data events across component boundaries.
### Common Data Extensions.OS
@@ -148,7 +148,7 @@ The following fields are available:
### Common Data Extensions.Consent UI Event
-This User Account Control (UAC) telemetry point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path.
+This User Account Control (UAC) diagnostic data point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path.
The following fields are available:
@@ -262,39 +262,39 @@ The following fields are available:
- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built.
- **AppraiserProcess** The name of the process that launched Appraiser.
- **AppraiserVersion** The version of the Appraiser file generating the events.
-- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
+- **Context** Indicates what mode Appraiser is running in. Example: Setup or Diagnostic Data.
- **PCFP** An ID for the system calculated by hashing hardware identifiers.
- **Time** The client time of the event.
### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
-A summary event indicating the parameters and result of a telemetry run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date.
+A summary event indicating the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date.
The following fields are available:
- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built.
-- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run.
+- **AppraiserDataVersion** The version of the data files being used by the Appraiser diagnostic data run.
- **AppraiserProcess** The name of the process that launched Appraiser.
- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
- **AuxFinal** Obsolete, always set to false
- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
-- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **EnterpriseRun** Indicates if the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent.
- **PCFP** An ID for the system calculated by hashing hardware identifiers.
- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
-- **RunDate** The date that the telemetry run was stated, expressed as a filetime.
-- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic.
+- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime.
+- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
-- **RunResult** The hresult of the Appraiser telemetry run.
-- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run.
+- **RunResult** The hresult of the Appraiser diagnostic data run.
+- **SendingUtc** Indicates if the Appraiser client is sending events during the current diagnostic data run.
- **StoreHandleIsNotNull** Obsolete, always set to false
-- **TelementrySent** Indicates if telemetry was successfully sent.
-- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability.
+- **TelementrySent** Indicates if diagnostic data was successfully sent.
+- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability.
- **Time** The client time of the event.
- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated.
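Review bot: The Context example changes from "Setup or Telemetry" to "Setup or Diagnostic Data", which looks like a value the field reports rather than descriptive prose. The event is still named TelemetryRunHealth and still has a TelementrySent field, so please confirm the mode name really changed before renaming it here; otherwise keep "Telemetry" in the example. While the RunDate line is being touched, "was stated" should probably be "was started".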
@@ -1461,7 +1461,7 @@ This event sends Windows Insider data from customers participating in improvemen
The following fields are available:
-- **DeviceSampleRate** The telemetry sample rate assigned to the device.
+- **DeviceSampleRate** The diagnostic data sample rate assigned to the device.
- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device.
- **FlightIds** A list of the different Windows Insider builds on this device.
- **FlightingBranchName** The name of the Windows Insider branch currently used by the device.
@@ -1472,7 +1472,7 @@ The following fields are available:
### Census.Hardware
-This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up-to-date.
+This event sends data about the device, including hardware type, OEM brand, model line, model, diagnostic data level setting, and TPM support, to help keep Windows up-to-date.
The following fields are available:
@@ -1504,9 +1504,9 @@ The following fields are available:
- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device.
- **SoCName** The firmware manufacturer of the device.
- **StudyID** Used to identify retail and non-retail device.
-- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced.
-- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions.
-- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user.
+- **TelemetryLevel** The diagnostic data level the user has opted into, such as Basic or Enhanced.
+- **TelemetryLevelLimitEnhanced** The diagnostic data level for Windows Analytics-based solutions.
+- **TelemetrySettingAuthority** Determines who set the diagnostic data level, such as GP, MDM, or the user.
- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0.
- **VoiceSupported** Does the device have a cellular radio capable of making voice calls?
@@ -1563,7 +1563,7 @@ The following fields are available:
- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go
- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI.
- **LanguagePacks** The list of language packages installed on the device.
-- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
+- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the Microsoft Store.
- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine.
- **OSEdition** Retrieves the version of the current OS.
- **OSInstallDateTime** Retrieves the date the OS was installed using ISO 8601 (Date part) == yyyy-mm-dd
@@ -1729,45 +1729,45 @@ This event provides information on about security settings used to help keep Win
### TelClientSynthetic.AuthorizationInfo_Startup
-This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date.
+This event sends data indicating that a device has undergone a change of diagnostic data opt-in level detected at UTC startup, to help keep Windows up to date.
The following fields are available:
-- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups.
-- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism.
+- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups.
+- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism.
- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
-- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry).
+- **CanCollectOsTelemetry** True if UTC is allowed to collect diagnostic data from the OS provider groups.
- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
- **CanPerformScripting** True if UTC is allowed to perform scripting.
- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
-- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry client was last started.
-- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
+- **PreviousPermissions** Bitmask representing the previously configured permissions since the diagnostic data client was last started.
+- **TransitionFromEverythingOff** True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data.
### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
-This event sends data indicating that a device has undergone a change of telemetry opt-in level during the runtime of the device (not at UTC boot or offline), to help keep Windows up to date.
+This event sends data indicating that a device has undergone a change of diagnostic data opt-in level during the runtime of the device (not at UTC boot or offline), to help keep Windows up to date.
The following fields are available:
-- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups.
-- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism.
+- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups.
+- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism.
- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
-- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry).
+- **CanCollectOsTelemetry** True if UTC is allowed to collect diagnostic data from the OS provider groups.
- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
- **CanPerformScripting** True if UTC is allowed to perform scripting.
- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
-- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry opt-in level was last changed.
-- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
+- **PreviousPermissions** Bitmask representing the previously configured permissions since the diagnostic data opt-in level was last changed.
+- **TransitionFromEverythingOff** True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data.
### TelClientSynthetic.ConnectivityHeartBeat_0
-This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
+This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads diagnostic data events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
The following fields are available:
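Review bot: The rewritten TelClientSynthetic.ConnectivityHeartBeat_0 description keeps "Connected User Experience and Telemetry component", while the MaxInUseScenarioCounter change elsewhere in this patch corrects the same name to "Connected User Experiences and Telemetry". Use the plural form here too so the component name is consistent. Separately, in both CanCollectAnyTelemetry lines, "Non-OS diagnostic data is responsible for providing its own opt-in mechanism" no longer reads well after the substitution; consider "Providers of non-OS diagnostic data are responsible for their own opt-in mechanism".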
@@ -1783,7 +1783,7 @@ The following fields are available:
### TelClientSynthetic.HeartBeat_5
-This event sends data about the health and quality of the telemetry data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
+This event sends data about the health and quality of the diagnostic data data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
The following fields are available:
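Review bot: The + line says "diagnostic data data from the given device", a doubled word left by replacing "telemetry" in "telemetry data". Drop the second "data" so the sentence reads "the health and quality of the diagnostic data from the given device".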
@@ -1791,7 +1791,7 @@ The following fields are available:
- **CensusExitCode** The last exit code of the Census task.
- **CensusStartTime** The time of the last Census run.
- **CensusTaskEnabled** Indicates whether Census is enabled.
-- **ConsumerDroppedCount** The number of events dropped by the consumer layer of the telemetry client.
+- **ConsumerDroppedCount** The number of events dropped by the consumer layer of the diagnostic data client.
- **CriticalDataDbDroppedCount** The number of critical data sampled events that were dropped at the database layer.
- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling.
- **CriticalOverflowEntersCounter** The number of times a critical overflow mode was entered into the event database.
@@ -1800,7 +1800,7 @@ The following fields are available:
- **DecodingDroppedCount** The number of events dropped because of decoding failures.
- **EnteringCriticalOverflowDroppedCounter** The number of events that was dropped because a critical overflow mode was initiated.
- **EtwDroppedBufferCount** The number of buffers dropped in the CUET ETW session.
-- **EtwDroppedCount** The number of events dropped by the ETW layer of the telemetry client.
+- **EtwDroppedCount** The number of events dropped by the ETW layer of the diagnostic data client.
- **EventSubStoreResetCounter** The number of times the event database was reset.
- **EventSubStoreResetSizeSum** The total size of the event database across all resets reports in this instance.
- **EventsUploaded** The number of events that have been uploaded.
@@ -1817,7 +1817,7 @@ The following fields are available:
- **SettingsHttpAttempts** The number of attempts to contact the OneSettings service.
- **SettingsHttpFailures** The number of failures from contacting the OneSettings service.
- **ThrottledDroppedCount** The number of events dropped due to throttling of noisy providers.
-- **UploaderDroppedCount** The number of events dropped by the uploader layer of the telemetry client.
+- **UploaderDroppedCount** The number of events dropped by the uploader layer of the diagnostic data client.
- **VortexFailuresTimeout** The number of timeout failures received from Vortex.
- **VortexHttpAttempts** The number of attempts to contact the Vortex service.
- **VortexHttpFailures4xx** The number of 400-499 error codes received from Vortex.
@@ -1888,7 +1888,7 @@ The following fields are available:
The following fields are available:
- **AppName** The name of the app that has crashed.
-- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend.
+- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the diagnostic data backend.
- **AppTimeStamp** The date/time stamp of the app.
- **AppVersion** The version of the app that has crashed.
- **ExceptionCode** The exception code returned by the process that has crashed.
@@ -1938,7 +1938,7 @@ This event sends data about hangs for both native and managed applications, to h
The following fields are available:
- **AppName** The name of the app that has hung.
-- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend.
+- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the diagnostic data backend.
- **AppVersion** The version of the app that has hung.
- **PackageFullName** Store application identity.
- **PackageRelativeAppId** Store application identity.
@@ -3185,7 +3185,7 @@ The following fields are available:
### Microsoft.Windows.UpdateNotificationPipeline.JavascriptJavascriptCriticalGenericMessage
-This event indicates that Javascript is reporting a schema and a set of values for critical telemetry
+This event indicates that Javascript is reporting a schema and a set of values for critical diagnostic data.
The following fields are available:
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index 26d0466e4a..a12a531608 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jdeckerms
-ms.date: 01/02/2018
+ms.date: 01/31/2018
---
# Change history for Configure Windows 10
@@ -19,8 +19,15 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md)
New or changed topic | Description
--- | ---
+[Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Added videos demonstrating how to use Microsoft Intune and how to use provisioning packages to configure multi-app kiosks.
[ConnectivityProfiles](wcd/wcd-connectivityprofiles.md) | Added settings for VPN **Native** and **Third Party** profile types.
[Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) | Clarified that the TopMFUApps elements in layoutmodification.xml are not supported in Windows 10, version 1709.
+| [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) | New topic |
+[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) | Added section for removing default apps from the taskbar.
+[Manage Windows 10 connection endpoints](manage-windows-endpoints-version-1709.md) | New topic for Windows 10, version 1709 that explains the purpose for connections to Microsoft services and how to manage them.
+[Configure Windows Spotlight on the lock screen](windows-spotlight.md) | Added section for resolution of custom lock screen images.
+[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Added section for automatic sign-in after restart on unmanaged devices.
+
## November 2017
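Review bot: The added Diagnostic Data Viewer row is written with leading and trailing pipes ("| [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) | New topic |"), while every other row in this table, including the other rows added here, has no outer pipes. Match the existing row style. The description "New topic" also lacks the trailing period and the detail the neighbouring rows give.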
@@ -43,7 +50,7 @@ The topics in this library have been updated for Windows 10, version 1709 (also
- [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md)
- [Multi-app kiosk XML reference](multi-app-kiosk-xml.md)
- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
-- [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](enhanced-telemetry-windows-analytics-events-and-fields.md)
+- [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
## September 2017
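Review bot: The last list item now links to enhanced-diagnostic-data-windows-analytics-events-and-fields.md, but no rename of enhanced-telemetry-windows-analytics-events-and-fields.md appears in the part of the patch shown here; only configure-windows-telemetry-in-your-organization.md is renamed. Please confirm the target file is renamed in the same change, otherwise this link breaks.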
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index 04acdd51b3..eb38b5217a 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 01/18/2018
---
# Configure Windows 10 taskbar
@@ -32,10 +32,11 @@ The following example shows how apps will be pinned: Windows default apps to the
## Configure taskbar (general)
-To configure the taskbar:
+**To configure the taskbar:**
+
1. Create the XML file.
- * If you are also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `` section from the following sample to the file.
- * If you are only configuring the taskbar, use the following sample to create a layout modification XML file.
+ * If you are also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `` section from [the following sample](#sample-taskbar-configuration-added-to-start-layout-xml-file) to the file.
+ * If you are only configuring the taskbar, use [the following sample](#sample-taskbar-configuration-xml-file) to create a layout modification XML file.
2. Edit and save the XML file. You can use [AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867) or Desktop Application Link Path to identify the apps to pin to the taskbar.
* Use `` and [AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867) to pin Universal Windows Platform apps.
* Use `` and Desktop Application Link Path to pin desktop applications.
@@ -176,6 +177,30 @@ If you only want to remove some of the default pinned apps, you would use this m

+## Remove default apps
+
+By adding `PinListPlacement="Replace"` to ``, you remove all default pinned apps.
+
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+```
+
## Configure taskbar by country or region
The following example shows you how to configure taskbars by country or region. When the layout is applied to a computer, if there is no `` node with a region tag for the current region, the first `` node that has no specified region will be applied. When you specify one or more countries or regions in a `` node, the specified apps are pinned on computers configured for any of the specified countries or regions.
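Review bot: In the new "Remove default apps" section, the sentence beginning "By adding `PinListPlacement="Replace"` to" is followed by an empty code span where the element name should be, and the xml sample under it shows only blank lines as it appears here. Name the element the attribute belongs on and make sure the sample content is present, since the section gives the reader nothing to copy without it.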
@@ -300,5 +325,3 @@ The resulting taskbar for computers in any other country region:
- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
-
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=configure-windows-10-taskbar.md).
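Review bot: The context line just above the removed Feedback Hub footer still has "tasbkar" in the link text "Customize Windows 10 Start and tasbkar with mobile device management (MDM)". Since this hunk already edits the end of the related-topics list, fix it to "taskbar" in the same change.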
diff --git a/windows/configuration/configure-windows-telemetry-in-your-organization.md b/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md
similarity index 55%
rename from windows/configuration/configure-windows-telemetry-in-your-organization.md
rename to windows/configuration/configure-windows-diagnostic-data-in-your-organization.md
index 139c9101f1..6a85eb7c57 100644
--- a/windows/configuration/configure-windows-telemetry-in-your-organization.md
+++ b/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md
@@ -1,6 +1,6 @@
---
-description: Use this article to make informed decisions about how you can configure telemetry in your organization.
-title: Configure Windows telemetry in your organization (Windows 10)
+description: Use this article to make informed decisions about how you can configure diagnostic data in your organization.
+title: Configure Windows diagnostic data in your organization (Windows 10)
keywords: privacy
ms.prod: w10
ms.mktglfcycl: manage
@@ -11,7 +11,7 @@ author: brianlic-msft
ms.date: 10/17/2017
---
-# Configure Windows telemetry in your organization
+# Configure Windows diagnostic data in your organization
**Applies to**
@@ -19,56 +19,54 @@ ms.date: 10/17/2017
- Windows 10 Mobile
- Windows Server
-At Microsoft, we use Windows telemetry to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Telemetry gives users a voice in the operating system’s development. This guide describes the importance of Windows telemetry and how we protect that data. Additionally, it differentiates between telemetry and functional data. It also describes the telemetry levels that Windows supports. Of course, you can choose how much telemetry is shared with Microsoft, and this guide demonstrates how.
+At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how.
-To frame a discussion about telemetry, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows telemetry system in the following ways:
+To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways:
-- **Control.** We offer customers control of the telemetry they share with us by providing easy-to-use management tools.
-- **Transparency.** We provide information about the telemetry that Windows and Windows Server collects so our customers can make informed decisions.
-- **Security.** We encrypt telemetry in transit from your device and protect that data at our secure data centers.
+- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools.
+- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions.
+- **Security.** We encrypt diagnostic data in transit from your device and protect that data at our secure data centers.
- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right.
-- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows telemetry system. Customer content inadvertently collected is kept confidential and not used for user targeting.
-- **Benefits to you.** We collect Windows telemetry to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
+- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting.
+- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
-This article applies to Windows and Windows Server telemetry only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, telemetry controls, and so on. This article describes the types of telemetry we may gather, the ways you might manage it in your organization, and some examples of how telemetry can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
+This article applies to Windows and Windows Server diagnostic data only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, diagnostic data controls, and so on. This article describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
-Use this article to make informed decisions about how you might configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services.
+Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. The diagnostic data data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=configure-windows-telemetry-in-your-organization.md).
-
## Overview
-In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control telemetry streams by using the Privacy option in Settings, Group Policy, or MDM.
+In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM.
For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization.
-## Understanding Windows telemetry
+## Understanding Windows diagnostic data
Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us.
-The release cadence of Windows may be fast, so feedback is critical to its success. We rely on telemetry at each stage of the process to inform our decisions and prioritize our efforts.
+The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts.
-### What is Windows telemetry?
-Windows telemetry is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
+### What is Windows diagnostic data?
+Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
- Keep Windows up to date
- Keep Windows secure, reliable, and performant
- Improve Windows – through the aggregate analysis of the use of Windows
- Personalize Windows engagement surfaces
-Here are some specific examples of Windows telemetry data:
+Here are some specific examples of Windows diagnostic data data:
- Type of hardware being used
- Applications installed and usage details
- Reliability information on device drivers
-### What is NOT telemetry?
+### What is NOT diagnostic data?
-Telemetry can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not telemetry. For example, exchanging a user’s location for local weather or news is not an example of telemetry—it is functional data that the app or service requires to satisfy the user’s request.
+Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request.
-There are subtle differences between telemetry and functional data. Windows collects and sends telemetry in the background automatically. You can control how much information is gathered by setting the telemetry level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
+There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services).
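Review bot: The telemetry-to-diagnostic-data substitution has left doubled words in two added lines here: "The diagnostic data data is used to help keep Windows devices secure" in the "Use this article" paragraph, and "Here are some specific examples of Windows diagnostic data data:". Both come from replacing "telemetry" inside "telemetry data" and should read "diagnostic data". In the same paragraph, "Diagnostic data is a term that means different things to different people and organizations" was written about the word "telemetry" and is worth rewording now that the term has changed.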
@@ -78,26 +76,26 @@ The following are specific examples of functional data:
- Bing searches
- Wallpaper and desktop settings synced across multiple devices
-### Telemetry gives users a voice
+### Diagnostic data gives users a voice
-Windows and Windows Server telemetry gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits.
+Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits.
### Drive higher app and driver quality
-Our ability to collect telemetry that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Telemetry helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
+Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
-#### Real-world example of how Windows telemetry helps
-There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our telemetry, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on telemetry from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Telemetry helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
+#### Real-world example of how Windows diagnostic data helps
+There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
### Improve end-user productivity
-Windows telemetry also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are:
+Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are:
- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time.
-- **Cortana.** We use telemetry to monitor the scalability of our cloud service, improving search performance.
-- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later telemetry showed significantly higher usage of this feature.
+- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
+- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
-**These examples show how the use of telemetry data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
+**These examples show how the use of diagnostic data data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
### Insights into your own organization
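Review bot: The bold summary sentence added at the end of the "Improve end-user productivity" list reads "the use of diagnostic data data enables Microsoft", a doubled word left by replacing "telemetry" in "telemetry data". Change it to "the use of diagnostic data enables Microsoft".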
@@ -110,7 +108,7 @@ Upgrading to new operating system versions has traditionally been a challenging,
To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
-With Windows telemetry enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
+With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
Use Upgrade Readiness to get:
@@ -124,50 +122,50 @@ Use Upgrade Readiness to get:
The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
-## How is telemetry data handled by Microsoft?
+## How is diagnostic data data handled by Microsoft?
### Data collection
-Windows 10 and Windows Server 2016 includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
+Windows 10 and Windows Server 2016 includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
2. Events are gathered using public operating system event logging and tracing APIs.
-3. You can configure the telemetry level by using MDM policy, Group Policy, or registry settings.
-4. The Connected User Experience and Telemetry component transmits the telemetry data.
+3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings.
+4. The Connected User Experiences and Telemetry component transmits the diagnostic data data.
-Info collected at the Enhanced and Full levels of telemetry is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
+Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
### Data transmission
-All telemetry data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
+All diagnostic data data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
### Endpoints
The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
-The following table defines the endpoints for telemetry services:
+The following table defines the endpoints for diagnostic data services:
| Service | Endpoint |
| - | - |
-| Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com settings-win.data.microsoft.com |
+| Connected User Experiences and Telemetry component | v10.vortex-win.data.microsoft.com settings-win.data.microsoft.com |
| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
### Data use and access
-The principle of least privileged access guides access to telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
+The principle of least privileged access guides access to diagnostic data data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
### Retention
Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history.
-## Telemetry levels
-This section explains the different telemetry levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016.
+## Diagnostic data levels
+This section explains the different diagnostic data levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016.
-The telemetry data is categorized into four levels:
+The diagnostic data data is categorized into four levels:
-- **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
+- **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
- **Basic**. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the **Security** level.
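Review bot: The renamed section heading "## How is diagnostic data data handled by Microsoft?" carries a doubled "data", and because the heading text determines the section anchor, the mistake would be baked into any link that targets it; fix it to "## How is diagnostic data handled by Microsoft?" before merging and check links that pointed at the old "telemetry" heading anchors in this file. The same doubling appears in other added lines of this hunk: "transmits the diagnostic data data", "All diagnostic data data is encrypted", "guides access to diagnostic data data" and "The diagnostic data data is categorized into four levels".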
@@ -177,20 +175,20 @@ The telemetry data is categorized into four levels:
The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016.
-
+
### Security level
-The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
+The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
> [!NOTE]
> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
-Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center gathered.
+Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data data about Windows Server features or System Center gathered.
The data gathered at this level includes:
-- **Connected User Experience and Telemetry component settings**. If general telemetry data has been gathered and is queued, it is sent to Microsoft. Along with this telemetry, the Connected User Experience and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experience and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
+- **Connected User Experiences and Telemetry component settings**. If general diagnostic data data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
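Review bot: Two added lines in the Security level section contain the doubled word "data data": the WSUS paragraph ("nor is diagnostic data data about Windows Server features or System Center gathered") and the component settings bullet ("If general diagnostic data data has been gathered and is queued"). Both should read "diagnostic data". The opening sentence's "diagnostic data info" is also redundant after the substitution and reads better as "diagnostic data".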
@@ -204,15 +202,15 @@ The data gathered at this level includes:
Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
-For servers with default telemetry settings and no Internet connectivity, you should set the telemetry level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
+For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
-No user content, such as user files or communications, is gathered at the **Security** telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
+No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
### Basic level
-The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
+The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent.
-The normal upload range for the Basic telemetry level is between 109 KB - 159 KB per day, per device.
+The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device.
The data gathered at this level includes:
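Review bot: The added Basic level paragraph now reads "does not gather diagnostic data data about System Center". Replacing "telemetry" inside "telemetry data" left a doubled word, so change it to "does not gather diagnostic data about System Center". Keeping the component name "Connected User Experiences and Telemetry" unchanged in the same sentence is correct.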
@@ -234,7 +232,7 @@ The data gathered at this level includes:
- Storage attributes, such as number of drives, type, and size
-- **Connected User Experience and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
+- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
@@ -261,7 +259,7 @@ The Enhanced level gathers data about how Windows and apps are used and how they
This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
-The normal upload range for the Enhanced telemetry level is between 239 KB - 348 KB per day, per device.
+The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device.
The data gathered at this level includes:
@@ -273,14 +271,14 @@ The data gathered at this level includes:
- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
-If the Connected User Experience and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experience and Telemetry component at the **Enhanced** telemetry level will only gather data about the events associated with the specific issue.
+If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue.
#### Limit Enhanced diagnostic data to the minimum required by Windows Analytics
Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**.
In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic.
-- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/eventname) topic.
+- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/eventname) topic.
- **Some crash dump types.** All crash dump types, except for heap and full dumps.
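Review bot: In the "Operating system events" bullet only the link text is updated. The target is still https://docs.microsoft.com/windows/configuration/eventname, which does not match the events-and-fields topic that this same change renames to enhanced-diagnostic-data-windows-analytics-events-and-fields.md. Point the link at the renamed topic, because this bullet is where readers are sent for the field-level documentation of what leaves the device.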
@@ -310,7 +308,7 @@ The **Full** level gathers data necessary to identify and to help fix problems,
Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.
-If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** telemetry level and have exhibited the problem.
+If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem.
However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
@@ -322,27 +320,27 @@ However, before more data is gathered, Microsoft’s privacy governance team, in
## Enterprise management
-Sharing telemetry data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the telemetry level and managing specific components is the best option.
+Sharing diagnostic data data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option.
-Customers can set the telemetry level in both the user interface and with existing management tools. Users can change the telemetry level in the **Diagnostic data** setting. In the **Settings** app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic, Enhanced, and Full. The Security level is not available.
+Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic, Enhanced, and Full. The Security level is not available.
-IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a telemetry level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security telemetry level is available when managing the policy. Setting the telemetry level through policy overrides users’ choices. The remainder of this section describes how to do that.
+IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy overrides users’ choices. The remainder of this section describes how to do that.
-### Manage your telemetry settings
+### Manage your diagnostic data settings
-We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
+We do not recommend that you turn off diagnostic data in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
> [!IMPORTANT]
-> These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx).
+> These diagnostic data levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx).
-You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on.
+You can turn on or turn off System Center diagnostic data gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center diagnostic data is turned on. However, setting the operating system diagnostic data level to **Basic** will turn off System Center diagnostic data, even if the System Center diagnostic data switch is turned on.
-The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 is **Enhanced**.
+The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server 2016 is **Enhanced**.
-### Configure the operating system telemetry level
+### Configure the operating system diagnostic data level
-You can configure your operating system telemetry settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any device level settings.
+You can configure your operating system diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy overrides any device level settings.
Use the appropriate value in the table below when you configure the management policy.
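Review bot: The first added line under "Enterprise management" reads "Sharing diagnostic data data with Microsoft", the same doubled word left by replacing "telemetry" in "telemetry data". It should read "Sharing diagnostic data with Microsoft". While the IMPORTANT note is being rewritten, also fix "how you can to opt in or opt out", which the new line carries over unchanged from the old one. The link text "Overview of Office Telemetry" is the title of the target page and is fine as is.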
@@ -354,9 +352,9 @@ Use the appropriate value in the table below when you configure the management p
| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** |
-### Use Group Policy to set the telemetry level
+### Use Group Policy to set the diagnostic data level
-Use a Group Policy object to set your organization’s telemetry level.
+Use a Group Policy object to set your organization’s diagnostic data level.
1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
@@ -364,11 +362,11 @@ Use a Group Policy object to set your organization’s telemetry level.
3. In the **Options** box, select the level that you want to configure, and then click **OK**.
-### Use MDM to set the telemetry level
+### Use MDM to set the diagnostic data level
Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy.
-### Use Registry Editor to set the telemetry level
+### Use Registry Editor to set the diagnostic data level
Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
@@ -382,25 +380,25 @@ Use Registry Editor to manually set the registry level on each device in your or
5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
-### Configure System Center 2016 telemetry
+### Configure System Center 2016 diagnostic data
-For System Center 2016 Technical Preview, you can turn off System Center telemetry by following these steps:
+For System Center 2016 Technical Preview, you can turn off System Center diagnostic data by following these steps:
-- Turn off telemetry by using the System Center UI Console settings workspace.
+- Turn off diagnostic data by using the System Center UI Console settings workspace.
-- For information about turning off telemetry for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505).
+- For information about turning off diagnostic data for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505).
-### Additional telemetry controls
+### Additional diagnostic data controls
-There are a few more settings that you can turn off that may send telemetry information:
+There are a few more settings that you can turn off that may send diagnostic data information:
-- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
+- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**.
- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
-- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At telemetry levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
+- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
> [!NOTE]
> Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
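Review bot: Under "Additional diagnostic data controls" the added intro line ends "that may send diagnostic data information", which is redundant after the term swap. Suggest "There are a few more settings that you can turn off that may send diagnostic data". The KB link text "How to disable telemetry for Service Management Automation and Service Provider Foundation" is the article's own title, so leaving it unchanged is right.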
@@ -435,4 +433,4 @@ Web Pages
- [Privacy at Microsoft](http://privacy.microsoft.com)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
+
\ No newline at end of file
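Review bot: The Feedback Hub line is replaced by a blank added line that still carries "\ No newline at end of file", so the file now ends with a stray blank line and no terminating newline. Delete the Feedback Hub line outright and end the file with a single newline after the "Privacy at Microsoft" link.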
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index 674c697959..7d84bee306 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -82,7 +82,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a
## Export the Start layout
-When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet in Windows PowerShell to export the Start layout to an .xml file.
+When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell to export the Start layout to an .xml file.
>[!IMPORTANT]
>If you include secondary Microsoft Edge tiles (tiles that link to specific websites in Microsoft Edge), see [Add custom images to Microsoft Edge secondary tiles](start-secondary-tiles.md) for instructions.
@@ -97,7 +97,7 @@ When you have the Start layout that you want your users to see, use the [Export-
In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml).
- Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet does not append the file name extension, and the policy settings require the extension.
+ Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet does not append the file name extension, and the policy settings require the extension.
Example of a layout file produced by `Export-StartLayout`:
@@ -171,7 +171,6 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed
- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=customize-and-export-start-layout.md).
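Review bot: The related-topics list that this hunk trims still spells the first link text "Customize Windows 10 Start and tasbkar with mobile device management (MDM)". Since the list is being edited anyway, correct "tasbkar" to "taskbar" in the link text. The link target file name is spelled correctly and does not need to change.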
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index 842dd88805..41f82753c8 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -44,7 +44,7 @@ The GPO can be configured from any computer on which the necessary ADMX and ADML
Three features enable Start and taskbar layout control:
-- The [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkID=620879) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
+- The [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
>[!NOTE]
>To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet.
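Review bot: The new Export-StartLayout URL pins a documentation view with ?view=win10-ps, while the Import-StartLayout link in the note directly below it has no view parameter. Use one form for both cmdlet links so they resolve to the same version of the StartLayout module reference. The same pinned URL is added twice in customize-and-export-start-layout.md and should follow whichever form is chosen.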
@@ -130,7 +130,6 @@ After you use Group Policy to apply a customized Start and taskbar layout on a c
- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=customize-windows-10-start-screens-by-using-group-policy.md).
diff --git a/windows/configuration/diagnostic-data-viewer-overview.md b/windows/configuration/diagnostic-data-viewer-overview.md
new file mode 100644
index 0000000000..fe1598c59f
--- /dev/null
+++ b/windows/configuration/diagnostic-data-viewer-overview.md
@@ -0,0 +1,104 @@
+---
+title: Diagnostic Data Viewer Overview (Windows 10)
+description: Use this article to use the Diagnostic Data Viewer application to review the diagnostic data sent to Microsoft by your device.
+keywords: privacy
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: brianlic-msft
+ms.author: brianlic
+ms.date: 01/17/2018
+---
+
+# Diagnostic Data Viewer Overview
+
+**Applies to**
+
+- Windows 10, Windows Insider Preview
+
+[This information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+## Introduction
+The Diagnostic Data Viewer is a Windows app that lets you review the diagnostic data your device is sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft.
+
+## Install and Use the Diagnostic Data Viewer
+You must turn on data viewing and download the app before you can use the Diagnostic Data Viewer to review your device's diagnostic data.
+
+### Turn on data viewing
+Before you can use this tool, you must turn on data viewing in the **Settings** panel. Turning on data viewing lets Windows store your device's diagnostic data until you turn it off. Turning off data viewing stops Windows from collecting your diagnostic data and clears the existing diagnostic data from your device.
+
+**To turn on data viewing**
+1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
+
+2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option.
+
+ 
+
+### Download the Diagnostic Data Viewer
+Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/en-us/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
+
+### Start the Diagnostic Data Viewer
+You must start this app from the **Settings** panel.
+
+**To start the Diagnostic Data Viewer**
+1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
+
+2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button.
+
+ 
-OR-
+
+ Go to **Start** and search for _Diagnostic Data Viewer_.
+
+3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then open Diagnostic Data Viewer again to review the updated list of diagnostic data.
+
+ >[!Important]
+ >Turning on data viewing can use up to 1GB of disk space on your system drive. We strongly recommend that your turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article.
+
+### Use the Diagnostic Data Viewer
+The Diagnostic Data Viewer provides you with the following features to view and filter your device's diagnostic data.
+
+- **View your diagnostic events.** In the left column, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft.
+
+ Selecting an event opens the detailed JSON view, which provides the exact details uploaded to Microsoft. Microsoft uses this info to continually improve the Windows operating system.
+
+- **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text.
+
+ Selecting an event opens the detailed JSON view, with the matching text highlighted.
+
+- **Filter your diagnostic event categories.** The apps Menu button opens the detailed menu. In here, you'll find a list of diagnostic event categories, which define how the events are used by Microsoft.
+
+ Selecting a check box lets you filter between the diagnostic event categories.
+
+- **Help to make your Windows experience better.** Microsoft only needs diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others.
+
+ To signify your contribution, you’ll see this icon () if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon ().
+
+- **Provide diagnostic event feedback.** The **Feedback** icon opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events.
+
+ Selecting a specific event in the Diagnostic Data Viewer automatically fills in the field in the Feedback Hub. You can add your comments to the box labeled, **Give us more detail (optional)**.
+
+ >[!Important]
+ >All content in the Feedback Hub is publicly viewable. Therefore, make sure you don't put any personal info into your feedback comments.
+
+## Turn off data viewing
+When you're done reviewing your diagnostic data, you should turn of data viewing.
+
+**To turn off data viewing**
+1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
+
+2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option.
+
+ 
+
+## View additional diagnostic data in the View problem reports tool
+You can review additional Windows Error Reporting diagnostic data in the **View problem reports** tool. This tool provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting. We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system.
+
+**To view your Windows Error Reporting diagnostic data**
+1. Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Security and Maintenance** > **Problem Reports**.
-OR-
+ Go to **Start** and search for _Problem Reports_.
+
+ The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft.
+
+ 
diff --git a/windows/configuration/enhanced-telemetry-windows-analytics-events-and-fields.md b/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
similarity index 94%
rename from windows/configuration/enhanced-telemetry-windows-analytics-events-and-fields.md
rename to windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
index 4463ec973b..385988b6d3 100644
--- a/windows/configuration/enhanced-telemetry-windows-analytics-events-and-fields.md
+++ b/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
@@ -1,7 +1,7 @@
---
-description: Use this article to learn more about the enhanced telemetry events used by Windows Analytics
+description: Use this article to learn more about the enhanced diagnostic data events used by Windows Analytics
title: Windows 10, version 1709 enhanced telemtry events and fields used by Windows Analytics (Windows 10)
-keywords: privacy, telemetry
+keywords: privacy, diagnostic data
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
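Review bot: The front-matter title is left as "Windows 10, version 1709 enhanced telemtry events and fields used by Windows Analytics (Windows 10)", while the description, keywords and H1 in this same change all move to "diagnostic data". Update the title line as well, which also removes the "telemtry" misspelling, so that the page title matches its heading and the renamed file.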
@@ -13,15 +13,15 @@ ms.author: jaimeo
---
-# Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics
+# Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics
**Applies to**
- Windows 10, version 1709 and later
-Windows Analytics Device Health reports are powered by diagnostic data not included in the Basic level. This includes crash reports and certain OS telemetry events. Organizations sending Enhanced or Full level diagnostic data were able to participate in Device Health, but some organizations which required detailed event and field level documentation were unable to move from Basic to Enhanced.
+Windows Analytics Device Health reports are powered by diagnostic data not included in the Basic level. This includes crash reports and certain OS diagnostic data events. Organizations sending Enhanced or Full level diagnostic data were able to participate in Device Health, but some organizations which required detailed event and field level documentation were unable to move from Basic to Enhanced.
-In Windows 10, version 1709, we introduce a new feature: "Limit Enhanced diagnostic data to the minimum required by Windows Analytics". When enabled, this feature limits the operating system telemetry events included in the Enhanced level to only those described below. Note that the Enhanced level also includes limited crash reports, which are not described below. For more information on the Enhanced level, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md).
+In Windows 10, version 1709, we introduce a new feature: "Limit Enhanced diagnostic data to the minimum required by Windows Analytics". When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to only those described below. Note that the Enhanced level also includes limited crash reports, which are not described below. For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
## KernelProcess.AppStateChangeSummary
diff --git a/windows/configuration/gdpr-win10-whitepaper.md b/windows/configuration/gdpr-win10-whitepaper.md
index 434bb0239b..c7dd56e8df 100644
--- a/windows/configuration/gdpr-win10-whitepaper.md
+++ b/windows/configuration/gdpr-win10-whitepaper.md
@@ -179,7 +179,7 @@ The GDPR includes explicit requirements for breach notification where a personal
As noted in the Windows Security Center white paper, [Post Breach: Dealing with Advanced Threats](http://wincom.blob.core.windows.net/documents/Post_Breach_Dealing_with_Advanced_Threats_Whitepaper.pdf), “_Unlike pre-breach, post-breach assumes a breach has already occurred – acting as a flight recorder and Crime Scene Investigator (CSI). Post-breach provides security teams the information and toolset needed to identify, investigate, and respond to attacks that otherwise will stay undetected and below the radar._”
-#### Insightful security telemetry
+#### Insightful security diagnostic data
For nearly two decades, Microsoft has been turning threats into useful intelligence that can help fortify our platform and protect customers. Today, with the immense computing advantages afforded by the cloud, we are finding new ways to use our rich analytics engines driven by threat intelligence to protect our customers.
By applying a combination of automated and manual processes, machine learning and human experts, we can create an Intelligent Security Graph that learns from itself and evolves in real-time, reducing our collective time to detect and respond to new incidents across our products.
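Review bot: The heading rename to "Insightful security diagnostic data" reads like a mechanical telemetry-to-diagnostic-data substitution that does not fit this section. The paragraphs under it describe threat intelligence and the Intelligent Security Graph, not the Windows diagnostic data levels, so the new heading conflates security signals with the OS data-collection setting that the rest of this rename is about. Consider keeping the original heading or rewording it around threat intelligence. Separately, the white paper link on the context line above is plain http://; switch it to https:// if the host serves the file that way.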
diff --git a/windows/configuration/images/auto-signin.png b/windows/configuration/images/auto-signin.png
new file mode 100644
index 0000000000..260376199e
Binary files /dev/null and b/windows/configuration/images/auto-signin.png differ
diff --git a/windows/configuration/images/ddv-data-viewing.png b/windows/configuration/images/ddv-data-viewing.png
new file mode 100644
index 0000000000..88f45acf3b
Binary files /dev/null and b/windows/configuration/images/ddv-data-viewing.png differ
diff --git a/windows/configuration/images/ddv-device-sample.png b/windows/configuration/images/ddv-device-sample.png
new file mode 100644
index 0000000000..8bb5d968e1
Binary files /dev/null and b/windows/configuration/images/ddv-device-sample.png differ
diff --git a/windows/configuration/images/ddv-event-sample.png b/windows/configuration/images/ddv-event-sample.png
new file mode 100644
index 0000000000..2674f139dd
Binary files /dev/null and b/windows/configuration/images/ddv-event-sample.png differ
diff --git a/windows/configuration/images/ddv-problem-reports-screen.png b/windows/configuration/images/ddv-problem-reports-screen.png
new file mode 100644
index 0000000000..d991f4c7d8
Binary files /dev/null and b/windows/configuration/images/ddv-problem-reports-screen.png differ
diff --git a/windows/configuration/images/ddv-settings-launch.png b/windows/configuration/images/ddv-settings-launch.png
new file mode 100644
index 0000000000..4d4e26c382
Binary files /dev/null and b/windows/configuration/images/ddv-settings-launch.png differ
diff --git a/windows/configuration/images/ddv-settings-off.png b/windows/configuration/images/ddv-settings-off.png
new file mode 100644
index 0000000000..12704b5e28
Binary files /dev/null and b/windows/configuration/images/ddv-settings-off.png differ
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index f41df7288e..e38d95e4ca 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -19,11 +19,12 @@ Enterprises often need to apply custom configurations to devices for their users
| Topic | Description |
| --- | --- |
-| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows telemetry in your organization. |
+| [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows diagnostic data in your organization. |
+|[Diagnostic Data Viewer overview](diagnostic-data-viewer-overview.md) |Learn about the categories of diagnostic data your device is sending to Microsoft, along with how it's being used.|
| [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1709. |
-|[Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](enhanced-telemetry-windows-analytics-events-and-fields.md)|Learn about diagnostic data that is collected by Windows Analytics.|
+|[Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)|Learn about diagnostic data that is collected by Windows Analytics.|
| [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703. |
-| [Windows 10 diagnostic data for the Full telemetry level](windows-diagnostic-data-1703.md) | Learn about the types of data that is collected at the full level in Windows 10, version 1703 and later. |
+| [Windows 10 diagnostic data for the Full diagnostic data level](windows-diagnostic-data-1703.md) | Learn about the types of data that is collected at the full level in Windows 10, version 1703 and later. |
|[Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)|Learn about Windows 10 and the upcoming GDPR-compliance requirements.|
| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. |
| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. |
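Review bot: The rewritten row "Windows 10 diagnostic data for the Full diagnostic data level" repeats "diagnostic data" twice in one link title, which is a side effect of the search-and-replace; "Windows 10 diagnostic data for the Full level" says the same thing. Also, two rows now point at renamed files (configure-windows-diagnostic-data-in-your-organization.md and enhanced-diagnostic-data-windows-analytics-events-and-fields.md). Confirm the file renames and redirects from the old telemetry URLs ship in this same change, since this hunk only shows the link text and targets being edited.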
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 06e04ade22..ea121c6820 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerms
ms.localizationpriority: high
-ms.date: 10/30/2017
+ms.date: 01/31/2018
ms.author: jdecker
---
@@ -20,7 +20,11 @@ ms.author: jdecker
- Windows 10
-A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package.
+A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using Microsoft Intune or a provisioning package.
+
+Watch how to use Intune to configure a multi-app kiosk.
+
+>[!VIDEO https://www.microsoft.com/videoplayer/embed/ce9992ab-9fea-465d-b773-ee960b990c4a?autoplay=false]
>[!NOTE]
>For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
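Review bot: The intro now says multi-app kiosks can be configured "using Microsoft Intune or a provisioning package", but the only Intune guidance this hunk adds is an embedded video, and the Process list in the next hunk still covers only the provisioning package path. Add a link to written Intune steps next to the video so the procedure is searchable, reviewable, and usable where video embeds are blocked.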
@@ -36,6 +40,10 @@ Process:
2. [Add XML file to provisioning package](#add-xml)
3. [Apply provisioning package to device](#apply-ppkg)
+Watch how to use a provisioning package to configure a multi-app kiosk.
+
+>[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
+
If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](#bridge).
## Prerequisites
@@ -44,6 +52,7 @@ If you don't want to use a provisioning package, you can deploy the configuratio
- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709
+
## Create XML file
Let's start by looking at the basic structure of the XML file.
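Review bot: The only change in this hunk is an extra blank line before "## Create XML file". Drop it unless it fixes a rendering problem, so the diff stays limited to content changes.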
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 64f38bbf58..a34a6aa5a7 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.localizationpriority: high
author: brianlic-msft
ms.author: brianlic-msft
-ms.date: 11/30/2017
+ms.date: 01/29/2018
---
# Manage connections from Windows operating system components to Microsoft services
@@ -19,20 +19,18 @@ ms.date: 11/30/2017
- Windows 10
- Windows Server 2016
-If you're looking for content on what each telemetry level means and how to configure it in your organization, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md).
+If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.
-If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
+If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
-You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
+You can configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. You should not extract this package to the windows\\system32 folder because it will not apply correctly. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
-
## What's new in Windows 10, version 1709
Here's a list of changes that were made to this article for Windows 10, version 1709:
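Review bot: The rewritten paragraph that starts "You can configure diagnostic data at the Security level" keeps two wording problems on a line this change already touches: "such as updating malware definitions and maintain current certificate revocation lists" should read "maintaining", and "which is why we strongly recommend against this" leaves "this" without a clear referent (it should name turning off all connections). Because this paragraph is the guidance admins will weigh when disabling definition and revocation-list updates, tighten it here. The context line "Make sure should you've chosen the right settings configuration" has a stray "should" that could be fixed in the same pass, and the commit message should mention the removal of the Feedback Hub link, which is unrelated to the rename.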
@@ -68,10 +66,10 @@ Here's a list of changes that were made to this article for Windows 10, version
- Accounts: Block Microsoft Accounts
- Do not use diagnostic data for tailored experiences
-## Settings
+## Management options for each setting
-The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections.
+The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections.
If you're running Windows 10, they will be included in the next update for the Long Term Servicing Branch.
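Review bot: Renaming "## Settings" to "## Management options for each setting" here, and the second "## Settings" to "## How to configure each setting" in the next hunk, changes the heading anchors for both sections. Check for in-page and cross-article links that target the old heading and update them in this change. The rename itself is an improvement, since the two identical headings were ambiguous.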
@@ -184,7 +182,7 @@ See the following table for a summary of the management settings for Windows Ser
| [21. Teredo](#bkmk-teredo) | |  |
| [28. Windows Update](#bkmk-wu) |  | |
-## Settings
+## How to configure each setting
Use the following sections for more information about how to configure each setting.
@@ -364,7 +362,7 @@ Windows Insider Preview builds only apply to Windows 10 and are not available fo
> [!NOTE]
-> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for zero exhaust) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the telemetry level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**.
+> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for zero exhaust) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the diagnostic data level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**.
To turn off Insider Preview builds for a released version of Windows 10:
@@ -524,6 +522,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Allow configuration updates for the Books Library | Choose whether configuration updates are done for the Books Library. Default: Not configured |
| Configure Autofill | Choose whether employees can use autofill on websites. Default: Enabled |
| Configure Do Not Track | Choose whether employees can send Do Not Track headers. Default: Disabled |
| Configure Password Manager | Choose whether employees can save passwords locally on their devices. Default: Enabled |
@@ -550,7 +549,8 @@ Alternatively, you can configure the Microsoft Group Policies using the followin
| Policy | Registry path |
| - | - |
-| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!Use FormSuggest REG_SZ: **no** |
+| Allow configuration updates for the Books Library | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary!AllowConfigurationUpdateForBooksLibrary REG_DWORD: **0** |
+| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!Use FormSuggest REG_SZ: **no** |
| Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!DoNotTrack REG_DWORD: 1 |
| Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!FormSuggest Passwords REG_SZ: **no** |
| Configure search suggestions in Address bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes!ShowSearchSuggestionsGlobal REG_DWORD: 0|
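Review bot: The new Books Library registry row sets AllowConfigurationUpdateForBooksLibrary to REG_DWORD **0**, but the policy description added in the previous hunk only says "Default: Not configured", so a reader cannot tell from either table which state the value 0 selects or that it is the one that stops the configuration-update traffic. State that explicitly in the description row. Two smaller points: the Configure Autofill row is removed and re-added with only whitespace changes, which adds noise to the diff, and the new row bolds its DWORD value while the neighbouring REG_DWORD rows (Do Not Track, search suggestions) do not.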
@@ -886,7 +886,7 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Micros
To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
> [!NOTE]
-> If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically.
+> If the diagnostic data level is set to either **Basic** or **Security**, this is turned off automatically.
@@ -1725,7 +1725,7 @@ For Windows 10 only, you can stop Enhanced Notifications:
- Turn off the feature in the UI.
-You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
+You can also use the registry to turn off Malicious Software Reporting Tool diagnostic data by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
### 24. Windows Media Player
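Review bot: The touched line still expands the tool name as "Malicious Software Reporting Tool", while the rest of this article abbreviates it as MSRT and the registry key sits under MRT. The product is the Malicious Software Removal Tool; since this line is being edited anyway, correct the name so admins searching for the setting find it.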
@@ -1802,7 +1802,10 @@ For more info, see [Windows Spotlight on the lock screen](windows-spotlight.md).
### 26. Microsoft Store
-You can turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Microsoft Store will be disabled. On Windows Server 2016, this will block Microsoft Store calls from Universal Windows Apps.
+You can turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded.
+This will also turn off automatic app updates, and the Microsoft Store will be disabled.
+In addition, new email accounts cannot be created by clicking **Settings** > **Accounts** > **Email & app accounts** > **Add an account**.
+On Windows Server 2016, this will block Microsoft Store calls from Universal Windows Apps.
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Microsoft Store**.
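Review bot: The expanded list of side effects for disabling the Store omits the security consequence that the new manage-windows-endpoints-version-1709.md file in this same change states repeatedly: "the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them." Add that sentence here as well, since this is the section where an admin decides whether to apply **Disable all apps from Microsoft Store**. The one-sentence-per-line split is fine for diffs but will render as a single paragraph; use a bulleted list if the items are meant to read separately.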
diff --git a/windows/configuration/manage-windows-endpoints-version-1709.md b/windows/configuration/manage-windows-endpoints-version-1709.md
new file mode 100644
index 0000000000..1c52da910b
--- /dev/null
+++ b/windows/configuration/manage-windows-endpoints-version-1709.md
@@ -0,0 +1,762 @@
+---
+title: Windows 10 connection endpoints
+description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
+keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+author: brianlic-msft
+ms.author: brianlic-msft
+ms.date: 11/21/2017
+---
+# Manage Windows 10 connection endpoints
+
+**Applies to**
+
+- Windows 10, version 1709
+
+Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
+
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
+
+This article lists different endpoints that are available on a clean installation of Windows 10 Enterprise, version 1709.
+Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it.
+
+We used the following methodology to derive these network endpoints:
+
+1. Set up Windows 10 Enterprise, version 1709 test virtual machine using the default settings.
+2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Apps
+
+The following endpoint is used to download updates to the Weather app Live Tile.
+If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| explorer | HTTP | tile-service.weather.microsoft.com/en-US/livetile/preinstall?region=US&appid=C98EA5B0842DBB9405BBF071E1DA76512D21FE36&FORM=Threshold |
+
+The following endpoint is used for OneNote Live Tile.
+To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
+
+The following endpoints are used for Twitter updates.
+To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | wildcard.twimg.com |
+| svchost.exe | | oem.twimg.com/windows/tile.xml |
+
+The following endpoint is used for Facebook updates.
+To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | star-mini.c10r.facebook.com |
+
+The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online.
+To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
+
+The following endpoint is used for Candy Crush Saga updates.
+To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | TLS v1.2 | candycrushsoda.king.com |
+
+The following endpoint is used for by the Microsoft Wallet app.
+To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
+
+The following endpoint is used by the Groove Music app for update HTTP handler status.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
+
+## Cortana and Search
+
+The following endpoint is used to get images that are used for Microsoft Store suggestions.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui | HTTPS | store-images.s-microsoft.com/image/apps.32524.9007199266244048.fc51fce8-175a-4525-b569-14d91f7779c3.0a720951-38e4-4e81-9804-03f833ab1d2e?format=source |
+
+The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/client/config?cc=US&setlang=en-US |
+
+The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/proactive/v2/spark?cc=US&setlang=en-US |
+
+The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
+
+## Certificates
+
+The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1ba0e83cae791f0d |
+
+The following endpoints are used to download certificates that are publicly known to be fraudulent.
+These settings are critical for both Windows security and the overall security of the Internet.
+We do not recommend blocking this endpoint.
+If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?03376e5589b4a188 |
+
+## Device authentication
+
+The following endpoint is used to authenticate a device.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | login.live.com/ppsecure/deviceaddcredential.srf |
+
+## Device metadata
+
+The following endpoint is used to retrieve device metadata.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | dmd.metaservices.microsoft.com.akadns.net |
+
+## Diagnostic Data
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 |
+
+The following endpoints are used by Windows Error Reporting.
+To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| wermgr | | watson.telemetry.microsoft.com/Telemetry.Request |
+| |TLS v1.2 |modern.watson.data.microsoft.com.akadns.net|
+
+## Font streaming
+
+The following endpoints are used to download fonts on demand.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | fs.microsoft.com |
+| | | fs.microsoft.com/fs/windows/config.json |
+
+## Licensing
+
+The following endpoint is used for online activation and some app licensing.
+To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
+
+## Location
+
+The following endpoint is used for location data.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | location-inference-westus.cloudapp.net |
+
+## Maps
+
+The following endpoint is used to check for updates to maps that have been downloaded for offline use.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *g.akamaiedge.net |
+
+## Microsoft account
+
+The following endpoints are used for Microsoft accounts to sign in.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | login.msa.akadns6.net |
+| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
+
+## Microsoft Store
+
+The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.wns.windows.com |
+
+The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
+To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storecatalogrevocation.storequality.microsoft.com/applications/revoked.json/ |
+
+The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1ARmA?ver=e6f4 |
+| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWbW71?ver=c090 |
+
+The following endpoints are used to communicate with Microsoft Store.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storeedgefd.dsx.mp.microsoft.com |
+| | HTTP | pti.store.microsoft.com |
+||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
+
+## Network Connection Status Indicator (NCSI)
+
+Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | www.msftconnecttest.com/connecttest.txt |
+
+## Office
+
+The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.a-msedge.net |
+| hxstr | | *.c-msedge.net |
+| | | *.e-msedge.net |
+| | | *.s-msedge.net |
+
+The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for this endpoint, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| hxstr | | *.c-msedge.net |
+
+The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
+
+The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+ently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
+
+## OneDrive
+
+The following endpoint is a redirection service that’s used to automatically update URLs.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTP | g.live.com/1rewlive5skydrive/ODSUProduction |
+
+
+The following endpoint is a redirection service that’s used to automatically update URLs.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTPS | g.live.com/1rewlive5skydrive/OneDriveProduction?OneDriveUpdate=1303f1898483a527eab1d8f57af6 |
+
+The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
+To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTPS | oneclient.sfx.ms/PreSignInSettings/Prod/PreSignInSettingsConfig.json?OneDriveUpdate=3253474af747a19de2a72deb9a75 |
+
+## Settings
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | HTTPS | settings.data.microsoft.com |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | settings-win.data.microsoft.com |
+
+## Skype
+
+The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
+
+
+
+## Windows Defender
+
+The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | wdcp.microsoft.com |
+
+The following endpoints are used for Windows Defender definition updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | definitionupdates.microsoft.com |
+|MpCmdRun.exe|HTTPS|go.microsoft.com|
+
+## Windows Insider Preview builds
+
+The following endpoint is used to retrieve Windows Insider Preview builds.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-previewbuilds), the device will not be notified about new Windows Insider Preview builds.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | insiderppe.cloudapp.net/windows-app-web-link |
+
+## Windows Spotlight
+
+The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](windows-spotlight.md).
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | arc.msn.com |
+| backgroundtaskhost | | g.msn.com.nsatc.net |
+| |TLS v1.2| *.search.msn.com |
+| | HTTPS | ris.api.iris.microsoft.com/v1/a/impression?CID=116000000000270658®ion=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=ENTERPRISE&cmdVer=10.0.15063.0&mo=&cap=&EID=&&PID=400051553&UIT=G&TargetID=700090861&AN=275357688&PG=PC000P0FR5.0000000G4I&REQASID=D17E3C737583496F8C4CE6553F7395C5&UNID=202914&ANID=&MUID=&ASID=a81b259b93e2425e801d0bb5a5ec2741&PERSID=&AUID=71FA96C64367722E210169966CE8D919&TIME=20170721T015831Z |
+| | HTTPS | query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWaHxi |
+| | HTTPS | query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWaML4 |
+
+## Windows Update
+
+The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
+
+The following endpoints are used to download operating system patches and updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | au.download.windowsupdate.com |
+| svchost | HTTP | *.windowsupdate.com |
+| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
+
+The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | cds.d2s7q6s2.hwcdn.net |
+
+The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | *wac.phicdn.net |
+| | | *wac.edgecastcdn.net |
+
+The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
+
+The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | emdl.ws.microsoft.com/emdl/c/doc/ph/prod1/msdownload/update/software/defu/2017/07/1024/am_base_82267ed19fb382d07106d5f64257fb815c664b31.exe.json |
+
+The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | fe2.update.microsoft.com/v6/ClientWebService/client.asmx |
+| svchost | | fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx |
+| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net (an alias for fe3.delivery.mp.microsoft.com) |
+| svchost | HTTPS | sls.update.microsoft.com |
+
+The following endpoint is used for content regulation.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
+
+The following endpoints are used to download content.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | a122.dscd.akamai.net |
+| | | a1621.g.akamai.net |
+
+## Microsoft forward link redirection service (FWLink)
+
+The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer.
+
+If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Various|HTTPS|go.microsoft.com|
+
+## Endpoints for other Windows editions
+
+In addition to the endpoints listed for Windows 10 Enterprise, the following endpoints are available on other editions of Windows 10, version 1709.
+
+## Windows 10 Home
+
+| **Destination** | **Protocol** | **Description** |
+| --- | --- | --- |
+| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
+| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
+| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. |
+| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
+| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
+| *.dscd.akamai.net | HTTP | Used to download content. |
+| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
+| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. |
+| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
+| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
+| *prod.do.dsp.mp.microsoft.com | TLSv1.2/
+HTTPS | Used for Windows Update downloads of apps and OS updates. |
+| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
+| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
+| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
+| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. |
+| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. |
+| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. |
+| cdn.onenote.net | HTTP | Used for OneNote Live Tile. |
+| client-office365-tas.msedge.net | HTTP | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. |
+| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. |
+| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
+| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
+| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
+| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. |
+| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2/
+HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
+| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. |
+| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. |
+| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
+| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
+| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). |
+| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
+| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
+| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
+| login.live.com | HTTPS | Used to authenticate a device. |
+| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
+| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
+| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. |
+| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. |
+| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. |
+| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| ris.api.iris.microsoft.com.akadns.net | TLSv1.2/
+HTTPS | Used to retrieve Windows Spotlight metadata. |
+| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
+| sls.update.microsoft.com.nsatc.net | TLSv1.2/
+HTTPS | Enables connections to Windows Update. |
+| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. |
+| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
+| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. |
+| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
+| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
+| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
+| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
+| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. |
+| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
+| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
+| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. |
+| www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
+| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
+
+## Windows 10 Pro
+
+| **Destination** | **Protocol** | **Description** |
+| --- | --- | --- |
+| *.*.akamai.net | HTTP | Used to download content. |
+| *.*.akamaiedge.net | HTTP/
+TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
+| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. |
+| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
+| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
+| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
+| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
+| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
+| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
+| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
+| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
+| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
+| *prod.do.dsp.mp.microsoft.com | TLSv1.2/
+HTTPS | Used for Windows Update downloads of apps and OS updates. |
+| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
+| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
+| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
+| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. |
+| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. |
+| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. |
+| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. |
+| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. |
+| client-office365-tas.msedge.net | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. |
+| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. |
+| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
+| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). |
+| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
+| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
+| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. |
+| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| download.windowsupdate.com | HTTP | Enables connections to Windows Update. |
+| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office Online. |
+| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2/
+HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
+| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| fs.microsoft.com | HTTPS | Used to download fonts on demand |
+| g.live.com | HTTP | Used by a redirection service to automatically update URLs. |
+| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
+| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . |
+| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). |
+| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
+| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
+| login.live.com | HTTPS | Used to authenticate a device. |
+| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
+| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
+| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| oem.twimg.com | HTTP | Used for the Twitter Live Tile. |
+| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. |
+| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
+| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
+| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
+| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
+| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
+| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
+| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
+| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
+| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
+| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
+| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. |
+| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
+| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. |
+| www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
+| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
+
+## Windows 10 Education
+
+| **Destination** | **Protocol** | **Description** |
+| --- | --- | --- |
+| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
+| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
+| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
+| *.dscd.akamai.net | HTTP | Used to download content. |
+| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
+| *.dspw65.akamai.net | HTTP | Used to download content. |
+| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.g.akamai.net | HTTP | Used to download content. |
+| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
+| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. |
+| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates |
+| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
+| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. |
+| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. |
+| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
+| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
+| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. |
+| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. |
+| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. |
+| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
+| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. |
+| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
+| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). |
+| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
+| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
+| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| download.windowsupdate.com | HTTP | Enables connections to Windows Update. |
+| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office Online. |
+| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
+| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
+| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| g.msn.com.nsatc.net | HTTP/
+TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
+| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
+| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . |
+| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
+| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
+| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
+| login.live.com/* | HTTPS | Used to authenticate a device. |
+| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
+| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
+| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. |
+| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. |
+| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
+| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
+| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
+| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
+| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
+| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
+| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
+| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
+
+## Related links
+
+- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
+- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
\ No newline at end of file
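Review bot: Several rows in the Windows 10 Pro and Education tables split the Protocol cell across two lines (for example `| *.*.akamaiedge.net | HTTP/` followed by `TLSv1.2 | Used to check for updates to maps ...`), which ends the Markdown table row early; keep both protocols on one line. The Pro table lists `store-images.s-microsoft.com` twice with identical cells, and `arc.msn.com.nsatc.net` is the only row here marked TLSv1.3, so please confirm that value. Because admins will build firewall allow-lists from these tables, it would help to explain why the same host carries different protocols per edition (`oneclient.sfx.ms`, described as downloading and verifying app updates, is HTTPS in the table above but HTTP under Pro and Education), and to note that wildcards such as `*.blob.core.windows.net` and `*.*.akamai.net` match shared hosting far beyond the listed service. Minor: "Used for Baltimore CyberTrust Root traffic. ." has a stray period, and the new file has no trailing newline.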
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index 78b3d5ea88..b595b81972 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -104,7 +104,6 @@ On devices running Windows 10, you can install [the Windows Configuration Design
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=provisioning-install-icd.md).
diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
index a8769e6edf..2e6a4b5c10 100644
--- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
+++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
@@ -138,7 +138,7 @@ This is an example script with logging that shows how to run a powershell script
set LOGFILE=%SystemDrive%\my_powershell_script.log
echo Running my_powershell_script.ps1 in system context >> %LOGFILE%
echo Executing "PsExec.exe -accepteula -i -s cmd.exe /c powershell.exe my_powershell_script.ps1" >> %LOGFILE%
-PsExec.exe -accepteula -i -s cmd.exe /c powershell.exe my_powershell_script.ps1' >> %LOGFILE%
+PsExec.exe -accepteula -i -s cmd.exe /c 'powershell.exe my_powershell_script.ps1' >> %LOGFILE%
echo result: %ERRORLEVEL% >> %LOGFILE%
```
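Review bot: The new PsExec line wraps the command in single quotes, but cmd.exe does not treat `'` as a quoting character, so `cmd.exe /c 'powershell.exe my_powershell_script.ps1'` hands cmd a command name that begins with a literal apostrophe. The only defect in the old line was the stray trailing `'`; drop the quotes entirely or use double quotes. The `echo Executing ...` line just above logs the command without any quotes, so keep the logged and executed forms identical. Since `-s` runs the script in system context, the surrounding text could also remind readers to keep the .ps1 in a location that standard users cannot modify.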
@@ -230,4 +230,4 @@ When you are done, [build the package](provisioning-create-package.md#build-pack
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
\ No newline at end of file
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
index 4ba7847905..0fe1c5b458 100644
--- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
+++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 01/31/2018
---
# Set up a kiosk on Windows 10 Pro, Enterprise, or Education
@@ -37,9 +37,15 @@ To return the device to the regular shell, see [Sign out of assigned access](#si
>[!NOTE]
>A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.
-
+## Using a local device as a kiosk
+When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
+If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do.
+
+If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device.
+
+
## Set up a kiosk using Windows Configuration Designer
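Review bot: The new section covers only the case where the last signed-in user is the kiosk account. Since it states that the last signed-in user is signed in automatically after a restart, it should also say what happens when that user is a different account, such as an administrator who serviced the device, and whether the **Use my sign-in info...** setting needs to be turned off for those accounts as well. Formatting: there is no blank line after `## Using a local device as a kiosk`, the first two paragraphs sit on adjacent lines and will render as one, and the hunk adds two consecutive blank lines before the next heading.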
@@ -433,6 +439,5 @@ For a more secure kiosk experience, we recommend that you make the following con
- [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=set-up-a-kiosk-for-windows-10-for-desktop-editions.md).
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index 7db69cb00b..196d95eb81 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -50,7 +50,7 @@ Apps can take advantage of shared PC mode with the following three APIs:
- [IsEnabled](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings) - This informs apps when the PC has been configured for shared use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences.
- [ShouldAvoidLocalStorage](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings) - This informs apps when the PC has been configured to not allow the user to save to the local storage of the PC. Instead, only cloud save locations should be offered by the app or saved automatically by the app.
-- [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) - This informs apps when the PC is used in an education environment. Apps may want to handle telemetry differently or hide advertising functionality.
+- [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) - This informs apps when the PC is used in an education environment. Apps may want to handle diagnostic data differently or hide advertising functionality.
###Customization
diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md
index bd8061516c..c12a8cf0c6 100644
--- a/windows/configuration/start-secondary-tiles.md
+++ b/windows/configuration/start-secondary-tiles.md
@@ -68,7 +68,7 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE
```
In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml).
- Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet does not append the file name extension, and the policy settings require the extension.
+ Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet does not append the file name extension, and the policy settings require the extension.
3. If you’d like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references.
- For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"`
diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md
index 9f54de618d..318293c24d 100644
--- a/windows/configuration/stop-employees-from-using-microsoft-store.md
+++ b/windows/configuration/stop-employees-from-using-microsoft-store.md
@@ -115,7 +115,6 @@ If you're using Microsoft Store for Business and you want employees to only see
[Manage access to private store](/microsoft-store/manage-access-to-private-store)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=stop-employees-from-using-microsoft-store.md).
diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md
index 5c8c80dffc..0073f13e81 100644
--- a/windows/configuration/wcd/wcd-connectivityprofiles.md
+++ b/windows/configuration/wcd/wcd-connectivityprofiles.md
@@ -166,7 +166,7 @@ The **Config** settings are initial settings that can be overwritten when settin
### SystemCapabilities
-You can use these settings to configure system capabilities for Wi-Fi adapters, which is a new functionality in Windows 10. These system capabilities are added at image time to ensure that the information is at its most accurate. The capabilities allow the OS to have a better understanding of the underlying hardware that it's running on. Telemetry data is generated by the system to provide data that can be used to diagnose both software and hardware issues.
+You can use these settings to configure system capabilities for Wi-Fi adapters, which is a new functionality in Windows 10. These system capabilities are added at image time to ensure that the information is at its most accurate. The capabilities allow the OS to have a better understanding of the underlying hardware that it's running on. Diagnostic data data is generated by the system to provide data that can be used to diagnose both software and hardware issues.
| Setting | Description |
| --- | --- |
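Review bot: The `+` line under SystemCapabilities now reads "Diagnostic data data is generated by the system", a doubled word left behind by the telemetry to diagnostic data substitution. Something like "Diagnostic data is generated by the system to help diagnose both software and hardware issues" fixes it and also avoids the "data ... to provide data" repetition.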
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index d95ae64429..25f5b58fc5 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -372,10 +372,10 @@ This section describes the **Policies** settings that you can configure in [prov
| [AllowExperimentation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | X | X | | | |
| [AllowLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | X | X | X | X | X |
| [AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | X | X | X | X | X |
-| [AllowTelemetry](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and useage telemetry data. | X | X | | | |
+| [AllowTelemetry](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | X | X | | | |
| [AllowUserToResetPhone](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | X | X | | | |
| [DisableOneDriveFileSync](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | X | | | | |
-| [LimitEnhancedDiagnosticDataWindowsAnalytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://go.microsoft.com/fwlink/?linkid=847594). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | X | X | | | |
+| [LimitEnhancedDiagnosticDataWindowsAnalytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://go.microsoft.com/fwlink/?linkid=847594). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | X | X | | | |
## TextInput
diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md
index 137cf16b49..91e6bc382b 100644
--- a/windows/configuration/wcd/wcd-sharedpc.md
+++ b/windows/configuration/wcd/wcd-sharedpc.md
@@ -60,4 +60,3 @@ Use these settings to configure policies for shared PC mode.
- [Set up shared or guest PC](../set-up-shared-or-guest-pc.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=wcd-sharedpc.md).
\ No newline at end of file
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index e7ab4dc5ab..891f928d4d 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -114,7 +114,7 @@ The new taskbar layout for upgrades to Windows 10, version 1607 or later, will a
- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-start-layout-options-and-policies.md).
+
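Review bot: The Feedback Hub line should be deleted outright, as in the other files of this change, rather than replaced with an empty `+` line, which leaves a stray blank line after the list. While this list is being touched, the link text "Customize Windows 10 Start and tasbkar with mobile device management (MDM)" misspells "taskbar".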
diff --git a/windows/configuration/windows-diagnostic-data-1703.md b/windows/configuration/windows-diagnostic-data-1703.md
index bb63c4b710..954a8fc5e0 100644
--- a/windows/configuration/windows-diagnostic-data-1703.md
+++ b/windows/configuration/windows-diagnostic-data-1703.md
@@ -1,6 +1,6 @@
---
-title: Windows 10 diagnostic data for the Full telemetry level (Windows 10)
-description: Use this article to learn about the types of data that is collected the the Full telemetry level.
+title: Windows 10 diagnostic data for the Full diagnostic data level (Windows 10)
+description: Use this article to learn about the types of data that is collected the the Full diagnostic data level.
keywords: privacy,Windows 10
ms.prod: w10
ms.mktglfcycl: manage
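Review bot: The added `description:` line carries over the doubled word from the line it replaces: "collected the the Full diagnostic data level". Since the line is being rewritten anyway, change it to "collected at the Full diagnostic data level", and fix the agreement in "types of data that is collected" at the same time.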
@@ -11,12 +11,12 @@ ms.author: lizross
ms.date: 04/05/2017
---
-# Windows 10 diagnostic data for the Full telemetry level
+# Windows 10 diagnostic data for the Full diagnostic data level
**Applies to:**
- Windows 10, version 1703 and later
-Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide more relevant tips and recommendations to tailor Microsoft products to the user’s needs. This article describes all types diagnostic data collected by Windows at the Full telemetry level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1709 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md).
+Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide more relevant tips and recommendations to tailor Microsoft products to the user’s needs. This article describes all types diagnostic data collected by Windows at the Full diagnostic data level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1709 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md).
The data covered in this article is grouped into the following categories:
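Review bot: The added introductory paragraph still reads "describes all types diagnostic data collected by Windows", which is missing "of" after "types". The terminology change touches this sentence already, so correct it to "all types of diagnostic data" here rather than leaving it for a follow-up.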
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md
index 9e0f5260b2..6e1b327c7d 100644
--- a/windows/configuration/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 01/26/2018
---
# Configure Windows Spotlight on the lock screen
@@ -68,19 +68,29 @@ Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mo
In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
+ >[!TIP]
+ >If you want to use a custom lock screen image that contains text, see [Resolution for custom lock screen image](#resolution-for-custom-lock-screen-image).
+

Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages.
+## Resolution for custom lock screen image
+A concern with custom lock screen images is how they will appear on different screen sizes and resolutions.
+
+A custom lock screen image created in 16:9 aspect ratio (1600x900) will scale properly on devices using a 16:9 resolution, such as 1280x720 or 1920x1080. On devices using other aspect ratios, such as 4:3 (1024x768) or 16:10 (1280x800), height scales correctly and width is cropped to a size equal to the aspect ratio. The image will remain centered on the screen
+
+Lock screen images created at other aspect ratios may scale and center unpredictably on your device when changing aspect ratios.
+
+The recommendation for custom lock screen images that include text (such as a legal statement) is to create the lock screen image in 16:9 resolution with text contained in the 4:3 region, allowing the text to remain visible at any aspect ratio.
## Related topics
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-spotlight.md).
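Review bot: In the added "Resolution for custom lock screen image" section, the phrase "width is cropped to a size equal to the aspect ratio" does not say which aspect ratio is meant (the device's or the image's), and the following sentence "The image will remain centered on the screen" has no terminal period. Because the section's recommendation depends on text such as a legal statement staying visible, state explicitly that the width is cropped to the device's aspect ratio if that is the intent. The section also uses "16:9 resolution" where it means aspect ratio, and the added `>[!TIP]` lines are indented by a space, unlike the `>[!NOTE]` blocks in other files in this change; confirm the tip still renders as intended.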
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index c5ccc885d1..d306bd8ea5 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -8,6 +8,7 @@
### [Configure VDA for Subscription Activation](vda-subscription-activation.md)
### [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md)
## [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md)
+### [Submit Windows 10 upgrade errors](upgrade/submit-errors.md)
## [Deploy Windows 10](deploy.md)
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index 50c359dacc..53297d9119 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -646,5 +646,3 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
[Configure MDT settings](configure-mdt-settings.md)
-
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=create-a-windows-10-reference-image.md).
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 01c4df060f..d3ae97f74b 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -653,5 +653,3 @@ Figure 14. The partitions when deploying an UEFI-based machine.
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
[Configure MDT settings](configure-mdt-settings.md)
-
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=deploy-a-windows-10-image-using-mdt.md).
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
index 61964bed2a..5a03190d0c 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -93,5 +93,3 @@ The information in this guide is designed to help you deploy Windows 10. In ord
[Volume Activation for Windows 10](../volume-activation/volume-activation-windows-10.md)
-
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
\ No newline at end of file
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index 10dc612bdb..2040ebf2d1 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -21,7 +21,7 @@ Windows 10 upgrade options are discussed and information is provided about plann
|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. |
-|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
+|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
diff --git a/windows/deployment/images/downlevel.PNG b/windows/deployment/images/downlevel.PNG
new file mode 100644
index 0000000000..dff0ebb02b
Binary files /dev/null and b/windows/deployment/images/downlevel.PNG differ
diff --git a/windows/deployment/images/event.PNG b/windows/deployment/images/event.PNG
new file mode 100644
index 0000000000..3950d795ca
Binary files /dev/null and b/windows/deployment/images/event.PNG differ
diff --git a/windows/deployment/images/feedback.PNG b/windows/deployment/images/feedback.PNG
new file mode 100644
index 0000000000..15e171c4ed
Binary files /dev/null and b/windows/deployment/images/feedback.PNG differ
diff --git a/windows/deployment/images/firstboot.PNG b/windows/deployment/images/firstboot.PNG
new file mode 100644
index 0000000000..dfb798c93c
Binary files /dev/null and b/windows/deployment/images/firstboot.PNG differ
diff --git a/windows/deployment/images/safeos.PNG b/windows/deployment/images/safeos.PNG
new file mode 100644
index 0000000000..88c31087a4
Binary files /dev/null and b/windows/deployment/images/safeos.PNG differ
diff --git a/windows/deployment/images/secondboot.PNG b/windows/deployment/images/secondboot.PNG
new file mode 100644
index 0000000000..670fdce7b0
Binary files /dev/null and b/windows/deployment/images/secondboot.PNG differ
diff --git a/windows/deployment/images/secondboot2.PNG b/windows/deployment/images/secondboot2.PNG
new file mode 100644
index 0000000000..0034737e90
Binary files /dev/null and b/windows/deployment/images/secondboot2.PNG differ
diff --git a/windows/deployment/images/secondboot3.PNG b/windows/deployment/images/secondboot3.PNG
new file mode 100644
index 0000000000..c63ef6939d
Binary files /dev/null and b/windows/deployment/images/secondboot3.PNG differ
diff --git a/windows/deployment/images/share.jpg b/windows/deployment/images/share.jpg
new file mode 100644
index 0000000000..e8365ad34c
Binary files /dev/null and b/windows/deployment/images/share.jpg differ
diff --git a/windows/deployment/index.md b/windows/deployment/index.md
index fe0e5d5f08..f63641d04f 100644
--- a/windows/deployment/index.md
+++ b/windows/deployment/index.md
@@ -32,7 +32,7 @@ Windows 10 upgrade options are discussed and information is provided about plann
|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about media available in the Microsoft Volume Licensing Service Center. |
-|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
+|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 4334a585c9..1f0ef3d834 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -401,5 +401,3 @@ In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
-
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=mbr-to-gpt.md).
\ No newline at end of file
diff --git a/windows/deployment/planning/act-technical-reference.md b/windows/deployment/planning/act-technical-reference.md
index 3d541198b1..a84f82eb0a 100644
--- a/windows/deployment/planning/act-technical-reference.md
+++ b/windows/deployment/planning/act-technical-reference.md
@@ -20,7 +20,7 @@ We've replaced the majority of functionality included in the Application Compati
Microsoft developed Upgrade Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
-With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
+With Windows diagnostic data enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
Use Upgrade Analytics to get:
- A visual workflow that guides you from pilot to production
diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md
index 54f3d47f42..175f553534 100644
--- a/windows/deployment/update/device-health-get-started.md
+++ b/windows/deployment/update/device-health-get-started.md
@@ -23,17 +23,17 @@ Steps are provided in sections that follow the recommended setup process:
Device Health has the following requirements:
1. Device Health is currently only compatible with Windows 10 and Windows Server 2016 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
-2. The solution requires that at least the [enhanced level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) is enabled on all devices that are intended to be displayed in the solution. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
-3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the telemetry services](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
+2. The solution requires that at least the [enhanced level of diagnostic data](https://technet.microsoft.com/itpro/windows/manage/configure-windows-diagnostic-data-in-your-organization#basic-level) is enabled on all devices that are intended to be displayed in the solution. To learn more about Windows diagnostic data, see [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
+3. The diagnostic data of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the diagnostic data services](/windows/configuration//configure-windows-diagnostic-data-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on diagnostic data endpoints and summarizes the use of each endpoint:
Service | Endpoint
--- | ---
-Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com settings-win.data.microsoft.com
+Connected User Experiences and Telemetry component | v10.vortex-win.data.microsoft.com settings-win.data.microsoft.com
Windows Error Reporting | watson.telemetry.microsoft.com
Online Crash Analysis | oca.telemetry.microsoft.com
>[!NOTE]
-> If your deployment includes devices running Windows 10 versions prior to Windows 10, version 1703, you must **exclude** *authentication* for the endpoints listed in Step 3. Windows Error Reporting did not support authenticating proxies until Windows 10, version 1703. See [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization) for steps to exclude authentication for these endpoints.
+> If your deployment includes devices running Windows 10 versions prior to Windows 10, version 1703, you must **exclude** *authentication* for the endpoints listed in Step 3. Windows Error Reporting did not support authenticating proxies until Windows 10, version 1703. See [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization) for steps to exclude authentication for these endpoints.
## Add Device Health to Microsoft Operations Management Suite
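Review bot: In the added step 2, the link text says "enhanced level of diagnostic data" but the URL still ends in `#basic-level`, so readers are sent to the wrong level description; point it at the enhanced-level anchor. The same link keeps the technet.microsoft.com host while its path was renamed to `configure-windows-diagnostic-data-in-your-organization`, so confirm that the renamed path resolves there or switch it to the site-relative form used in the rest of the line. In the added step 3, the endpoints link contains a double slash (`/windows/configuration//configure-windows-diagnostic-data-in-your-organization#endpoints`); remove the extra slash. These links are how administrators find the endpoints they are asked to allow through the proxy, so they need to resolve.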
@@ -79,7 +79,7 @@ After you have added Device Health and devices have a Commercial ID, you will be
>[!NOTE]
>You can unsubscribe from the Device Health solution if you no longer want to monitor your organization’s devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic.
-## Deploy your Commercial ID to your Windows 10 devices and set the telemetry level
+## Deploy your Commercial ID to your Windows 10 devices and set the diagnostic data level
In order for your devices to show up in Windows Analytics: Device Health, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM).
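Review bot: Renaming this heading from "set the telemetry level" to "set the diagnostic data level" changes the anchor generated from the heading text, so any link that targets the old anchor for this section will stop resolving. Search the repository for links to the old anchor and update them in this change, or note in the description that none exist.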
@@ -114,7 +114,7 @@ If you need further information on Windows Error Reporting (WER) settings, see [
Devices must be able to reach the endpoints specified in the "Device Health prerequisites" section of this topic.
>[!NOTE]
-> If your deployment includes devices running Windows 10 versions prior to Windows 10, version 1703, you must **exclude** *authentication* for the endpoints listed in Step 3 of the "Device Health prerequisites" section of this topic. Windows Error Reporting did not support authenticating proxies until Windows 10, version 1703. (If you need more information about telemetry endpoints and how to manage them, see [Configure Windows telemetry in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-telemetry-in-your-organization).
+> If your deployment includes devices running Windows 10 versions prior to Windows 10, version 1703, you must **exclude** *authentication* for the endpoints listed in Step 3 of the "Device Health prerequisites" section of this topic. Windows Error Reporting did not support authenticating proxies until Windows 10, version 1703. (If you need more information about diagnostic data endpoints and how to manage them, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
If you are using proxy server authentication, it is worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER uploads error reports in the machine context. Both user (typically authenticated) and machine (typically anonymous) contexts require access through proxy servers to the diagnostic endpoints. In Windows 10, version 1703, and later WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access.
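Review bot: The added note line opens a parenthesis at "(If you need more information about diagnostic data endpoints" and never closes it; the sentence ends with the link's own closing parenthesis followed by a period. Either drop the opening parenthesis or add a closing one before the final period. The defect was present in the removed line as well, but the line is being rewritten here, so this is the place to fix it.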
diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md
index 2c35b7f05e..078a95742a 100644
--- a/windows/deployment/update/device-health-monitor.md
+++ b/windows/deployment/update/device-health-monitor.md
@@ -19,7 +19,7 @@ Device Health is the newest Windows Analytics solution that complements the exis
Like Upgrade Readiness and Update Compliance, Device Health is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service that has a flexible servicing subscription based on data usage and retention. This release is free for customers to try and will not incur charges on your OMS workspace for its use. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
-Device Health uses Windows diagnostic data that is part of all Windows 10 devices. If you have already employed Upgrade Readiness or Update Compliance solutions, all you need to do is select Device Health from the OMS solution gallery and add it to your OMS workspace. Device Health requires enhanced telemetry, so you might need to implement this policy if you've not already done so.
+Device Health uses Windows diagnostic data that is part of all Windows 10 devices. If you have already employed Upgrade Readiness or Update Compliance solutions, all you need to do is select Device Health from the OMS solution gallery and add it to your OMS workspace. Device Health requires enhanced diagnostic data, so you might need to implement this policy if you've not already done so.
Device Health provides the following:
@@ -27,7 +27,7 @@ Device Health provides the following:
- Identification of devices that crash frequently, and therefore might need to be rebuilt or replaced
- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes
- Notification of Windows Information Protection misconfigurations that send prompts to end users
-- No need for new complex customized infrastructure, thanks to cloud-connected access using Windows 10 telemetry
+- No need for new complex customized infrastructure, thanks to cloud-connected access using Windows 10 diagnostic data
See the following topics in this guide for detailed information about configuring and using the Device Health solution:
@@ -56,10 +56,10 @@ The Device Health architecture and data flow is summarized by the following five
-**(1)** User computers send telemetry data to a secure Microsoft data center using the Microsoft Data Management Service.
-**(2)** Telemetry data is analyzed by the Microsoft Telemetry Service.
-**(3)** Telemetry data is pushed from the Microsoft Telemetry Service to your OMS workspace.
-**(4)** Telemetry data is available in the Device Health solution.
+**(1)** User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
+**(2)** Diagnostic data is analyzed by the Microsoft Telemetry Service.
+**(3)** Diagnostic data is pushed from the Microsoft Telemetry Service to your OMS workspace.
+**(4)** Diagnostic data is available in the Device Health solution.
**(5)** You are now able to proactively monitor Device Health issues in your environment.
These steps are illustrated in following diagram:
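Review bot: Steps (2) and (3) in the added lines rename "Telemetry data" to "Diagnostic data" but keep "Microsoft Telemetry Service" as the processing component. If that is the service's actual name and is retained on purpose, as with "Connected User Experiences and Telemetry component" elsewhere in this change, say so in the commit description; otherwise the data flow now mixes the old and new terms. The unchanged context line "These steps are illustrated in following diagram" is also missing "the" and could be corrected alongside.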
@@ -67,7 +67,7 @@ These steps are illustrated in following diagram:
[](images/analytics-architecture.png)
>[!NOTE]
->This process assumes that Windows telemetry is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices).
+>This process assumes that Windows diagnostic data is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices).
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index 54719178d3..a9805be280 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -50,4 +50,3 @@ Windows as a service provides a new way to think about building, deploying, and
>Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows.
>With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709).
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=index.md).
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 9a98859652..354ad86c3d 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -24,19 +24,19 @@ Steps are provided in sections that follow the recommended setup process:
Update Compliance has the following requirements:
1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
-2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
-3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the telemetry services](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
+2. The solution requires that Windows 10 diagnostic data is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of diagnostic data](/configuration/configure-windows-diagnostic-data-in-your-organization#basic-level) enabled. To learn more about Windows diagnostic data, see [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
+3. The diagnostic data of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the diagnostic data services](/configuration/configure-windows-diagnostic-data-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on diagnostic data endpoints and summarizes the use of each endpoint:
Service | Endpoint
--- | ---
- Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com settings-win.data.microsoft.com
+ Connected User Experiences and Telemetry component | v10.vortex-win.data.microsoft.com settings-win.data.microsoft.com
Windows Error Reporting | watson.telemetry.microsoft.com
Online Crash Analysis | oca.telemetry.microsoft.com
4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Troublehsoot Windows Defender Antivirus reporting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md) topic for help on ensuring the configuration is correct.
- For endpoints running Windows 10, version 1607 or earlier, [Windows telemetry must also be set to **Enhanced**](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization#enhanced-level), to be compatible with Windows Defender Antivirus.
+ For endpoints running Windows 10, version 1607 or earlier, [Windows diagnostic data must also be set to **Enhanced**](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level), to be compatible with Windows Defender Antivirus.
See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
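Review bot: The two new links in requirements 2 and 3 point at `/configuration/configure-windows-diagnostic-data-in-your-organization#basic-level` and `...#endpoints`, without the `/windows` prefix used by the second link in requirement 2 (`/windows/configuration/configure-windows-diagnostic-data-in-your-organization`). Unless `/configuration/...` is a valid root on the site, these will not resolve, and admins following requirement 3 need that endpoint list to build their outbound allow rules. Suggest the `/windows/configuration/...` form for both. The Enhanced-level link under requirement 4 uses a full `https://docs.microsoft.com/windows/configuration/...` URL, so the hunk now has three link styles for one target article. Since requirement 4 is being touched anyway, its context line still carries the typo "Troublehsoot" and a site-relative link ending in `.md`, unlike the sibling links.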
@@ -74,7 +74,7 @@ If you are not yet using OMS, use the following steps to subscribe to OMS Update

9. Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organization’s devices. More information on the Commercial ID is provided below.
- 
+ 
After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices.
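Review bot: The replacement image reference `images/UC_tile_assessing.PNG` switches to mixed case with an upper-case extension, where the removed one was `images/uc-11.png`. Image paths are matched case-sensitively on many hosts, so confirm the committed file name matches this reference exactly, or rename the file to lower case to stay with the existing `uc-NN.png` convention. The alt text is unchanged, so if the new tile shows a different state than the old sample tile, the alt text should describe it.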
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 30bf291b67..cc368c6633 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -19,7 +19,7 @@ With Windows 10, organizations need to change the way they approach monitoring a
Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/).
-Update Compliance uses the Windows telemetry that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, Windows Defender Antivirus data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution.
+Update Compliance uses the Windows diagnostic data that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, Windows Defender Antivirus data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution.
Update Compliance provides the following:
@@ -28,7 +28,7 @@ Update Compliance provides the following:
- The ability to track protection and threat status for Windows Defender Antivirus-enabled devices
- An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later)
- Powerful built-in [log analytics](https://www.microsoft.com/en-us/cloud-platform/insight-and-analytics?WT.srch=1&WT.mc_id=AID529558_SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=log%20analytics&utm_campaign=Hybrid_Cloud_Management) to create useful custom queries
-- Cloud-connected access utilizing Windows 10 telemetry means no need for new complex, customized infrastructure
+- Cloud-connected access utilizing Windows 10 diagnostic data means no need for new complex, customized infrastructure
See the following topics in this guide for detailed information about configuring and using the Update Compliance solution:
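Review bot: The "log analytics" bullet kept as context in this hunk links to a URL carrying search-campaign parameters (`WT.srch=1`, `WT.mc_id=AID529558_SEM_...`, `utm_source=Bing`, `utm_medium=CPC`, `utm_term`, `utm_campaign`). These look pasted from an ad click-through and attribute every reader's visit to that campaign. Since the list is being edited, suggest trimming the link to the bare `https://www.microsoft.com/en-us/cloud-platform/insight-and-analytics` path.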
@@ -43,10 +43,10 @@ An overview of the processes used by the Update Compliance solution is provided
The Update Compliance architecture and data flow is summarized by the following five-step process:
-**(1)** User computers send telemetry data to a secure Microsoft data center using the Microsoft Data Management Service.
-**(2)** Telemetry data is analyzed by the Update Compliance Data Service.
-**(3)** Telemetry data is pushed from the Update Compliance Data Service to your OMS workspace.
-**(4)** Telemetry data is available in the Update Compliance solution.
+**(1)** User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
+**(2)** Diagnostic data is analyzed by the Update Compliance Data Service.
+**(3)** Diagnostic data is pushed from the Update Compliance Data Service to your OMS workspace.
+**(4)** Diagnostic data is available in the Update Compliance solution.
**(5)** You are able to monitor and troubleshoot Windows updates and Windows Defender AV in your environment.
These steps are illustrated in following diagram:
@@ -54,7 +54,7 @@ These steps are illustrated in following diagram:

>[!NOTE]
->This process assumes that Windows telemetry is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices).
+>This process assumes that Windows diagnostic data is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices).
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index c97cf7439d..fe2d443d21 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -16,7 +16,7 @@ In this section you'll learn how to use Update Compliance to monitor your device
Update Compliance:
-- Uses telemetry gathered from user devices to form an all-up view of Windows 10 devices in your organization.
+- Uses diagnostic data gathered from user devices to form an all-up view of Windows 10 devices in your organization.
- Enables you to maintain a high-level perspective on the progress and status of updates across all devices.
- Provides a workflow that can be used to quickly identify which devices require attention.
- Enables you to track deployment compliance targets for updates.
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 2fda260e22..b6260dbd6d 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -28,7 +28,7 @@ ms.date: 10/13/2017
You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx).
>[!IMPORTANT]
->For Windows Update for Business policies to be honored, the Telemetry level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system telemetry level](https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization#configure-the-operating-system-telemetry-level).
+>For Windows Update for Business policies to be honored, the Diagnostic Data level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic and in [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md).
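Review bot: In the rewritten IMPORTANT note, the link text still promises instructions ("Configure the operating system diagnostic data level"), but the anchor changed from `#configure-the-operating-system-telemetry-level` to `#diagnostic-data-levels`, which by its name is the section describing the levels rather than the one showing how to set them. A device left at **0 (Security)** ignores Windows Update for Business policies, so this link should land on the configuration steps; please confirm the target article's anchor for that section and use it. "Diagnostic Data level" is also capitalized here, while the other files in this change write "diagnostic data" in lower case.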
diff --git a/windows/deployment/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md
index fac66e5243..ad496df8a2 100644
--- a/windows/deployment/update/waas-manage-updates-configuration-manager.md
+++ b/windows/deployment/update/waas-manage-updates-configuration-manager.md
@@ -329,4 +329,3 @@ With the task sequence created, you’re ready to deploy it. If you’re using t
- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Manage device restarts after updates](waas-restart.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=waas-manage-updates-configuration-manager.md).
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index 6fb03fe6d8..11d1c8bbbd 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -355,5 +355,3 @@ Now that you have the All Windows 10 Upgrades view, complete the following steps
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
-
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=waas-manage-updates-wsus.md).
\ No newline at end of file
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index e0d006761b..e26cc352fc 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -121,7 +121,7 @@ Windows Update for Business was first made available in Windows 10, version 1511
## Monitor Windows Updates using Update Compliance
-Update Compliance, now **available in public preview**, provides a holistic view of OS update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This new service uses telemetry data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated.
+Update Compliance, now **available in public preview**, provides a holistic view of OS update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This new service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated.

diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md
index d694f2ff14..6af7a05dfe 100644
--- a/windows/deployment/update/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/update/waas-optimize-windows-10-updates.md
@@ -51,7 +51,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
Windows 10 quality update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
>[!NOTE]
->Currently, Express update delivery only applies to quality update downloads.
+>Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business.
### How Microsoft supports Express
- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or 1607 with the April 2017 cumulative update.
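Review bot: The new note limits Express for feature updates to "clients connected to Windows Update and Windows Update for Business", but the section that follows it, "How Microsoft supports Express", opens with Configuration Manager. A reader who manages updates through Configuration Manager cannot tell from the note whether feature updates there are still full downloads. Suggest saying so explicitly in the note, if that is the case, rather than leaving it to be inferred from the omission.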
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index 5ee65f0ac5..3452191682 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -45,7 +45,7 @@ One of the biggest challenges for organizations when it comes to deploying a new
Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. With Windows 10, application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously. Microsoft understands the challenges organizations experienced when they migrated from the Windows XP operating system to Windows 7 and has been working to make Windows 10 upgrades a much better experience.
-Most Windows 7–compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and telemetry data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10.
+Most Windows 7–compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and diagnostic data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10.
For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. If it’s unclear whether an application is compatible with Windows 10, IT pros can either consult with the ISV or check the supported software directory at [http://www.readyforwindows.com](http://www.readyforwindows.com).
@@ -199,5 +199,4 @@ With all these options, which an organization chooses depends on the resources,
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage device restarts after updates](waas-restart.md)
-
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=waas-overview.md).
\ No newline at end of file
+
\ No newline at end of file
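Review bot: The removed Feedback Hub footer is replaced at the end of the file by a single `+` line with no text, and both sides are marked "\ No newline at end of file", so the file now ends in a stray blank line without a terminating newline. The same footer removal in waas-manage-updates-wsus.md drops the blank line as well. Suggest doing the same here and ending the file with a newline after the last list item.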
diff --git a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md
index 96bec400be..bd9b717522 100644
--- a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md
+++ b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md
@@ -14,7 +14,7 @@ With the release of Upgrade Readiness, enterprises now have the tools to plan an
Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
-With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
+With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
Use Upgrade Readiness to get:
@@ -28,11 +28,11 @@ Use Upgrade Readiness to get:
The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
-**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
+**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see:
-- [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization)
+- [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
- [Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
-- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
+- [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
##**Related topics**
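Review bot: The third link's text is renamed to "Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields" while its target, `https://go.microsoft.com/fwlink/?LinkID=822965`, is unchanged. If the linked document still carries its original title, the link text should keep it so readers recognize what they land on; please check before renaming. The trailing context heading `##**Related topics**` also lacks the space after `##`, which some Markdown renderers require for a heading.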
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
index f67599ce30..16de770ebb 100644
--- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
-ms.date: 01/11/2018
+ms.date: 01/26/2018
ms.localizationpriority: high
---
@@ -16,17 +16,19 @@ ms.localizationpriority: high
**Applies to**
- Windows 10
->**Important**: This topic contains technical instructions for IT administrators. If you are not an IT administrator, see [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/en-us/help/10587/windows-10-get-help-with-upgrade-installation-errors) for more information.
+>**Important**: This topic contains technical instructions for IT administrators. If you are not an IT administrator, see the following topic: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/en-us/help/10587/windows-10-get-help-with-upgrade-installation-errors). You can also [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md).
## In this topic
This topic contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. The following sections and procedures are provided in this guide:
+- [Troubleshooting upgrade errors](#troubleshooting-upgrade-errors): General advice and techniques for troubleshooting Windows 10 upgrade errors.
- [The Windows 10 upgrade process](#the-windows-10-upgrade-process): An explanation of phases used during the upgrade process.
- [Quick fixes](#quick-fixes): Steps you can take to eliminate many Windows upgrade errors.
- [Upgrade error codes](#upgrade-error-codes): The components of an error code are explained.
- [Result codes](#result-codes): Information about result codes.
- [Extend codes](#extend-codes): Information about extend codes.
+- [Windows Error Reporting](#windows-error-reporting): How to use Event Viewer to review details about a Windows 10 upgrade.
- [Log files](#log-files): A list and description of log files useful for troubleshooting.
- [Log entry structure](#log-entry-structure): The format of a log entry is described.
- [Analyze log files](#analyze-log-files): General procedures for log file analysis, and an example.
@@ -36,19 +38,61 @@ This topic contains a brief introduction to Windows 10 installation processes, a
- [Other result codes](#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
- [Other error codes](#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
+## Troubleshooting upgrade errors
+
+If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process.
+
+Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase.
+
+These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered.
+
+1. **Downlevel phase**: Because this phase runs on the source OS, upgrade errors are not typically seen. If you do encounter an error, ensure the source OS is stable. Also ensure the Windows setup source and the destination drive are accessible.
+
+2. **SafeOS phase**: Errors most commonly occur during this phase due to hardware issues, firmware issues, or non-microsoft disk encryption software.
+
+ Since the computer is booted into Windows PE during the SafeOS phase, a useful troubleshooting technique is to boot into [Windows PE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/winpe-intro) using installation media. You can use the [media creation tool](https://www.microsoft.com/software-download/windows10) to create bootable media, or you can use tools such as the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), and then boot your device from this media to test for hardware and firmware compatibility issues.
+
+ **Do not proceed with the Windows 10 installation after booting from this media**. This method can only be used to perform a clean install which will not migrate any of your apps and settings, and you will be required re-enter your Windows 10 license information.
+
+ If the computer does not successfully boot into Windows PE using the media that you created, this is likely due to a hardware or firmware issue. Check with your hardware manufacturer and apply any recommended BIOS and firmware updates. If you are still unable to boot to installation media after applying updates, disconnect or replace legacy hardware.
+
+ If the computer successfully boots into Windows PE, but you are not able to browse the system drive on the computer, it is possible that non-Microsoft disk encryption software is blocking your ability to perform a Windows 10 upgrade. Update or temporarily remove the disk encryption.
+
+3. **First boot phase**: Boot failures in this phase are relatively rare, and almost exclusively caused by device drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, then retry the upgrade.
+
+4. **Second boot phase**: In this phase, the system is running under the target OS with new drivers. Boot failures are most commonly due to anti-virus software or filter drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, temporarily uninstall anti-virus software, then retry the upgrade.
+
+If the general troubleshooting techniques described above or the [quick fixes](#quick-fixes) detailed below do not resolve your issue, you can attempt to analyze [log files](#log-files) and interpret [upgrade error codes](#upgrade-error-codes). You can also [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md) so that Microsoft can diagnose your issue.
+
## The Windows 10 upgrade process
-The Windows Setup application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings. When performing an operating system upgrade, Windows Setup uses the following phases:
+The **Windows Setup** application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings.
-1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Installation components are gathered.
-2. **Safe OS phase**: A recovery partition is configured and updates are installed. An OS rollback is prepared if needed.
- - Example error codes: 0x2000C, 0x20017
-3. **First boot phase**: Initial settings are applied.
- - Example error codes: 0x30018, 0x3000D
-4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**.
- - Example error: 0x4000D, 0x40017
-5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful.
- - Example error: 0x50000
+When performing an operating system upgrade, Windows Setup uses phases described below. A reboot occurs between each of the phases. After the first reboot, the user interface will remain the same until the upgrade is completed. Percent progress is displayed and will advance as you move through each phase, reaching 100% at the end of the second boot phase.
+
+1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered.
+
+ 
+
+2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017.
+
+ 
+
+3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D.
+
+ 
+
+4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017.
+
+ At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed.
+
+ 
+
+ 
+
+ 
+
+5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015.
**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown):
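Review bot: In the new "Troubleshooting upgrade errors" section, the SafeOS step says to "Update or temporarily remove the disk encryption" and the Second boot step says to "temporarily uninstall anti-virus software", but neither step says to restore them afterwards. Suggest adding an explicit instruction to re-enable disk encryption and reinstall anti-virus as soon as the upgrade completes or is abandoned, so devices are not left unprotected. Smaller points in the same hunk: the section states the process "consists of four phases" while the rewritten list below it has five (Uninstall); "non-microsoft" should be "non-Microsoft", as in the later paragraph; "you will be required re-enter" is missing "to"; and the phase is spelled "SafeOS" in the new section but "Safe OS" in the list.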
@@ -58,6 +102,7 @@ DU = Driver/device updates.
OOBE = Out of box experience.
WIM = Windows image (Microsoft)
+
## Quick fixes
The following steps can resolve many Windows upgrade problems.
@@ -69,7 +114,7 @@ The following steps can resolve many Windows upgrade problems.
chkdsk /F
-
Attept to restore and repair system files by typing the following commands at an elevated command prompt. It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/repair-a-windows-image).
+
Attempt to restore and repair system files by typing the following commands at an elevated command prompt. It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/repair-a-windows-image).
DISM.exe /Online /Cleanup-image /Restorehealth
sfc /scannow
@@ -92,34 +137,45 @@ The following steps can resolve many Windows upgrade problems.
If the upgrade process is not successful, Windows Setup will return two codes:
-1. **A result code**: The result code corresponds to a specific Win32 error.
-2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred.
+1. **A result code**: The result code corresponds to a specific Win32 or NTSTATUS error.
+2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred.
>For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**.
Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/en-us/kb/3159635) then only a result code might be returned.
+>[!TIP]
+>If you are unable to locate the result and extend error codes, you can attempt to find these codes using Event Viewer. For more information, see [Windows Error Reporting](#windows-error-reporting).
+
### Result codes
>A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](#resolution-procedures) section later in this topic.
Result codes can be matched to the type of error encountered. To match a result code to an error:
-1. Identify the error code type, either Win32 or NTSTATUS, using the first hexidecimal digit:
- 8 = Win32 error code (ex: 0x**8**0070070)
- C = NTSTATUS value (ex: 0x**C**1900107)
-2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits correspond to the last 16 bits of the [HRESULT](https://msdn.microsoft.com/en-us/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/en-us/library/cc231200.aspx) structure.
-3. Based on the type of error code determined in the first step, match the 4 digits derived from the second step to either a [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx), or an [NTSTATUS value](https://msdn.microsoft.com/en-us/library/cc704588.aspx).
+1. Identify the error code type as either Win32 or NTSTATUS using the first hexadecimal digit:
+ **8** = Win32 error code (ex: 0x**8**0070070)
+ **C** = NTSTATUS value (ex: 0x**C**1900107)
+2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits are the actual error code type as defined in the [HRESULT](https://msdn.microsoft.com/en-us/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/en-us/library/cc231200.aspx) structure. Other digits in the code identify things such as the device type that produced the error.
+3. Based on the type of error code determined in the first step (Win32 or NTSTATUS), match the 4 digits derived from the second step to either a Win32 error code or NTSTATUS value using the following links:
+ - [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx)
+ - [NTSTATUS value](https://msdn.microsoft.com/en-us/library/cc704588.aspx)
-For example:
-- 0x80070070 = Win32 = 0070 = 0x00000070 = ERROR_DISK_FULL
-- 0xC1900107 = NTSTATUS = 0107 = 0x00000107 = STATUS_SOME_NOT_MAPPED
+Examples:
+- 0x80070070
+ - Based on the "8" this is a Win32 error code
+ - The last four digits are 0070, so look up 0x00000070 in the [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx) table
+ - The error is: **ERROR_DISK_FULL**
+- 0xC1900107
+ - Based on the "C" this is an NTSTATUS error code
+ - The last four digits are 0107, so look up 0x00000107 in the [NTSTATUS value](https://msdn.microsoft.com/en-us/library/cc704588.aspx) table
+ - The error is: **STATUS_SOME_NOT_MAPPED**
Some result codes are self-explanatory, whereas others are more generic and require further analysis. In the examples shown above, ERROR_DISK_FULL indicates that the hard drive is full and additional room is needed to complete Windows upgrade. The message STATUS_SOME_NOT_MAPPED is more ambiguous, and means that an action is pending. In this case, the action pending is often the cleanup operation from a previous installation attempt, which can be resolved with a system reboot.
### Extend codes
->Important: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update.
+>**Important**: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update.
Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation:
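Review bot: In the rewritten step 2, "These digits are the actual error code type" reuses "error code type", which step 1 has just defined as the Win32-versus-NTSTATUS classification, so the reader is told the last four digits are the type rather than the code itself. Suggest "These digits are the actual error code as defined in the HRESULT or NTSTATUS structure". The sentence that follows, "Other digits in the code identify things such as the device type that produced the error", is vague next to the linked structure pages, which name those fields (severity and facility); using those terms would let a reader see why 0x8007... is treated as Win32. The second new example ends with "The error is: **STATUS_SOME_NOT_MAPPED**" for a code introduced as an "NTSTATUS error code", while the unchanged paragraph below says it "means that an action is pending", so that lookup is worth confirming before this is published.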
@@ -193,10 +249,50 @@ The following tables provide the corresponding phase and operation for values of
For example: An extend code of **0x4000D**, represents a problem during phase 4 (**0x4**) with data migration (**000D**).
+## Windows Error Reporting
+
+When Windows Setup fails, the result and extend code are recorded as an informational event in the Application log by Windows Error Reporting as event 1001. The event name is **WinSetupDiag02**. You can use Event Viewer to review this event, or you can use Windows PowerShell.
+
+To use Windows PowerShell, type the following commands from an elevated Windows PowerShell prompt:
+
+```
+$events = Get-WinEvent -FilterHashtable @{LogName="Application";ID="1001";Data="WinSetupDiag02"}
+$event = [xml]$events[0].ToXml()
+$event.Event.EventData.Data
+```
+
+To use Event Viewer:
+1. Open Event Viewer and navigate to **Windows Logs\Application**.
+2. Click **Find**, and then search for **winsetupdiag02**.
+3. Double-click the event that is highlighted.
+
+Note: For legacy operating systems, the Event Name was WinSetupDiag01.
+
+Ten parameters are listed in the event:
+
+
+
P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool)
+
P2: Setup Mode (x=default,1=Downlevel,5=Rollback)
+
P3: New OS Architecture (x=default,0=X86,9=AMD64)
+
P4: Install Result (x=default,0=Success,1=Failure,2=Cancel,3=Blocked)
+
P5: Result Error Code (Ex: 0xc1900101)
+
P6: Extend Error Code (Ex: 0x20017)
+
P7: Source OS build (Ex: 9600)
+
P8: Source OS branch (not typically available)
+
P9: New OS build (Ex: 16299}
+
P10: New OS branch (Ex: rs3_release}
+
+
+The event will also contain links to log files that can be used to perform a detailed diagnosis of the error. An example of this event from a successful upgrade is shown below.
+
+
+
## Log files
Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code.
+Note: Also see the [Windows Error Reporting](#windows-error-reporting) section in this document for help locating error codes and log files.
+
The following table describes some log files and how to use them for troubleshooting purposes:
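Review bot: The PowerShell sample in the new Windows Error Reporting section assigns to `$event`, which is a PowerShell automatic variable, and indexes `$events[0]` without checking that Get-WinEvent returned anything, so a reader on a machine with no matching event gets an error instead of an explanation. Suggest a different name such as `$setupEvent` and one sentence on what to expect when no event is found. The filter matches only `Data="WinSetupDiag02"`, yet the note added a few lines later says legacy operating systems used WinSetupDiag01; either mention that the command needs the other name there or move the note next to the command. The fence has no language tag, and P9 and P10 in the parameter list close with a brace instead of a parenthesis ("(Ex: 16299}" and "(Ex: rs3_release}").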
@@ -412,7 +508,7 @@ The device install log is particularly helpful if rollback occurs during the sys
Cause
A driver has caused an illegal operation.
Windows was not able to migrate the driver, resulting in a rollback of the operating system.
- This is a safeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software.
+ This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software.
@@ -515,7 +611,7 @@ Disconnect all peripheral devices that are connected to the system, except for t
Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.
- Typically there is a a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:
+ Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:
1. Make sure you have enough disk space.
2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.
@@ -684,7 +780,7 @@ The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DAT
Mitigation
-[Analyze log files](#analyze-log-files) in order to determine the files or registry entires that are blocking data migration.
+[Analyze log files](#analyze-log-files) in order to determine the files or registry entries that are blocking data migration.
This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory.
@@ -878,8 +974,8 @@ Download and run the media creation tool. See [Download windows 10](https://www.
0x8007007E
-
Occurs when update synchronization fails because you do not have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downlaoded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with System Center Configuration Manager.
-
Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadate before you installed the hotfix.
+
Occurs when update synchronization fails because you do not have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with System Center Configuration Manager.
+
Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix.
Stop the Windows Update service. Sign in as a user with administrative privileges, and then do the following:
@@ -964,5 +1060,3 @@ Alternatively, re-create installation media the [Media Creation Tool](https://ww
[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
-
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=resolve-windows-10-upgrade-errors.md).
\ No newline at end of file
diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md
new file mode 100644
index 0000000000..2118867a21
--- /dev/null
+++ b/windows/deployment/upgrade/submit-errors.md
@@ -0,0 +1,69 @@
+---
+title: Submit Windows 10 upgrade errors using Feedback Hub
+description: Submit Windows 10 upgrade errors for diagnosis using feedback hub
+keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, feedback
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.date: 02/01/2018
+ms.localizationpriority: high
+---
+
+# Submit Windows 10 upgrade errors using Feedback Hub
+
+**Applies to**
+- Windows 10
+
+## In this topic
+
+This topic describes how to submit problems with a Windows 10 upgrade to Microsoft using the Windows 10 Feedback Hub.
+
+## About the Feedback Hub
+
+The Feedback Hub app lets you tell Microsoft about any problems you run in to while using Windows 10 and send suggestions to help us improve your Windows experience. Previously, you could only use the Feedback Hub if you were in the Windows Insider Program. Now anyone can use this tool. You can download the Feedback Hub app from the Microsoft Store [here](https://www.microsoft.com/en-us/store/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0).
+
+The Feedback Hub requires Windows 10 or Windows 10 mobile. If you are having problems upgrading from an older version of Windows to Windows 10, you can use the Feedback Hub to submit this information, but you must collect the log files from the legacy operating system and then attach these files to your feedback using a device that is running Windows 10. If you are upgrading to Windows 10 from a previous verion of Windows 10, the Feedback Hub will collect log files automatically.
+
+## Submit feedback
+
+To submit feedback about a failed Windows 10 upgrade, click the following link: [Feedback Hub](feedback-hub://?referrer=resolveUpgradeErrorsPage&tabid=2&contextid=81&newFeedback=true&feedbackType=2&topic=submit-errors.md)
+
+The Feedback Hub will open.
+
+- Under **Tell us about it**, and then under **Summarize your issue**, type **Upgrade failing**.
+- Under **Give us more detail**, provide additional information about the failed upgrade, such as:
+ - When did the failure occur?
+ - Were there any reboots?
+ - How many times did the system reboot?
+ - How did the upgrade fail?
+ - Were any error codes visible?
+ - Did the computer fail to a blue screen?
+ - Did the computer automatically roll back or did it hang, requiring you to power cycle it before it rolled back?
+- Additional details
+ - What type of security software is installed?
+ - Is the computer up to date with latest drivers and firmware?
+ - Are there any external devices connected?
+- If you used the link above, the category and subcategory will be automatically selected. If it is not selected, choose **Install and Update** and **Windows Installation**.
+
+You can attach a screenshot or file if desired. This is optional.
+
+Click **Submit** to send your feedback.
+
+See the following example:
+
+
+
+After you click Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue. You can check on your feedback periodically to see what solutions have been provided.
+
+## Link to your feedback
+
+After your feedback is submitted, you can email or post links to it by opening the Feedback Hub, clicking My feedback at the top, clicking the feedback item you submitted, clicking **Share**, then copying the short link that is displayed.
+
+
+
+## Related topics
+
+[Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx)
+
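Review bot: The new topic has a typo in the second paragraph of "About the Feedback Hub": "previous verion of Windows 10" should be "previous version of Windows 10", and "run in to" in the first paragraph should be "run into". The front matter description says "feedback hub" in lowercase while the title and body use "Feedback Hub". In "Submit feedback", the first bullet "Under **Tell us about it**, and then under **Summarize your issue**, type ..." reads as if a step is missing before "and then", and in "Link to your feedback" the label "My feedback" is not bold although **Share** in the same sentence is. The "[here]" link text in the first paragraph would be clearer as the name of the destination.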
diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-readiness.md b/windows/deployment/upgrade/troubleshoot-upgrade-readiness.md
index bb097f89bb..a837d861dc 100644
--- a/windows/deployment/upgrade/troubleshoot-upgrade-readiness.md
+++ b/windows/deployment/upgrade/troubleshoot-upgrade-readiness.md
@@ -24,16 +24,16 @@ If you still don’t see data in Upgrade Readiness, follow these steps:
## Disable Upgrade Readiness
-If you want to stop using Upgrade Readiness and stop sending telemetry data to Microsoft, follow these steps:
+If you want to stop using Upgrade Readiness and stop sending diagnostic data data to Microsoft, follow these steps:
1. Unsubscribe from the Upgrade Readiness solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option.

-2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the telemetry level to **Security**:
+2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the diagnostic data level to **Security**:
**Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*
- **Windows 10**: Follow the instructions in the [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#enterprise-management) topic.
+ **Windows 10**: Follow the instructions in the [Configure Windows diagnostic data in your organization](/configuration/configure-windows-diagnostic-data-in-your-organization.md) topic.
3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*.
4. You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". **This is an optional step**.
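Review bot: The replacement line under "Disable Upgrade Readiness" now reads "stop sending diagnostic data data to Microsoft", with "data" doubled by the telemetry-to-diagnostic-data substitution; drop one. The new Windows 10 link target, "/configuration/configure-windows-diagnostic-data-in-your-organization.md", also differs from the form used for the same topic in upgrade-readiness-architecture.md in this same change ("/windows/configuration/configure-windows-diagnostic-data-in-your-organization"), so one of the two probably does not resolve; pick one form and use it in both files. Step 1 still sends the reader to **Windows Telemetry** in the OMS portal, which is correct only if that remains the label in the UI.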
diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
index 70e29d0699..5c45338c1d 100644
--- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
+++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
@@ -18,7 +18,7 @@ This topic provides information on additional features that are available in Upg
The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data.
> [!NOTE]
-> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, data will be collected on all sites visited by Microsoft Edge on computers running Windows 10 version 1803 (including Insider Preview builds) or newer. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
+> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, data will be collected on all sites visited by Microsoft Edge on computers running Windows 10 version 1803 (including Insider Preview builds) or newer. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
### Install prerequisite security update for Internet Explorer
@@ -27,7 +27,7 @@ Ensure the following prerequisites are met before using site discovery:
1. Install the prerequisite KBs to add Site Discovery support and the latest fixes from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/home.aspx). Install the following:
- For Windows 7 and Windows 8.1 - March, 2017 (or later) Security Monthly Rollup
- For Windows 10 - Cumulative Update for Windows 10 Version 1607 (KB4015217) (or later)
-2. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) to allow Internet Explorer data collection before you run it. In addition, to enable Site Discovery on Windows 10 you must set computers to the **Enhanced Telemetry Level** for the Feedback and Diagnostics setting (Privacy > Feedback & Diagnostics settings), and enable **Page Prediction within Internet Explorer 11**.
+2. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) to allow Internet Explorer data collection before you run it. In addition, to enable Site Discovery on Windows 10 you must set computers to the **Enhanced** diagnostic data level for the Feedback and Diagnostics setting (Privacy > Feedback & Diagnostics settings), and enable **Page Prediction within Internet Explorer 11**.
If you do not plan to use the Upgrade Readiness deployment script to enable Site discovery, you must create the following registry entry.
diff --git a/windows/deployment/upgrade/upgrade-readiness-architecture.md b/windows/deployment/upgrade/upgrade-readiness-architecture.md
index a37441da3e..fd7e2605ab 100644
--- a/windows/deployment/upgrade/upgrade-readiness-architecture.md
+++ b/windows/deployment/upgrade/upgrade-readiness-architecture.md
@@ -8,7 +8,7 @@ ms.date: 04/25/2017
# Upgrade Readiness architecture
-Microsoft analyzes system, application, and driver telemetry data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Readiness components work together in a typical installation.
+Microsoft analyzes system, application, and driver diagnostic data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Readiness components work together in a typical installation.
@@ -47,13 +47,13 @@ Important: You can use either a Microsoft Account or a Work or School account to
Upgrade Readiness can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics).
-## Telemetry and data sharing
+## Diagnostic data and data sharing
After you’ve signed in to Operations Management Suite and added the Upgrade Readiness solution to your workspace, you’ll need to complete the following tasks to allow user computer data to be shared with and assessed by Upgrade Readiness.
-See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) for more information about what user computer data Upgrade Readiness collects and assesses. See [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization) for more information about how Microsoft uses Windows telemetry data.
+See [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) for more information about what user computer data Upgrade Readiness collects and assesses. See [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization) for more information about how Microsoft uses Windows diagnostic data.
-**Whitelist telemetry endpoints.** To enable telemetry data to be sent to Microsoft, you’ll need to whitelist the following Microsoft telemetry endpoints on your proxy server or firewall. You may need to get approval from your security group to do this.
+**Whitelist diagnostic data endpoints.** To enable diagnostic data to be sent to Microsoft, you’ll need to whitelist the following Microsoft endpoints on your proxy server or firewall. You may need to get approval from your security group to do this.
`https://v10.vortex-win.data.microsoft.com/collect/v1`
`https://vortex-win.data.microsoft.com/health/keepalive`
@@ -68,7 +68,7 @@ See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields
**Subscribe your OMS workspace to Upgrade Readiness.** For Upgrade Readiness to receive and display upgrade readiness data from Microsoft, you’ll need to subscribe your OMS workspace to Upgrade Readiness.
-**Enable telemetry and connect data sources.** To allow Upgrade Readiness to collect system, application, and driver data and assess your organization’s upgrade readiness, communication must be established between Upgrade Readiness and user computers. You’ll need to connect Upgrade Readiness to your data sources and enable telemetry to establish communication.
+**Enable diagnostic data and connect data sources.** To allow Upgrade Readiness to collect system, application, and driver data and assess your organization’s upgrade readiness, communication must be established between Upgrade Readiness and user computers. You’ll need to connect Upgrade Readiness to your data sources and enable diagnostic data to establish communication.
**Deploy compatibility update and related KBs.** The compatibility update KB scans your systems and enables application usage tracking. If you don’t already have this KB installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
@@ -82,7 +82,7 @@ Before you get started configuring Upgrade Anatlyics, review the following tips
**Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises.
-**In-region data storage requirements.** Windows telemetry data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. We’re adding support for additional regions and we’ll update this information when new international regions are supported.
+**In-region data storage requirements.** Windows diagnostic data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. We’re adding support for additional regions and we’ll update this information when new international regions are supported.
### Tips
diff --git a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
index b75afc225b..58ffa25e69 100644
--- a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
+++ b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
@@ -141,7 +141,7 @@ Applications and drivers that are meet certain criteria to be considered low ris
The first row reports the number of your apps that have an official statement of support on Windows 10 from the software vendor, so you can be confident that they will work on your target operating system.
-The second row (**Apps that are "Highly adopted"**) shows apps that have a ReadyForWindows status of "Highly adopted". This means that they have been installed on at least 100,000 commercial Windows 10 devices, and that Microsoft has not detected significant issues with the app in telemetry. Since these apps are prevalent in the ecosystem at large, you can be confident that they will work in your environment as well.
+The second row (**Apps that are "Highly adopted"**) shows apps that have a ReadyForWindows status of "Highly adopted". This means that they have been installed on at least 100,000 commercial Windows 10 devices, and that Microsoft has not detected significant issues with the app in diagnostic data. Since these apps are prevalent in the ecosystem at large, you can be confident that they will work in your environment as well.
Each row of the blade uses a different criterion to filter your apps or drivers. You can view a list of applications that meet the criterion by clicking into a row of the blade. For example, if you click the row that says "Apps that are 'Highly adopted'", the result is a list of apps that have a ReadyForWindows status of "Highly adopted". From here, you can bulk-select the results, select **Ready to upgrade**, and then click **Save**. This will mark all apps meeting the "Highly adopted" criterion as "Ready to upgrade"--no further validation is required. Any applications that you have marked as *Mission critical* or *Business critical* are filtered out, as well as any app that has an issue known to Microsoft. This allows you to work with apps in bulk without having to worry about missing a critical app.
diff --git a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
index 15cd2c2bf3..d74712221f 100644
--- a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
+++ b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
@@ -54,7 +54,7 @@ Select **Total computers** for a list of computers and details about them, inclu
- Computer model
- Operating system version and build
- Count of system requirement, application, and driver issues per computer
-- Upgrade assessment based on analysis of computer telemetry data
+- Upgrade assessment based on analysis of computer diagnostic data
- Upgrade decision status
Select **Total applications** for a list of applications discovered on user computers and details about them, including:
diff --git a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
index 8b8805f491..f0f332312c 100644
--- a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
+++ b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
@@ -10,7 +10,7 @@ ms.date: 08/30/2017
You can use Upgrade Readiness to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Readiness enables you to deploy Windows with confidence, knowing that you’ve addressed potential blocking issues.
-- Based on telemetry data from user computers, Upgrade Readiness identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness.
+- Based on diagnostic data from user computers, Upgrade Readiness identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness.
- Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them.
When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks.
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index 216a6f5003..359c1cb9bc 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -8,7 +8,7 @@ ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mobile
author: greg-lindsay
-ms.date: 10/17/2017
+ms.date: 01/18/2018
---
# Windows 10 edition upgrade
@@ -41,7 +41,7 @@ X = unsupported
-->
| Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store |
-|-----------------| ------------------------------------ | ---- ----------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |
+|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |
| **Home > Pro** |  |  |  |  |  |  |
| **Home > Pro for Workstations** |  |  |  |  |  |  |
| **Home > Pro Education** |  |  |  |  |  |  |
@@ -63,7 +63,7 @@ X = unsupported
| **Mobile > Mobile Enterprise** |  | |  |  |  |  |
> [!NOTE]
-> Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods.
+> Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods.
## Upgrade using mobile device management (MDM)
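Review bot: The rewritten NOTE mixes terms: its first and third sentences now say "SKU", but the middle sentence still begins "These editions have had media-related functionality removed", and the table it refers to is headed "Edition upgrade". Either keep "edition" throughout or change the middle sentence to "These SKUs" so the note reads consistently. The same wording choice applies to the N/KN note in windows-10-upgrade-paths.md in this commit.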
@@ -114,4 +114,4 @@ If you do not have a product key, you can upgrade your edition of Windows 10 th
**Note** If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/).
-
\ No newline at end of file
+
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index 8ea5f17517..4ac4288fcb 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -7,7 +7,7 @@ ms.sitesec: library
ms.localizationpriority: high
ms.pagetype: mobile
author: greg-lindsay
-ms.date: 10/16/2017
+ms.date: 01/18/2018
---
# Windows 10 upgrade paths
@@ -22,7 +22,7 @@ This topic provides a summary of available upgrade paths to Windows 10. You can
>**Windows 10 LTSB**: The upgrade paths displayed below do not apply to Windows 10 LTSB. In-place upgrade from Windows 7 or Windows 8.1 to Windows 10 LTSB is not supported. (Note that Windows 10 LTSB 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSB 2016 release, which will now only allow data-only and clean install options.)
->**Windows N/KN**: Windows "N" and "KN" editions follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
+>**Windows N/KN**: Windows "N" and "KN" SKUs follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
✔ = Full upgrade is supported including personal data, settings, and applications.
D = Edition downgrade; personal data is maintained, applications and settings are removed.
@@ -338,8 +338,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-upgrade-paths.md).
-
diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md
index 606126289a..d07f18d62b 100644
--- a/windows/deployment/usmt/usmt-overview.md
+++ b/windows/deployment/usmt/usmt-overview.md
@@ -47,9 +47,6 @@ There are some scenarios in which the use of USMT is not recommended. These incl
## Related topics
- [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=usmt-overview.md).
-
-
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index 6e860e2cc2..1560a368a5 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -139,4 +139,4 @@ For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KM
## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=activate-using-key-management-service-vamt.md).
+
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 5fcff300eb..bab7d12f57 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -269,5 +269,3 @@ The deployment process for the replace scenario is as follows:
- [Windows setup technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619357)
- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=619358)
- [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619359)
-
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-deployment-scenarios.md).
\ No newline at end of file
diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md
index eaa780ed07..b9b4727e55 100644
--- a/windows/deployment/windows-10-deployment-tools.md
+++ b/windows/deployment/windows-10-deployment-tools.md
@@ -22,5 +22,3 @@ Learn about the tools available to deploy Windows 10.
|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals |
-
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-deployment-tools.md).
\ No newline at end of file
diff --git a/windows/deployment/windows-10-deployment-workflow.md b/windows/deployment/windows-10-deployment-workflow.md
index 51797cdd0a..5ac7695ecb 100644
--- a/windows/deployment/windows-10-deployment-workflow.md
+++ b/windows/deployment/windows-10-deployment-workflow.md
@@ -12,6 +12,3 @@ ms.date: 12/4/2017
# Windows 10 deployment workflow
-
-
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-deployment-tools.md).
\ No newline at end of file
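Review bot: With the footer removed, the only content this hunk leaves after the front matter is the `# Windows 10 deployment workflow` heading (new range `+12,3`), so the topic appears to publish as an empty page. The deleted link also carried `topic=windows-10-deployment-tools.md`, which suggests the file was copied from the tools topic. Either add the workflow content in this change or drop the stub from the TOC until it exists.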
diff --git a/windows/deployment/windows-autopilot/windows-10-autopilot.md b/windows/deployment/windows-autopilot/windows-10-autopilot.md
index fc800da02b..86055c3cf1 100644
--- a/windows/deployment/windows-autopilot/windows-10-autopilot.md
+++ b/windows/deployment/windows-autopilot/windows-10-autopilot.md
@@ -77,7 +77,7 @@ Once devices are registered, these are the OOBE customization options available
* Skipping Work or Home usage selection (*Automatic*)
* Skipping OEM registration, OneDrive and Cortana (*Automatic*)
* Skipping privacy settings
-* Skipping EULA (*staring with Windows 10, version 1709*)
+* Skipping EULA (*starting with Windows 10, version 1709*)
* Preventing the account used to set-up the device from getting local administrator permissions
For guidance on how to register devices, configure and apply deployment profiles, follow one of the available administration options:
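Review bot: On the context line right below the corrected bullet, "set-up" is used as a verb ("the account used to set-up the device"); it should read "set up". It is worth fixing in the same pass as the "staring" typo, since both are in this list.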
@@ -129,5 +129,3 @@ If you are planning to configure devices with traditional on-premises or cloud-b
If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](http://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details.
-
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-auto-pilot.md).
diff --git a/windows/device-security/TOC.md b/windows/device-security/TOC.md
index 13af847a45..5bfecea364 100644
--- a/windows/device-security/TOC.md
+++ b/windows/device-security/TOC.md
@@ -112,14 +112,14 @@
## [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
## [Device Guard deployment guide](device-guard/device-guard-deployment-guide.md)
-### [Introduction to Device Guard: virtualization-based security and code integrity policies](device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+### [Introduction to Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
### [Requirements and deployment planning guidelines for Device Guard](device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md)
### [Planning and getting started on the Device Guard deployment process](device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md)
-### [Deploy Device Guard: deploy code integrity policies](device-guard/deploy-device-guard-deploy-code-integrity-policies.md)
-#### [Optional: Create a code signing certificate for code integrity policies](device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md)
-#### [Deploy code integrity policies: policy rules and file rules](device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md)
-#### [Deploy code integrity policies: steps](device-guard/deploy-code-integrity-policies-steps.md)
-#### [Deploy catalog files to support code integrity policies](device-guard/deploy-catalog-files-to-support-code-integrity-policies.md)
+### [Deploy WDAC](device-guard/deploy-windows-defender-application-control.md)
+#### [Optional: Create a code signing certificate for WDAC](device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md)
+#### [Deploy WDAC: policy rules and file rules](device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md)
+#### [Steps to deploy WDAC](device-guard/steps-to-deploy-windows-defender-application-control.md)
+#### [Deploy catalog files to support WDAC](device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md)
#### [Deploy Managed Installer for Device Guard](device-guard/deploy-managed-installer-for-device-guard.md)
### [Deploy Device Guard: enable virtualization-based security](device-guard/deploy-device-guard-enable-virtualization-based-security.md)
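Review bot: The new TOC titles use the bare abbreviation "WDAC" ("Deploy WDAC", "Steps to deploy WDAC"), while the topics themselves are referred to by the full name, for example "Deploy Windows Defender Application Control" in the related-topics list updated later in this commit. Spell the name out at least in the first entry, "Introduction to Device Guard: virtualization-based security and WDAC", so the abbreviation is introduced in the navigation. All five link targets also change file name here; confirm each old `*-code-integrity-policies*.md` path has a redirect, since none is visible in this hunk.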
diff --git a/windows/device-security/applocker/applocker-overview.md b/windows/device-security/applocker/applocker-overview.md
index 3e7f222457..1af9eefb4c 100644
--- a/windows/device-security/applocker/applocker-overview.md
+++ b/windows/device-security/applocker/applocker-overview.md
@@ -136,4 +136,3 @@ For reference in your security planning, the following table identifies the base
| [AppLocker deployment guide](applocker-policies-deployment-guide.md) | This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. |
| [AppLocker technical reference](applocker-technical-reference.md) | This overview topic for IT professionals provides links to the topics in the technical reference. |
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=applocker-overview.md).
\ No newline at end of file
diff --git a/windows/device-security/applocker/understanding-applocker-rule-exceptions.md b/windows/device-security/applocker/understanding-applocker-rule-exceptions.md
index bd2a39dec4..c7817633da 100644
--- a/windows/device-security/applocker/understanding-applocker-rule-exceptions.md
+++ b/windows/device-security/applocker/understanding-applocker-rule-exceptions.md
@@ -20,7 +20,9 @@ This topic describes the result of applying AppLocker rule exceptions to rule co
You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset.
-For example, the rule "Allow Everyone to run Windows except Registry Editor" allows everyone in the organization to run Windows but does not allow anyone to run Registry Editor. The effect of this rule would prevent users such as help desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor." If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Helpdesk user group to run Registry Editor.
+For example, the rule "Allow Everyone to run Windows except Registry Editor" allows Everyone to run Windows binaries, but does not allow anyone to run Registry Editor (by adding %WINDIR%\regedit.exe as a Path Exception of the rule).
+The effect of this rule would prevent users such as Helpdesk personnel from running the Registry Editor, a program that is necessary for their support tasks.
+To resolve this problem, create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor" and add %WINDIR%\regedit.exe as an allowed path. If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Helpdesk user group to run Registry Editor.
## Related topics
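Review bot: In the three added lines the path `%WINDIR%\regedit.exe` is written as plain text twice; put it in backticks so the backslash and percent signs render literally and the value is clearly something to enter in the rule. The third added line also carries two separate points, the Helpdesk allow rule and the warning that an explicit deny rule overrides it. Split the deny-rule sentence into its own paragraph so readers do not miss that an exception on an allow rule can be offset by a second allow rule, whereas a deny rule cannot.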
diff --git a/windows/device-security/bitlocker/bitlocker-basic-deployment.md b/windows/device-security/bitlocker/bitlocker-basic-deployment.md
index aff7061622..9a2d09f6a4 100644
--- a/windows/device-security/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/device-security/bitlocker/bitlocker-basic-deployment.md
@@ -182,8 +182,9 @@ Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Window
-
-### Encrypting volumes using the manage-bde command line interface
+
+
+## Encrypting volumes using the manage-bde command line interface
Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](http://technet.microsoft.com/library/ff829849.aspx).
Manage-bde offers a multitude of wider options for configuring BitLocker. This means that using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected.
@@ -240,9 +241,8 @@ A common protector for a data volume is the password protector. In the example b
manage-bde -protectors -add -pw C:
manage-bde -on C:
```
-## Using manage-bde to encrypt volumes with BitLocker
-### Encrypting volumes using the BitLocker Windows PowerShell cmdlets
+## Encrypting volumes using the BitLocker Windows PowerShell cmdlets
Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets.
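Review bot: Deleting `## Using manage-bde to encrypt volumes with BitLocker` and promoting the PowerShell heading from `###` to `##` changes the page outline and removes a heading anchor. The removed heading sat after the manage-bde examples rather than before them, so dropping it is reasonable, but check that nothing links to its anchor. The same applies to `## Using PowerShell to encrypt volumes with BitLocker`, removed in the next hunk.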
@@ -442,9 +442,7 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "
```
> **Note:** Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
-## Using PowerShell to encrypt volumes with BitLocker
-
-### Checking BitLocker status
+## Checking BitLocker status
To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section.
@@ -523,7 +521,7 @@ Decryption with Windows PowerShell cmdlets is straightforward, similar to manage
Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for additional commands. An example of this command is:
``` syntax
-DisableBitLocker
+Disable-BitLocker
```
If a user did not want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is:
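Review bot: The corrected example is still just `Disable-BitLocker` with no volume, while the sentence right after the block talks about passing several mount points through `-MountPoint`. Show the single-volume form with an explicit `-MountPoint` value so the example identifies which volume is being decrypted and the array variant that follows reads as an extension of it.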
diff --git a/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md b/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md
index f5b8556426..b56af7542a 100644
--- a/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md
+++ b/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md
@@ -30,8 +30,6 @@ BitLocker is a data protection feature that encrypts the hard drives on your com
- [BitLocker Network Unlock](#bkmk-bnusect)
- [Other questions](#bkmk-other)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=bitlocker-frequently-asked-questions.md).
-
## Overview and requirements
### How does BitLocker work?
diff --git a/windows/device-security/bitlocker/bitlocker-group-policy-settings.md b/windows/device-security/bitlocker/bitlocker-group-policy-settings.md
index 3982df4fb6..41f2b07751 100644
--- a/windows/device-security/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/device-security/bitlocker/bitlocker-group-policy-settings.md
@@ -1856,7 +1856,7 @@ This policy controls how BitLocker-enabled system volumes are handled in conjunc
Conflicts
-
If the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting is enabled and PCR 7 is omitted, BitLocker is prevented from using Secure Boot for platform or BCD integrity validation.
+
If you enable **Allow Secure Boot for integrity validation**, make sure the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting is not enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.
For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.
diff --git a/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock.md
index 247cea5fb2..7ed9c2166c 100644
--- a/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -260,7 +260,7 @@ After adding the Network Unlock template to the Certification Authority, this ce
By default, all clients with the correct Network Unlock Certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which subnet(s) Network Unlock clients can use to unlock.
-The configuration file, called bde-network-unlock.ini, must be located in the same directory as the Network Unlock provider DLL and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider will fail and stop responding to requests.
+The configuration file, called bde-network-unlock.ini, must be located in the same directory as the Network Unlock provider DLL (%windir%\System32\Nkpprov.dll) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider will fail and stop responding to requests.
The subnet policy configuration file must use a “\[SUBNETS\]” section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equals sign, and the subnet identified on the right of the equal sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word “ENABLED” is disallowed for subnet names.
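Review bot: The added path `%windir%\System32\Nkpprov.dll` is plain text inside the parentheses; format it, and the file name bde-network-unlock.ini in the same sentence, as code so the backslashes render reliably. The casing also differs from the `%WINDIR%` used in the AppLocker change in this same commit; pick one. Since the sentence goes on to say that a corrupted policy file makes the provider stop responding, it would help to state outright that the .ini therefore belongs in `%windir%\System32`, rather than leaving the reader to infer it from the DLL path.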
@@ -335,6 +335,7 @@ Files to gather when troubleshooting BitLocker Network Unlock include:
## Configure Network Unlock Group Policy settings on earlier versions
Network Unlock and the accompanying Group Policy settings were introduced in Windows Server 2012 but can be deployed using operating systems running Windows Server 2008 R2 and Windows Server 2008.
+
**Requirements**
- The server hosting WDS must be running any of the server operating systems designated in the **Applies To** list at the beginning of this topic.
diff --git a/windows/device-security/bitlocker/bitlocker-overview.md b/windows/device-security/bitlocker/bitlocker-overview.md
index 0448f42948..37b3f8e0ef 100644
--- a/windows/device-security/bitlocker/bitlocker-overview.md
+++ b/windows/device-security/bitlocker/bitlocker-overview.md
@@ -83,4 +83,4 @@ When installing the BitLocker optional component on a server you will also need
| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.|
| [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic covers how to use BitLocker with Windows 10 IoT Core |
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=bitlocker-overview.md).
+
diff --git a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md b/windows/device-security/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md
similarity index 95%
rename from windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md
rename to windows/device-security/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md
index 3c9fd5f347..1cdb8061a7 100644
--- a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md
+++ b/windows/device-security/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -29,7 +29,7 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
1. Be sure that a WDAC policy is currently deployed in audit mode on the computer on which you will run Package Inspector.
- Package Inspector does not always detect temporary installation files that are added and then removed from the computer during the installation process. To ensure that these binaries are also included in your catalog file, deploy a WDAC policy in audit mode. You can use the WDAC policy that you created and audited in [Create a Windows Defender Application Control policy from a reference computer](deploy-code-integrity-policies-steps.md#create-a-windows-defender-application-control-policy-from-a-reference-computer) and [Audit Windows Defender Application Control policies](deploy-code-integrity-policies-steps.md#audit-windows-defender-application-control-policies).
+ Package Inspector does not always detect temporary installation files that are added and then removed from the computer during the installation process. To ensure that these binaries are also included in your catalog file, deploy a WDAC policy in audit mode. You can use the WDAC policy that you created and audited in [Create a Windows Defender Application Control policy from a reference computer](steps-to-deploy-windows-defender-application-control.md#create-a-windows-defender-application-control-policy-from-a-reference-computer) and [Audit Windows Defender Application Control policies](steps-to-deploy-windows-defender-application-control.md#audit-windows-defender-application-control-policies).
> **Note** This process should **not** be performed on a system with an enforced Windows Defender Application Control policy, only with a policy in audit mode. If a policy is currently being enforced, you will not be able to install and run the application unless the policy already allows it.
@@ -108,7 +108,7 @@ In this section, you sign a catalog file you generated by using PackageInspector
- An internal certification authority (CA) code signing certificate or purchased code signing certificate
-If you do not have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) for a walkthrough of how to create one. That topic uses an example certificate name of **ContosoDGSigningCert**, and the procedure that follows uses that example certificate name to sign the catalog file that you created in [Create catalog files](#create-catalog-files), earlier in this topic. If you are using an alternate certificate or catalog file, update the following steps with the appropriate variables and certificate.
+If you do not have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md) for a walkthrough of how to create one. That topic uses an example certificate name of **ContosoDGSigningCert**, and the procedure that follows uses that example certificate name to sign the catalog file that you created in [Create catalog files](#create-catalog-files), earlier in this topic. If you are using an alternate certificate or catalog file, update the following steps with the appropriate variables and certificate.
To sign the existing catalog file, copy each of the following commands into an elevated Windows PowerShell session.
@@ -120,7 +120,7 @@ To sign the existing catalog file, copy each of the following commands into an e
> **Note** This example specifies the catalog file you created in the [Create catalog files](#create-catalog-files) section. If you are signing another catalog file, update the *$ExamplePath* and *$CatFileName* variables with the correct information.
-2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user’s personal store. This example uses the certificate name from [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).
+2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user’s personal store. This example uses the certificate name from [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md).
3. Sign the catalog file with Signtool.exe:
@@ -156,7 +156,7 @@ After the catalog file is signed, add the signing certificate to a WDAC policy,
` Add-SignerRule -FilePath -CertificatePath -User `
-If you used step 2 to create a new WDAC policy, and want information about merging policies together, see [Merge Windows Defender Application Control policies](deploy-code-integrity-policies-steps.md#merge-windows-defender-application-control-policies).
+If you used step 2 to create a new WDAC policy, and want information about merging policies together, see [Merge Windows Defender Application Control policies](steps-to-deploy-windows-defender-application-control.md#merge-windows-defender-application-control-policies).
## Deploy catalog files with Group Policy
@@ -338,9 +338,9 @@ At the time of the next software inventory cycle, when the targeted clients rece
## Related topics
-- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
-- [Deploy Windows Defender Application Control](deploy-device-guard-deploy-code-integrity-policies.md)
+- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
diff --git a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md b/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md
index 524725b8f7..ab3baf28eb 100644
--- a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md
+++ b/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md
@@ -70,7 +70,7 @@ If you don't want to use the [hardware readiness tool](https://www.microsoft.com
5. Select the **Enabled** button. For **Select Platform Security Level**:
- **Secure Boot** provides as much protection as a computer’s hardware can support. If the computer does not have input/output memory management units (IOMMUs), enable **Secure Boot**.
- - **Secure Boot with DMA** enables Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can have WDAC enabled. For information about how VBS uses the hypervisor to strengthen protections provided by WDAC, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
+ - **Secure Boot with DMA** enables Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can have WDAC enabled. For information about how VBS uses the hypervisor to strengthen protections provided by WDAC, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats).
For **Virtualization Based Protection of Code Integrity**:
@@ -93,7 +93,7 @@ Set the following registry keys to enable HVCI. This provides exactly the same s
> [!IMPORTANT]
-> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled. In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled. For information about how VBS uses the hypervisor to strengthen protections provided by WDAC, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
+> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled. In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled. For information about how VBS uses the hypervisor to strengthen protections provided by WDAC, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats).
> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
#### For Windows 1607 and above
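Review bot: The first bullet of this IMPORTANT note repeats, nearly word for word, the **Secure Boot with DMA** explanation in step 5 of the Group Policy procedure (previous hunk), which is why the same link had to be fixed twice in this file. Consider keeping the full explanation in one place and pointing to it from the other, so the two copies cannot drift on the next rename. Separately, the heading `#### For Windows 1607 and above` should read "Windows 10, version 1607" to match the version naming used in the other topics in this change.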
@@ -289,6 +289,6 @@ Figure 6. Windows Defender Device Guard properties in the System Summary
## Related topics
-- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-- [Deploy Windows Defender Application Control](deploy-device-guard-deploy-code-integrity-policies.md)
+- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
diff --git a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md
index ef1f576075..c3cefa3e19 100644
--- a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md
+++ b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md
@@ -29,7 +29,7 @@ If there are no deny rules present for the file, it will be authorized based on
> Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be deployed through a managed installer.
>
> Examples of WDAC policies available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies help authorize Windows OS components, WHQL signed drivers and all Store apps.
-> Admins can reference and customize them as needed for their Windows Defender Application Control deployment or create a custom WDAC policy as described in [Deploy Windows Defender Application Control: steps](deploy-code-integrity-policies-steps.md#create-a-windows-defender-application-control-policy-from-a-reference-computer).
+> Admins can reference and customize them as needed for their Windows Defender Application Control deployment or create a custom WDAC policy as described in [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md#create-a-windows-defender-application-control-policy-from-a-reference-computer).
## Configuring a managed installer with AppLocker and Windows Defender Application Control
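Review bot: Grammar on the first line of the note this hunk touches: "Admins needs to ensure" should be "Admins need to ensure". It is worth fixing in the same pass, because this note carries the main operational caveat for managed installer: a WDAC policy must already be in place to let the system boot and run authorized applications that are not deployed through the managed installer.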
diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md b/windows/device-security/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md
similarity index 96%
rename from windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md
rename to windows/device-security/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md
index 4dc169b2f3..3b2d35881e 100644
--- a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md
+++ b/windows/device-security/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md
@@ -16,10 +16,10 @@ ms.date: 10/20/2017
- Windows Server 2016
Windows Defender Application Control (WDAC) provides control over a computer running Windows 10 by specifying whether a driver or application is trusted and can be run. For an overview of WDAC, see:
-- [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats) in "Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control."
+- [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats) in "Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control."
- [Windows Defender Application Control policy formats and signing](requirements-and-deployment-planning-guidelines-for-device-guard.md#windows-defender-application-control-policy-formats-and-signing) in "Requirements and deployment planning guidelines for Windows Defender Device Guard."
-If you already understand the basics of WDAC and want procedures for creating, auditing, and merging WDAC policies, see [Deploy Windows Defender Application Control: steps](deploy-code-integrity-policies-steps.md).
+If you already understand the basics of WDAC and want procedures for creating, auditing, and merging WDAC policies, see [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md).
This topic includes the following sections:
@@ -36,7 +36,7 @@ A common system imaging practice in today’s IT organization is to establish a
Optionally, WDAC can align with your software catalog as well as any IT department–approved applications. One straightforward method to implement WDAC is to use existing images to create one master WDAC policy. You do so by creating a WDAC policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed.
-If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).
+If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md).
## Windows Defender Application Control policy rules
@@ -120,5 +120,5 @@ They could also choose to create a catalog that captures information about the u
## Related topics
-- [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats)
-- [Deploy Windows Defender Application Control: steps](deploy-code-integrity-policies-steps.md)
+- [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats)
+- [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md)
diff --git a/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md b/windows/device-security/device-guard/deploy-windows-defender-application-control.md
similarity index 80%
rename from windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md
rename to windows/device-security/device-guard/deploy-windows-defender-application-control.md
index 73677dec64..8becbe0a0e 100644
--- a/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md
+++ b/windows/device-security/device-guard/deploy-windows-defender-application-control.md
@@ -17,10 +17,10 @@ ms.date: 10/20/2017
This section includes the following topics:
-- [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-code-integrity-policies.md)
-- [Deploy Windows Defender Application Control: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md)
-- [Deploy Windows Defender Application Control: steps](deploy-code-integrity-policies-steps.md)
-- [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-code-integrity-policies.md)
+- [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md)
+- [Deploy Windows Defender Application Control: policy rules and file rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md)
+- [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md)
+- [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md)
- [Deploy Managed Installer for Windows Defender Application Control](deploy-managed-installer-for-device-guard.md)
To increase the protection for devices that meet certain hardware requirements, you can use virtualization-based protection of code integrity with your Windows Defender Application Control (WDAC) policies.
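Review bot: The new file names in this list do not follow one pattern: `deploy-code-integrity-policies-steps.md` becomes `steps-to-deploy-windows-defender-application-control.md`, while its sibling keeps the `deploy-` prefix as `deploy-windows-defender-application-control-policy-rules-and-file-rules.md`. If that is intentional, fine; otherwise pick one scheme before these URLs are published. Also confirm that redirects from the four old file names are part of this change, since the lines shown here only update links inside this doc set.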
@@ -29,5 +29,5 @@ To increase the protection for devices that meet certain hardware requirements,
## Related topics
-[Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+[Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
diff --git a/windows/device-security/device-guard/device-guard-deployment-guide.md b/windows/device-security/device-guard/device-guard-deployment-guide.md
index 19bc9e6601..0408fa63d3 100644
--- a/windows/device-security/device-guard/device-guard-deployment-guide.md
+++ b/windows/device-security/device-guard/device-guard-deployment-guide.md
@@ -22,21 +22,21 @@ Windows Defender Device Guard also uses virtualization-based security to isolate
This guide explores the individual features in Windows Defender Device Guard as well as how to plan for, configure, and deploy them. It includes:
-- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
- [Requirements and deployment planning guidelines for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md)
- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
-- [Deploy Windows Defender Application Control](deploy-device-guard-deploy-code-integrity-policies.md)
+- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
- - [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-code-integrity-policies.md)
+ - [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md)
- - [Deploy Windows Defender Application Control: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md)
+ - [Deploy Windows Defender Application Control: policy rules and file rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md)
- - [Deploy Windows Defender Application Control: steps](deploy-code-integrity-policies-steps.md)
+ - [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md)
- - [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-code-integrity-policies.md)
+ - [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md)
- [Enable virtualization-based protection of code integrity](deploy-device-guard-enable-virtualization-based-security.md)
diff --git a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
similarity index 94%
rename from windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
rename to windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index 0e87f67867..a1b6bbcab8 100644
--- a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
+++ b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -42,7 +42,7 @@ In this guide, you learn about the individual features found within Windows Defe
Prior to Windows 10, version 1709, Windows Defender Application Control (WDAC) was known as configurable code integrity policies.
-Beginning with Windows 10, version 1703, you can use WDAC not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser). For more information, see [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](deploy-code-integrity-policies-steps.md#plug-ins).
+Beginning with Windows 10, version 1703, you can use WDAC not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser). For more information, see [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](steps-to-deploy-windows-defender-application-control.md#use-a-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules).
## Tools for managing Windows Defender Device Guard features
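Review bot: The fragment on the changed line moves from the short `#plug-ins` to the heading-derived `#use-a-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules`. A generated anchor breaks silently if that heading is ever reworded, so check that the heading text in `steps-to-deploy-windows-defender-application-control.md` matches it exactly, and consider keeping a short explicit anchor in the target file instead.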
@@ -53,18 +53,18 @@ You can easily manage Windows Defender Device Guard features by using familiar e
- **Group Policy**. Windows 10 provides an administrative template to configure and deploy the configurable WDAC policies for your organization. Another template allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings along with your existing Group Policy Objects (GPOs), which makes it simpler to implement Windows Defender Device Guard features. In addition to these WDAC and hardware-based security features, you can use Group Policy to help you manage your catalog files.
- For a description of catalog files, see the table row describing **Exposure to unsigned code** in [How Windows Defender Device Guard features help protect against threats](#how-windows-defender-device-guard-features-help-protect-against-threats), earlier in this topic.
- - For information about using Group Policy as a deployment tool, see: [Deploy catalog files with Group Policy](deploy-catalog-files-to-support-code-integrity-policies.md#deploy-catalog-files-with-group-policy) [Deploy and manage WDAC with Group Policy](deploy-code-integrity-policies-steps.md#deploy-and-manage-windows-defender-application-control-with-group-policy)
+ - For information about using Group Policy as a deployment tool, see: [Deploy catalog files with Group Policy](deploy-catalog-files-to-support-windows-defender-application-control.md#deploy-catalog-files-with-group-policy) [Deploy and manage WDAC with Group Policy](steps-to-deploy-windows-defender-application-control.md#deploy-and-manage-windows-defender-application-control-with-group-policy)
-- **Microsoft System Center Configuration Manager**. You can use System Center Configuration Manager to simplify deployment and management of catalog files, WDAC policies, and hardware-based security features, as well as provide version control. For more information, see [Deploy catalog files with System Center Configuration Manager](deploy-catalog-files-to-support-code-integrity-policies.md#deploy-catalog-files-with-system-center-configuration-manager).
+- **Microsoft System Center Configuration Manager**. You can use System Center Configuration Manager to simplify deployment and management of catalog files, WDAC policies, and hardware-based security features, as well as provide version control. For more information, see [Deploy catalog files with System Center Configuration Manager](deploy-catalog-files-to-support-windows-defender-application-control.md#deploy-catalog-files-with-system-center-configuration-manager).
- **Microsoft Intune**. You can use Microsoft Intune to simplify deployment and management of WDAC policies, as well as provide version control. In a future release of Microsoft Intune, Microsoft is considering including features that will support the deployment and management of catalog files.
-- **Windows PowerShell**. You can use Windows PowerShell to create and service WDAC policies. For more information, see [Deploy Windows Defender Application Control: steps](deploy-code-integrity-policies-steps.md).
+- **Windows PowerShell**. You can use Windows PowerShell to create and service WDAC policies. For more information, see [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md).
These options provide the same experience you're used to in order to manage your existing enterprise management solutions.
For more information about the deployment of Windows Defender Device Guard features, see:
-- [Deploy Windows Defender Application Control](deploy-device-guard-deploy-code-integrity-policies.md)
+- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
- [Deploy virtualization-based protection of code integrity](deploy-device-guard-enable-virtualization-based-security.md)
## Other features that relate to Windows Defender Device Guard
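Review bot: In the Group Policy sub-bullet, the two links after "see:" still run together with only a space between them (`[Deploy catalog files with Group Policy](...) [Deploy and manage WDAC with Group Policy](...)`). Since the line is being rewritten anyway, separate them with "and" or make them two list items. The unchanged Group Policy bullet above it also reads "configure and deploy the configurable WDAC policies", which looks like a leftover from the old "configurable code integrity policies" name and should drop "configurable".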
diff --git a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md
similarity index 95%
rename from windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md
rename to windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md
index 42a717bb3d..668316004b 100644
--- a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md
+++ b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md
@@ -15,7 +15,7 @@ ms.date: 10/20/2017
- Windows 10
- Windows Server 2016
-As you deploy Windows Defender Application Control (WDAC) (also part of Windows Defender Device Guard), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in [Deploy Windows Defender Application Control](deploy-device-guard-deploy-code-integrity-policies.md).
+As you deploy Windows Defender Application Control (WDAC) (also part of Windows Defender Device Guard), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md).
If you have an internal CA, complete these steps to create a code signing certificate.
Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded.
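Review bot: Nit on the context line "Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded": the padding scheme is normally written "PKCS #1 v1.5", and spelling it that way lets readers match it against their CA template and signing tool options. "Only the RSA algorithm" also reads better. On the changed line, "(WDAC) (also part of Windows Defender Device Guard)" stacks two parentheticals and could be folded into one clause.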
@@ -99,7 +99,7 @@ When the certificate has been exported, import it into the personal store for th
## Related topics
-- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-- [Deploy Windows Defender Application Control](deploy-device-guard-deploy-code-integrity-policies.md)
+- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
diff --git a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
index 30e5408409..b2c2cb7926 100644
--- a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
+++ b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
@@ -19,7 +19,7 @@ This topic provides a roadmap for planning and getting started on the Windows De
## Planning
-1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard).
+1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard).
2. **Group devices by degree of control needed**. Group devices according to the table in [Windows Defender Device Guard deployment in different scenarios: types of devices](requirements-and-deployment-planning-guidelines-for-device-guard.md#windows-defender-device-guard-deployment-in-different-scenarios-types-of-devices). Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices? Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.
@@ -33,42 +33,42 @@ This topic provides a roadmap for planning and getting started on the Windows De
- Is there already a list of accepted applications? A list of accepted applications can be used to help create a baseline WDAC policy. As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
- As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts?
- In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies. You can also fine-tune your control by using Windows Defender Application Control in combination with AppLocker, as described in [Windows Defender Device Guard with AppLocker](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#windows-defender-device-guard-with-applocker).
+ In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies. You can also fine-tune your control by using Windows Defender Application Control in combination with AppLocker, as described in [Windows Defender Device Guard with AppLocker](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#windows-defender-device-guard-with-applocker).
Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass WDAC.
For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your WDAC policies. Other applications where older versions of the application had vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your WDAC policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used.
- Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Windows Defender Application Control. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Deploy Windows Defender Application Control: steps](deploy-code-integrity-policies-steps.md).
+ Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Windows Defender Application Control. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md).
-4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through WDAC) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files).
+4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through WDAC) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files).
## Getting started on the deployment process
-1. **Optionally, create a signing certificate for Windows Defender Application Control**. As you deploy WDAC, you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal CA. If you choose to use an internal CA, you will need to create a code signing certificate. For more information, see [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).
+1. **Optionally, create a signing certificate for Windows Defender Application Control**. As you deploy WDAC, you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal CA. If you choose to use an internal CA, you will need to create a code signing certificate. For more information, see [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md).
2. **Create WDAC policies from “golden” computers**. When you have identified departments or roles that use distinctive or partly-distinctive sets of hardware and software, you can set up “golden” computers containing that software and hardware. In this respect, creating and managing WDAC policies to align with the needs of roles or departments can be similar to managing corporate images. From each “golden” computer, you can create a WDAC policy, and decide how to manage that policy. You can merge WDAC policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. For more information, see:
- - [Deploy Windows Defender Application Control: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md)
- - [Deploy Windows Defender Application Control: steps](deploy-code-integrity-policies-steps.md)
+ - [Deploy Windows Defender Application Control: policy rules and file rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md)
+ - [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md)
-3. **Audit the WDAC policy and capture information about applications that are outside the policy**. We recommend that you use “audit mode” to carefully test each WDAC policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. For more information, see [Audit Windows Defender Application Control policies](deploy-code-integrity-policies-steps.md#audit-windows-defender-application-control-policies).
+3. **Audit the WDAC policy and capture information about applications that are outside the policy**. We recommend that you use “audit mode” to carefully test each WDAC policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. For more information, see [Audit Windows Defender Application Control policies](steps-to-deploy-windows-defender-application-control.md#audit-windows-defender-application-control-policies).
-4. **Create a “catalog file” for unsigned LOB applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. For more information, review step 4 **Identify LOB applications that are currently unsigned**, earlier in this list, and see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-code-integrity-policies.md). In later steps, you can merge the catalog file's signature into your WDAC policy, so that applications in the catalog will be allowed by the policy.
+4. **Create a “catalog file” for unsigned LOB applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. For more information, review step 4 **Identify LOB applications that are currently unsigned**, earlier in this list, and see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md). In later steps, you can merge the catalog file's signature into your WDAC policy, so that applications in the catalog will be allowed by the policy.
6. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a WDAC policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge WDAC policies from other sources also, for flexibility in how you create your final WDAC policies. For more information, see:
- - [Create a Windows Defender Application Control policy that captures audit information from the event log](deploy-code-integrity-policies-steps.md#create-a-windows-defender-application-control-policy-that-captures-audit-information-from-the-event-log)
- - [Merge Windows Defender Application Control policies](deploy-code-integrity-policies-steps.md#merge-windows-defender-application-control-policies)
+ - [Create a Windows Defender Application Control policy that captures audit information from the event log](steps-to-deploy-windows-defender-application-control.md#create-a-windows-defender-application-control-policy-that-captures-audit-information-from-the-event-log)
+ - [Merge Windows Defender Application Control policies](steps-to-deploy-windows-defender-application-control.md#merge-windows-defender-application-control-policies)
7. **Deploy WDAC policies and catalog files**. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking WDAC policies out of auditing mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and WDAC policies more broadly. For more information, see:
- - [Enforce Windows Defender Application Control policies](deploy-code-integrity-policies-steps.md#enforce-windows-defender-application-control-policies)
- - [Deploy and manage Windows Defender Application Control with Group Policy](deploy-code-integrity-policies-steps.md#deploy-and-manage-windows-defender-application-control-with-group-policy)
+ - [Enforce Windows Defender Application Control policies](steps-to-deploy-windows-defender-application-control.md#enforce-windows-defender-application-control-policies)
+ - [Deploy and manage Windows Defender Application Control with Group Policy](steps-to-deploy-windows-defender-application-control.md#deploy-and-manage-windows-defender-application-control-with-group-policy)
-8. **Enable desired virtualization-based security (VBS) features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by Windows Defender Application Control, as described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
+8. **Enable desired virtualization-based security (VBS) features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by Windows Defender Application Control, as described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats).
> [!WARNING]
> Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
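Review bot: The updated links on the `+` lines for the bypass-list paragraph and under step 2 still carry the link text "Deploy Windows Defender Application Control: steps", while the target is renamed to steps-to-deploy-windows-defender-application-control.md and its H1 becomes "Steps to Deploy Windows Defender Application Control" later in this change. Update the link text together with the path so the link label matches the page title the reader lands on.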
diff --git a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
index 52e334ee8c..418d67676f 100644
--- a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -23,7 +23,7 @@ The information in this article is intended for IT professionals, and provides a
To deploy Windows Defender Device Guard in a way that uses all of its virtualization-based security (VBS) features, the computers you are protecting must meet certain hardware, firmware, and software requirements. However, computers lacking some of the hardware and firmware requirements will still receive some protection when you deploy Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats.
-For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. For an outline of how VBS-related hardware strengthens the hardening offered by Windows Defender Device Guard, see [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md).
+For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. For an outline of how VBS-related hardware strengthens the hardening offered by Windows Defender Device Guard, see [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md).
You can deploy Windows Defender Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh.
@@ -33,7 +33,7 @@ You can deploy Windows Defender Device Guard in phases, and plan these phases in
The following tables provide more information about the hardware, firmware, and software required for deployment of various Windows Defender Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
> **Notes**
-> • To understand the requirements in the following tables, you will need to be familiar with the main features in Windows Defender Device Guard: Windows Defender Application Control (WDAC), virtualization-based protection of code integrity, and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
+> • To understand the requirements in the following tables, you will need to be familiar with the main features in Windows Defender Device Guard: Windows Defender Application Control (WDAC), virtualization-based protection of code integrity, and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats).
> • Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.
## Baseline protections
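Review bot: The rewritten first note in this hunk expands UEFI as "Universal Extensible Firmware Interface"; the acronym stands for Unified Extensible Firmware Interface. Since the line is being touched anyway for the link target, correct the expansion in the same edit.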
@@ -139,7 +139,7 @@ After you have created and signed your catalog files, you can configure your WDA
> **Note** Package Inspector only works on operating systems that support Windows Defender Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
-For information about how creating catalog files fits into Windows Defender Device Guard deployment, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). For procedures for working with catalog files, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-code-integrity-policies.md).
+For information about how creating catalog files fits into Windows Defender Device Guard deployment, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). For procedures for working with catalog files, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).
## Windows Defender Application Control policy formats and signing
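Review bot: The Package Inspector note directly above the changed line lists "Windows 2016 Server", whereas the "Applies to" list in the steps article in this same change uses "Windows Server 2016". The paragraph is already being edited for the catalog-file link, so the product name could be aligned here as well.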
@@ -152,6 +152,6 @@ When the WDAC policy is deployed, it restricts the software that can run on a de
## Related topics
- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
-- [Deploy Windows Defender Application Control](deploy-device-guard-deploy-code-integrity-policies.md)
+- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/steps-to-deploy-windows-defender-application-control.md
similarity index 97%
rename from windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
rename to windows/device-security/device-guard/steps-to-deploy-windows-defender-application-control.md
index 2b14a66d3f..380dfc0e0c 100644
--- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
+++ b/windows/device-security/device-guard/steps-to-deploy-windows-defender-application-control.md
@@ -9,13 +9,13 @@ author: brianlic-msft
ms.date: 11/02/2017
---
-# Deploy Windows Defender Application Control: steps
+# Steps to Deploy Windows Defender Application Control
**Applies to**
- Windows 10
- Windows Server 2016
-For an overview of the process described in the following procedures, see [Deploy Windows Defender Application Control: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md). To understand how the deployment of Windows Defender Application Control (WDAC) fits with other steps in the Windows Defender Device Guard deployment process, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
+For an overview of the process described in the following procedures, see [Deploy Windows Defender Application Control: policy rules and file rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md). To understand how the deployment of Windows Defender Application Control (WDAC) fits with other steps in the Windows Defender Device Guard deployment process, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
## Create a Windows Defender Application Control policy from a reference computer
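Review bot: The front matter in this hunk keeps `ms.date: 11/02/2017` although the file is renamed, retitled and relinked here, while windows/hub/index.md in the same change moves its ms.date to 02/02/2018; if the field is meant to track the last content edit, bump it here too. The new H1 "Steps to Deploy Windows Defender Application Control" also capitalizes "Deploy" mid-title, which differs from the sentence-case headings in the rest of the file such as "Create a Windows Defender Application Control policy from a reference computer".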
@@ -33,7 +33,7 @@ Each installed software application should be validated as trustworthy before yo
We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable.
Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want it to run scripts.
You can remove or disable such software on the reference computer.
-You can also fine-tune your control by [using Windows Defender Application Control in combination with AppLocker](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#windows-defender-device-guard-with-applocker).
+You can also fine-tune your control by [using Windows Defender Application Control in combination with AppLocker](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#windows-defender-device-guard-with-applocker).
Members of the security community\* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control.
@@ -708,7 +708,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi
> - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
- > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#windows-defender-application-control-file-rule-levels) in “Deploy Windows Defender Application Control: policy rules and file rules.”
+ > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](deploy-windows-defender-application-control-policy-rules-and-file-rules.md#windows-defender-application-control-file-rule-levels) in “Deploy Windows Defender Application Control: policy rules and file rules.”
> - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned.
@@ -768,7 +768,7 @@ When WDAC policies are run in audit mode, it allows administrators to discover a
You will be reviewing the exceptions that appear in the event log, and making a list of any applications that should be allowed to run in your environment.
-6. If you want to create a catalog file to simplify the process of including unsigned LOB applications in your WDAC policy, this is a good time to create it. For information, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-code-integrity-policies.md).
+6. If you want to create a catalog file to simplify the process of including unsigned LOB applications in your WDAC policy, this is a good time to create it. For information, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).
Now that you have a WDAC policy deployed in audit mode, you can capture any audit information that appears in the event log. This is described in the next section.
@@ -780,7 +780,7 @@ Use the following procedure after you have been running a computer with a WDAC p
1. Review the audit information in the event log. From the WDAC policy exceptions that you see, make a list of any applications that should be allowed to run in your environment, and decide on the file rule level that should be used to trust these applications.
- Although the Hash file rule level will catch all of these exceptions, it may not be the best way to trust all of them. For information about file rule levels, see [Windows Defender Application Control file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#windows-defender-application-control-file-rule-levels) in "Deploy Windows Defender Application Control: policy rules and file rules."
+ Although the Hash file rule level will catch all of these exceptions, it may not be the best way to trust all of them. For information about file rule levels, see [Windows Defender Application Control file rule levels](deploy-windows-defender-application-control-policy-rules-and-file-rules.md#windows-defender-application-control-file-rule-levels) in "Deploy Windows Defender Application Control: policy rules and file rules."
Your event log might also contain exceptions for applications that you eventually want your WDAC policy to block. If these appear, make a list of these also, for a later step in this procedure.
@@ -808,7 +808,7 @@ You can now use this file to update the existing WDAC policy that you ran in aud
> [!Note]
> You may have noticed that you did not generate a binary version of this policy as you did in [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer). This is because WDAC policies created from an audit log are not intended to run as stand-alone policies but rather to update existing WDAC policies.
-## Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules
+## Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules
As of Windows 10, version 1703, you can use WDAC policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser):
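Review bot: The removed and added "## Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules" lines read identically, so this looks like a whitespace-only or invisible-character change. Confirm it is intentional and that the generated heading anchor is unchanged, since other sections in this file link to headings by anchor.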
@@ -922,9 +922,9 @@ With this in mind, it is much more difficult to remove signed WDAC policies.
Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](#audit-windows-defender-application-control-policies) to discover any blocked applications that should be allowed to run.
Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward.
-If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) to create one with your on-premises CA.
+If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md) to create one with your on-premises CA.
-Before signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md#windows-defender-application-control-policy-rules) in "Deploy Windows Defender Application Control: policy rules and file rules."
+Before signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md#windows-defender-application-control-policy-rules) in "Deploy Windows Defender Application Control: policy rules and file rules."
To sign a WDAC policy with SignTool.exe, you need the following components:
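Review bot: In the rewritten paragraph on rule options 9 and 10, the inline command `Set-RuleOption -FilePath -Option 9` has no value after `-FilePath`, so it fails as written; the removed line has the same gap, which suggests a path placeholder was lost. This is the step that keeps the boot-time troubleshooting options available before a policy is signed, so give it a runnable form, for example with the `$CIPolicyPath` variable that the signing steps in this file already use, and show the matching command for option 10.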
@@ -934,7 +934,7 @@ To sign a WDAC policy with SignTool.exe, you need the following components:
- An internal CA code signing certificate or a purchased code signing certificate
-If you do not have a code signing certificate, see the [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) section for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session:
+If you do not have a code signing certificate, see the [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md) section for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session:
1. Initialize the variables that will be used:
@@ -947,7 +947,7 @@ If you do not have a code signing certificate, see the [Optional: Create a code
> [!Note]
> This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
-2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).
+2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md).
3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later.
@@ -1092,7 +1092,7 @@ To deploy and manage a WDAC policy with Group Policy:
## Related topics
-[Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+[Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
[Enable virtualization-based protection of code integrity](deploy-device-guard-enable-virtualization-based-security.md)
diff --git a/windows/hub/images/W10-WaaS-poster-old.PNG b/windows/hub/images/W10-WaaS-poster-old.PNG
new file mode 100644
index 0000000000..d3887faf89
Binary files /dev/null and b/windows/hub/images/W10-WaaS-poster-old.PNG differ
diff --git a/windows/hub/images/W10-WaaS-poster.PNG b/windows/hub/images/W10-WaaS-poster.PNG
index d3887faf89..de2251a9f2 100644
Binary files a/windows/hub/images/W10-WaaS-poster.PNG and b/windows/hub/images/W10-WaaS-poster.PNG differ
diff --git a/windows/hub/index.md b/windows/hub/index.md
index 7e87fea288..7d1f965f9d 100644
--- a/windows/hub/index.md
+++ b/windows/hub/index.md
@@ -8,59 +8,59 @@ author: greg-lindsay
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.date: 12/18/2017
+ms.date: 02/02/2018
---
# Windows 10 and Windows 10 Mobile
Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10 or Windows 10 Mobile.
-
Threat Protection
diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
index 30f102d99c..58317c1029 100644
--- a/windows/threat-protection/TOC.md
+++ b/windows/threat-protection/TOC.md
@@ -254,6 +254,7 @@
#### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md)
#### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard\import-export-exploit-protection-emet-xml.md)
+#### [Troubleshoot Exploit protection mitigations](windows-defender-exploit-guard\troubleshoot-exploit-protection-mitigations.md)
### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
#### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
@@ -269,8 +270,7 @@
#### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
-
-
+## [Windows Defender Application Control](windows-defender-application-control.md)
## [Windows Defender SmartScreen](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)
diff --git a/windows/threat-protection/change-history-for-threat-protection.md b/windows/threat-protection/change-history-for-threat-protection.md
index 6f573cc55e..2509a33e83 100644
--- a/windows/threat-protection/change-history-for-threat-protection.md
+++ b/windows/threat-protection/change-history-for-threat-protection.md
@@ -12,6 +12,12 @@ ms.date: 10/31/2017
# Change history for threat protection
This topic lists new and updated topics in the [Threat protection](index.md) documentation.
+## January 2018
+|New or changed topic |Description |
+|---------------------|------------|
+|[Windows Defender Application Control](windows-defender-application-control.md)|New topic. WDAC replaces cofigurable code integrity policies. |
+
+
## October 2017
|New or changed topic |Description |
|---------------------|------------|
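Review bot: The added January 2018 row misspells "configurable" as "cofigurable" in the Description cell; correct it before merge. The hunk header still shows ms.date: 10/31/2017 and this is the only hunk for the file, so the front-matter date was not bumped to match the new entry. The two consecutive added blank lines after the table can be reduced to one.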
diff --git a/windows/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index b9e507ecb2..6ab49143bd 100644
--- a/windows/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -651,4 +651,4 @@ You can get more info with the following links:
- [Event Query Schema](http://msdn.microsoft.com/library/aa385760.aspx)
- [Windows Event Collector](http://msdn.microsoft.com/library/windows/desktop/bb427443.aspx)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=use-windows-event-forwarding-to-assist-in-instrusion-detection.md).
+
diff --git a/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md b/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
index 4c6000558a..6e8c26d829 100644
--- a/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
+++ b/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
@@ -17,7 +17,7 @@ ms.date: 07/27/2017
On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) if they have not already done so.
-Microsoft antimalware telemetry immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Windows Defender Antivirus](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.
+Microsoft antimalware diagnostic data immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Windows Defender Antivirus](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.
In this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response.
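Review bot: The changed sentence now reads "Microsoft antimalware diagnostic data immediately picked up signs of this campaign", which looks like a mechanical rename, because data does not pick up signs of anything. Reword it so that a system is the subject, for example "Microsoft antimalware systems immediately picked up signs of this campaign in diagnostic data".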
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
index 116f576b83..f44c485e39 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@@ -35,7 +35,7 @@ See the Enterprise Mobility and Security blog post [Important changes to Microso
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
>- Cloud-delivered protection
->- Fast learning (including Black at first sight)
+>- Fast learning (including Block at first sight)
>- Potentially unwanted application blocking
## Allow connections to the Windows Defender Antivirus cloud
@@ -133,10 +133,10 @@ https://msdl.microsoft.com/download/symbols
Universal Telemetry Client
-Used by Windows to send client telemetry, Windows Defender Antivirus uses this for product quality monitoring purposes
+Used by Windows to send client diagnostic data, Windows Defender Antivirus uses this for product quality monitoring purposes
-This update uses SSL (TCP Port 443) to download manifests and upload telemetry to Microsoft that uses the following DNS endpoints:
vortex-win.data.microsoft.com
settings-win.data.microsoft.com
+This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints:
vortex-win.data.microsoft.com
settings-win.data.microsoft.com
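Review bot: The added description "Used by Windows to send client diagnostic data, Windows Defender Antivirus uses this for product quality monitoring purposes" is a comma splice carried over from the old text; split it into two sentences while the line is being edited. The same applies to "upload diagnostic data to Microsoft that uses the following DNS endpoints", where it is unclear what "that" refers to.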
diff --git a/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
index 0ba067be64..a45301b39d 100644
--- a/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
@@ -86,7 +86,15 @@ First, you should create your base image according to your business needs, apply
After creating the image, you should ensure it is fully updated. See [Configure Windows Defender in Windows 10]( https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-windows-defender-in-windows-10) for instructions on how to update Windows Defender AV protection via WSUS, Microsoft Update, the MMPC site, or UNC file shares. You should ensure that your initial base image is also fully patched with Microsoft and Windows updates and patches.
### Seal the base image
-When the base image is fully updated, you should run a quick scan on the image. This “sealing” or “locking” of the image helps Windows Defender AV build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted.
+When the base image is fully updated, you should run a quick scan on the image.
+
+After running a scan and buliding the cache, remove the machine GUID that uniquely identifies the device in telemetry for both Windows Defender Antivirus and the Microsoft Security Removal Tool. This key is located here:
+
+'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT'
+
+Remove the string found in the 'GUID' value
+
+This “sealing” or “locking” of the image helps Windows Defender AV build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted.
You can run a quick scan [from the command line](command-line-arguments-windows-defender-antivirus.md) or via [System Center Configuration Manager](run-scan-windows-defender-antivirus.md).
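Review bot: Splitting the original paragraph leaves "This "sealing" or "locking" of the image helps Windows Defender AV build a cache" directly after the GUID-removal step, so "This" now points at deleting a registry value instead of at the quick scan. Move that sentence back next to "you should run a quick scan on the image" and place the GUID step after it. The step itself is ambiguous: "Remove the string found in the 'GUID' value" does not say whether to delete the value or clear its data, and it has no final period. Also fix "buliding", format the key path as code instead of wrapping it in single quotes, and replace "Microsoft Security Removal Tool", which does not match the MRT key (the tool is the Microsoft Malicious Software Removal Tool). The added text also says "telemetry" while the rest of this change renames the term to "diagnostic data".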
diff --git a/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
index a5b99ca287..2636c7abd9 100644
--- a/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
@@ -31,7 +31,7 @@ If you're an enterprise security administrator, and you want to determine how we
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work:
>- Cloud-delivered protection
->- Fast learning (including Black at first sight)
+>- Fast learning (including Block at first sight)
>- Potentially unwanted application blocking
@@ -43,7 +43,7 @@ The guide is available in PDF format for offline viewing:
- [Download the guide in PDF format](https://www.microsoft.com/download/details.aspx?id=54795)
You can also download a PowerShell that will enable all the settings described in the guide automatically. You can obtain the script alongside the PDF download above, or individually from PowerShell Gallery:
-- [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/1.0/DisplayScript)
+- [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/1.2/DisplayScript)
> [!IMPORTANT]
> The guide is currently intended for single-machine evaluation of Windows Defender Antivirus protection. Enabling all of the settings in this guide may not be suitable for real-world deployment.
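Review bot: The updated link hard-codes version 1.2 in the URL (WindowsDefender_InternalEvaluationSettings/1.2/DisplayScript), so it will go stale at the next release just as the 1.0 link did. Point to the package page without a version segment if possible. While this paragraph is open, the context sentence "You can also download a PowerShell that will enable all the settings" is missing the word "script".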
diff --git a/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
index f5ba563109..0dd2646921 100644
--- a/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
@@ -51,7 +51,7 @@ In order for devices to properly show up in Update Compliance, you have to meet
>- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](windows-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance.
> - [Cloud-delivered protection is enabled](enable-cloud-protection-windows-defender-antivirus.md).
> - Endpoints can [connect to the Windows Defender AV cloud](configure-network-connections-windows-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud)
-> - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 telemetry must be set to the Enhanced level](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization#enhanced-level).
+> - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level).
> - It has been 3 days since all requirements have been met
If the above pre-requisites have all been met, you may need to proceed to the next step to collect diagnostic information and send it to us.
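Review bot: The new link target, configure-windows-diagnostic-data-in-your-organization#enhanced-level, is a renamed page on docs.microsoft.com that this hunk cannot verify. Confirm that the rename of the target topic ships with this change or that a redirect from configure-windows-telemetry-in-your-organization exists, otherwise this prerequisite link breaks.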
diff --git a/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
index 430f6c2ae2..3b17d0a161 100644
--- a/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
@@ -37,7 +37,7 @@ The tables list:
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
>- Cloud-delivered protection
->- Fast learning (including Black at first sight)
+>- Fast learning (including Block at first sight)
>- Potentially unwanted application blocking
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
index 6aeb1bf74e..c2a9edb814 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
@@ -46,7 +46,7 @@ Some of the highlights of Windows Defender AV include:
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work:
>- Cloud-delivered protection
->- Fast learning (including Black at first sight)
+>- Fast learning (including Block at first sight)
>- Potentially unwanted application blocking
## What's new in Windows 10, version 1703
diff --git a/windows/threat-protection/windows-defender-application-control.md b/windows/threat-protection/windows-defender-application-control.md
new file mode 100644
index 0000000000..74adeafb06
--- /dev/null
+++ b/windows/threat-protection/windows-defender-application-control.md
@@ -0,0 +1,49 @@
+---
+title: Windows Defender Application Control (WDAC) (Windows 10)
+description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: jsuther1974
+ms.date: 01/24/2018
+---
+
+# Windows Defender Application Control
+
+**Applies to:**
+
+- Windows 10
+- Windows Server 2016
+
+With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks.
+In most organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative.
+
+However, when a user runs a process, that process has the same level of access to data that the user has.
+As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software.
+
+Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions.
+Specifically, application control moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run.
+Many organizations, like the Australian Signals Directorate, understand this and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.).
+
+Windows Defender Application Control (WDAC) can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel).
+WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in [Constrained Language Mode](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-5.1).
+
+> [!NOTE]
+> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity policies.
+
+## WDAC System Requirements
+
+WDAC policies can only be created on computers running Windows 10 Enterprise or Windows Server 2016.
+They can be applied to computers running any edition of Windows 10 and managed via Mobile Device Management (MDM), such as Microsoft Intune.
+Group Policy can also be used to distribute Group Policy Objects that contain WDAC policies on computers running Windows 10 Enterprise or Windows Server 2016.
+
+## New and changed functionality
+
+Prior to Windows 10, version 1709, Windows Defender Application Control was known as Windows Defender Device Guard configurable code integrity policies.
+
+Beginning with Windows 10, version 1703, you can use WDAC not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser).
+For more information, see [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](https://docs.microsoft.com/windows/device-security/device-guard/steps-to-deploy-windows-defender-application-control#use-a-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules).
+
+
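Review bot: The new topic states the rename twice and with different names: the note under the introduction says WDAC "was known as configurable code integrity policies", while "New and changed functionality" says it "was known as Windows Defender Device Guard configurable code integrity policies". Keep one statement and use one name. The opening sentence ("using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense") is hard to parse and should be simplified. The last link uses an absolute docs.microsoft.com URL under windows/device-security/device-guard while the rest of this change uses relative .md links; use a relative link if the target is in this repository. The file also ends with two empty added lines.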
diff --git a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
index 71c3fac2d7..387b02dde9 100644
--- a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
+++ b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
@@ -37,7 +37,7 @@ Answering frequently asked questions about Windows Defender Application Guard (A
| | |
|---|----------------------------|
|**Q:** |Can employees copy and paste between the host device and the Application Guard Edge session?|
-|**A:** |Depending on your organization's settings, employees can copy and paste images and text (.bmp) to and from the isolated container.|
+|**A:** |Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container.|
| | |
diff --git a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
index 5f8a979ddd..7b79f26762 100644
--- a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
+++ b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
@@ -32,7 +32,7 @@ Your environment needs the following hardware to run Windows Defender Applicatio
|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended|
## Software requirements
-Your environment needs the following hardware to run Windows Defender Application Guard.
+Your environment needs the following software to run Windows Defender Application Guard.
|Software|Description|
|--------|-----------|
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index ad0296fcc4..1da2319b09 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -106,11 +106,11 @@ Health Status for onboarded machines: Sense Is Running | ./Device/Vendor/MSFT/Wi
Health Status for onboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
Health Status for onboarded machines: Organization ID | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 Default value: 1 | Windows Defender ATP Sample sharing is enabled
-Configuration for onboarded machines: telemetry reporting frequency | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/TelemetryReportingFrequency | Integer | 1 or 2 1: Normal (default)
2: Expedite | Windows Defender ATP telemetry reporting
+Configuration for onboarded machines: diagnostic data reporting frequency | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/TelemetryReportingFrequency | Integer | 1 or 2 1: Normal (default)
2: Expedite | Windows Defender ATP diagnostic data reporting
> [!NOTE]
> - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
-> - Configuration of telemetry reporting frequency is only available for machines on Windows 10, version 1703.
+> - Configuration of diagnostic data reporting frequency is only available for machines on Windows 10, version 1703.
> - Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical.
@@ -118,66 +118,6 @@ Configuration for onboarded machines: telemetry reporting frequency | ./Device/V
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
-### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher
-
-1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
-
- a. Select **Endpoint management** > **Clients** on the **Navigation pane**.
-
- b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
-
- 
-
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
-
-3. Login to the [Microsoft Azure portal](https://portal.azure.com).
-
-4. From the Intune blade, choose **Device configuration**.
-
- 
-
-5. Under **Manage**, choose **Profiles** and click **Create Profile**.
-
- 
-
-6. Type a name, description and choose **Windows 10 and later** as the Platform and **Custom** as the Profile type.
-
- 
-
-7. Click **Settings** > **Configure**.
-
- 
-
-8. Under Custom OMA-URI Settings, click **Add**.
-
- 
-
-9. Enter the following values, then click **OK**.
-
- 
-
- - **Name**: Type a name for the setting.
- - **Description**: Type a description for the setting.
- - **OMA-URI**: _./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding_
- - **Value**: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded.
-
-10. Save the settings by clicking **OK**.
-
-11. Click **Create**.
-
- 
-
-12. To deploy the Profile, click **Assignments**.
-
- 
-
-13. Search for and select the Group you want to apply the Configuration Profile to, then click **Select**.
-
- 
-
-14. Click **Save** to finish deploying the Configuration Profile.
-
- 
### Offboard and monitor endpoints
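Review bot: This hunk deletes the whole "Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher" procedure, including the Onboarding OMA-URI step, and nothing visible here replaces it or links to where the steps now live. If the procedure moved, add a pointer above "### Offboard and monitor endpoints"; if it is obsolete, say so in the commit message. The removed steps referenced images such as images/atp-intune-custom.png and images/atp-intune-save-deployment.png, which should be deleted in the same change if no other topic uses them.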
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
index 221265a041..f98fcf98cf 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
@@ -60,7 +60,7 @@ To effectively offboard the endpoints from the service, you'll need to disable t
2. In Windows Defender Security Center portal, select **Endpoint management**> **Non-Windows**.
-3. Toggle the third-party provider switch button to turn stop telemetry from endpoints.
+3. Toggle the third-party provider switch button to turn stop diagnostic data from endpoints.
>[!WARNING]
>If you decide to turn on the third-party integration again after disabling the integration, you'll need to regenerate the token and reapply it on endpoints.
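Review bot: The edited step 3 still contains the broken phrase "to turn stop diagnostic data from endpoints". Since the line is being changed anyway, fix it, for example "Toggle the third-party provider switch button to stop diagnostic data from endpoints".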
diff --git a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index 3a456f6352..cd4942e214 100644
--- a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -47,7 +47,7 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
- WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
## Configure the proxy server manually using a registry-based static proxy
-Configure a registry-based static proxy to allow only Windows Defender ATP sensor to report telemetry and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet.
+Configure a registry-based static proxy to allow only Windows Defender ATP sensor to report diagnostic data and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet.
The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**.
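Review bot: The edited sentence keeps the grammar error "if a computer is not be permitted to connect to the Internet"; change it to "is not permitted" while touching the line. Leaving "Configure connected user experiences and telemetry" unchanged in the following context line is right if that is the literal Group Policy setting name, so no rename is needed there.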
diff --git a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
index 43244d2c7b..79a751c4a0 100644
--- a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -155,7 +155,7 @@ The service could not contact the external processing servers at that URL.
17
Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```.
An error occurred with the Windows telemetry service.
-
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).
+
[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostics-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```.
An error occurred with the Windows telemetry service.
-
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).
+
[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```.
An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.
-
[Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).
+
[Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).
32
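Review bot: The new anchors in this hunk are inconsistent: the first added link points to #ensure-the-diagnostics-service-is-enabled, while the next two point to #ensure-the-diagnostic-data-service-is-enabled. Only one of these can match the heading in troubleshoot-onboarding-windows-defender-advanced-threat-protection.md, so check the target and use the same anchor in all three. The third added link also keeps the text "Check for errors with the Windows telemetry service" while its anchor was renamed, and the descriptions "An error occurred with the Windows telemetry service" are left as is, so the rows now mix both terms.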
@@ -241,7 +241,7 @@ If the identifier does not persist, the same machine might appear twice in the p
34
Windows Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```.
An error occurred with the Windows telemetry service.
-
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).
+
[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
@@ -250,7 +250,7 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
Windows Defender Advanced Threat Protection service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: ```variable```.
An error occurred with the Windows telemetry service during offboarding. The offboarding process continues.
-
Check for errors with the Windows telemetry service.
+
Check for errors with the Windows diagnostic data service.
36
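Review bot: One table row now uses two names for the same service: the added step says "Windows diagnostic data service" while the description cell directly above it still reads "An error occurred with the Windows telemetry service during offboarding". Update the description cells in this table as well (the "An error occurred with the Windows telemetry service." cell in the previous hunk has the same problem) or the rename will confuse readers matching event text to steps. The added step is also plain text, whereas the equivalent row for the unregistration failure links to the troubleshooting section; consider linking it the same way.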
diff --git a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index 05f7de339c..b31dad703f 100644
--- a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -72,8 +72,8 @@ Follow theses actions to correct known issues related to a misconfigured machine
- [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
-- [Ensure the telemetry and diagnostics service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled)
-If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint.
+- [Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostics-service-is-enabled)
+If the endpoints aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint.
- [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
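Review bot: The added link targets `#ensure-the-diagnostics-service-is-enabled`, which does not correspond to the heading this patch introduces in the troubleshooting topic, "Ensure the diagnostic data service is enabled". If anchors are generated from heading text, the fragment should be `#ensure-the-diagnostic-data-service-is-enabled`, the form already used in the event table links earlier in this patch. As written, the link is likely to land at the top of the page instead of the section.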
diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index 8fc3acc6fa..3027bbe7f9 100644
--- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -72,13 +72,14 @@ The Windows Defender ATP sensor can utilize up to 5MB daily of bandwidth to com
For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
-Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10.
+Before you configure endpoints, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.
-### Telemetry and diagnostics settings
-You must ensure that the telemetry and diagnostics service is enabled on all the endpoints in your organization.
+
+### Diagnostic data settings
+You must ensure that the diagnostic data service is enabled on all the endpoints in your organization.
By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.
-**Use the command line to check the Windows 10 telemetry and diagnostics service startup type**:
+**Use the command line to check the Windows 10 diagnostic data service startup type**:
1. Open an elevated command-line prompt on the endpoint:
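Review bot: Renaming the heading from "Telemetry and diagnostics settings" to "Diagnostic data settings" changes its anchor, and nothing in this patch updates inbound links to this section. Search the repo for `#telemetry-and-diagnostics-settings` before merging and update or redirect any hits.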
@@ -100,7 +101,7 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
-**Use the command line to set the Windows 10 telemetry and diagnostics service to automatically start:**
+**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
1. Open an elevated command-line prompt on the endpoint:
diff --git a/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
index 9469fbc10a..28e6945c58 100644
--- a/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
@@ -46,7 +46,7 @@ Parameter | Type | Description
Comment | String | Comment to associate with the action. **Required**.
ScanType| ScanType | Defines the type of the Scan. **Required**.
-**ScanType** controls the type of isolation to perform and can be one of the following:
+**ScanType** controls the type of scan to perform and can be one of the following:
- **Quick** – Perform quick scan on the machine
- **Full** – Perform full scan on the machine
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index b4176ad214..487679607d 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -128,7 +128,7 @@ ID | Severity | Event description | Troubleshooting steps
## Troubleshoot onboarding issues on the endpoint
If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
- [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log)
-- [Ensure the telemetry and diagnostics service is enabled](#ensure-the-telemetry-and-diagnostics-service-is-enabled)
+- [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled)
- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
- [Ensure the endpoint has an Internet connection](#ensure-the-endpoint-has-an-internet-connection)
- [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
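Review bot: The same-page link `#ensure-the-diagnostics-service-is-enabled` in the added bullet has no matching heading: the section is renamed to "Ensure the diagnostic data service is enabled" in the next hunk of this file, and the old `#ensure-the-telemetry-and-diagnostics-service-is-enabled` target no longer exists. Change the fragment to `#ensure-the-diagnostic-data-service-is-enabled` so the verification list still jumps to the section.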
@@ -176,14 +176,15 @@ Event ID | Message | Resolution steps
There are additional components on the endpoint that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
-### Ensure the telemetry and diagnostics service is enabled
-If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint. The service might have been disabled by other programs or user configuration changes.
+
+### Ensure the diagnostic data service is enabled
+If the endpoints aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint. The service might have been disabled by other programs or user configuration changes.
First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
### Ensure the service is set to start
-**Use the command line to check the Windows 10 telemetry and diagnostics service startup type**:
+**Use the command line to check the Windows 10 diagnostic data service startup type**:
1. Open an elevated command-line prompt on the endpoint:
@@ -204,7 +205,7 @@ First, you should check that the service is set to start automatically when Wind
If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start.
-**Use the command line to set the Windows 10 telemetry and diagnostics service to automatically start:**
+**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
1. Open an elevated command-line prompt on the endpoint:
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
index 1aba2357ef..2da04a15b8 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@@ -82,11 +82,11 @@ Disable Win32k system calls | Prevents an app from using the Win32k system call
Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
>[!IMPORTANT]
>If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
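Review bot: The three added "Not compatible with ACG" fragments (SimExec, CallerCheck and StackPivot rows) lack a closing period, unlike the other sentences in the description column, and use the abbreviation ACG without expanding it. Write "Not compatible with Arbitrary code guard (ACG)." so each row can be read on its own, and state what an administrator should expect when both are configured for the same app, since "not compatible" does not say whether one setting is ignored or the configuration is rejected.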
@@ -308,4 +308,4 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Evaluate Exploit protection](evaluate-exploit-protection.md)
- [Enable Exploit protection](enable-exploit-protection.md)
-- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
\ No newline at end of file
+- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
diff --git a/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
index 1a7b7ba0b7..772ad2e7b0 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
@@ -95,5 +95,5 @@ You can review the Windows event log to see events that are created when Network
Topic | Description
---|---
-[Evaluate Network protection](evaluate-network-protection.md) | Undertake aa quick scenario that demonstrate how the feature works, and what events would typically be created.
-[Enable Network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage the Network protection feature in your network.
\ No newline at end of file
+[Evaluate Network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created.
+[Enable Network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage the Network protection feature in your network.
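Review bot: The corrected line still reads "a quick scenario that demonstrate how the feature works"; the verb should be "demonstrates". Since the sentence is being touched to fix "aa", fix the agreement error in the same change.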
diff --git a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
new file mode 100644
index 0000000000..eb71a22518
--- /dev/null
+++ b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
@@ -0,0 +1,217 @@
+---
+title: Deploy Exploit protection mitigations across your organization
+keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install
+description: Remove unwanted Exploit protection mitigations.
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 01/31/18
+---
+
+
+
+# Troubleshoot Exploit protection mitigations
+
+
+**Applies to:**
+
+- Windows 10, version 1709
+
+
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- PowerShell
+
+
+When you create a set of Exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations.
+
+You can manually remove unwanted mitigations in Windows Defender Security Center, or you can use the following process to remove all mitigations and then import a baseline configuration file instead.
+
+1. Remove all process mitigations with this PowerShell script:
+
+ ```PowerShell
+ # Check if Admin-Privileges are available
+ function Test-IsAdmin {
+ ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
+ }
+
+ # Delete ExploitGuard ProcessMitigations for a given key in the registry. If no other settings exist under the specified key,
+ # the key is deleted as well
+ function Remove-ProcessMitigations([Object] $Key, [string] $Name) {
+ Try {
+ if ($Key.GetValue("MitigationOptions")) {
+ Write-Host "Removing MitigationOptions for: " $Name
+ Remove-ItemProperty -Path $Key.PSPath -Name "MitigationOptions" -ErrorAction Stop;
+ }
+ if ($Key.GetValue("MitigationAuditOptions")) {
+ Write-Host "Removing MitigationAuditOptions for: " $Name
+ Remove-ItemProperty -Path $Key.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
+ }
+
+ # Remove the FilterFullPath value if there is nothing else
+ if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 1) -and ($Key.GetValue("FilterFullPath"))) {
+ Remove-ItemProperty -Path $Key.PSPath -Name "FilterFullPath" -ErrorAction Stop;
+ }
+
+ # If the key is empty now, delete it
+ if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 0)) {
+ Write-Host "Removing empty Entry: " $Name
+ Remove-Item -Path $Key.PSPath -ErrorAction Stop
+ }
+ }
+ Catch {
+ Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
+ }
+ }
+
+ # Delete all ExploitGuard ProcessMitigations
+ function Remove-All-ProcessMitigations {
+ if (!(Test-IsAdmin)) {
+ throw "ERROR: No Administrator-Privileges detected!"; return
+ }
+
+ Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | ForEach-Object {
+ $MitigationItem = $_;
+ $MitigationItemName = $MitigationItem.PSChildName
+
+ Try {
+ Remove-ProcessMitigations $MitigationItem $MitigationItemName
+
+ # "UseFilter" indicate full path filters may be present
+ if ($MitigationItem.GetValue("UseFilter")) {
+ Get-ChildItem -Path $MitigationItem.PSPath | ForEach-Object {
+ $FullPathItem = $_
+ if ($FullPathItem.GetValue("FilterFullPath")) {
+ $Name = $MitigationItemName + "-" + $FullPathItem.GetValue("FilterFullPath")
+ Write-Host "Removing FullPathEntry: " $Name
+ Remove-ProcessMitigations $FullPathItem $Name
+ }
+
+ # If there are no subkeys now, we can delete the "UseFilter" value
+ if ($MitigationItem.SubKeyCount -eq 0) {
+ Remove-ItemProperty -Path $MitigationItem.PSPath -Name "UseFilter" -ErrorAction Stop
+ }
+ }
+ }
+ if (($MitigationItem.SubKeyCount -eq 0) -and ($MitigationItem.ValueCount -eq 0)) {
+ Write-Host "Removing empty Entry: " $MitigationItemName
+ Remove-Item -Path $MitigationItem.PSPath -ErrorAction Stop
+ }
+ }
+ Catch {
+ Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
+ }
+ }
+ }
+
+ # Delete all ExploitGuard System-wide Mitigations
+ function Remove-All-SystemMitigations {
+
+ if (!(Test-IsAdmin)) {
+ throw "ERROR: No Administrator-Privileges detected!"; return
+ }
+
+ $Kernel = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel"
+
+ Try {
+ if ($Kernel.GetValue("MitigationOptions"))
+ { Write-Host "Removing System MitigationOptions"
+ Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationOptions" -ErrorAction Stop;
+ }
+ if ($Kernel.GetValue("MitigationAuditOptions"))
+ { Write-Host "Removing System MitigationAuditOptions"
+ Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
+ }
+ } Catch {
+ Write-Host "ERROR:" $_.Exception.Message "- System"
+ }
+ }
+
+ Remove-All-ProcessMitigations
+ Remove-All-SystemMitigations
+ ```
+
+2. Create and import an XML configuration file with the following default mitigations, as described in Import, export, and deploy Exploit Protection configurations:
+
+ ```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ```
+
+If you haven’t already, it's a good idea to download and use the [Windows Security Baselines](https://docs.microsoft.com/en-us/windows/device-security/windows-security-baselines) to complete your Exploit protection customization.
+
+## Related topics
+
+- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
+- [Evaluate Exploit protection](evaluate-exploit-protection.md)
+- [Enable Exploit protection](enable-exploit-protection.md)
+- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
+- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
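Review bot: In `Remove-ProcessMitigations`, the `Catch` block reports `$MitigationItemName`, which is not a parameter of that function; it resolves only because the caller happens to define a variable with that name, and for full-path subkeys it prints the parent entry instead of the `$Name` that was passed in. Use `$Name` there. In both `Remove-All-*` functions the `return` after `throw` is unreachable and can be dropped. The script deletes `MitigationOptions` and `MitigationAuditOptions` for every entry under Image File Execution Options and for the kernel key without confirmation, so the procedure should tell the administrator to export the current configuration before step 1. Outside the script: the front-matter `title` ("Deploy Exploit protection mitigations across your organization") matches neither the H1 nor the description, `ms.pagetype: security` appears twice, step 2 names the import topic without linking it, and the `xml` block in step 2 is empty as shown here, so confirm the default-mitigation XML actually made it into the file.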
diff --git a/windows/threat-protection/windows-defender-smartscreen/images/windows-defender-smartscreen-control.png b/windows/threat-protection/windows-defender-smartscreen/images/windows-defender-smartscreen-control.png
index b2700addba..e51cd9384c 100644
Binary files a/windows/threat-protection/windows-defender-smartscreen/images/windows-defender-smartscreen-control.png and b/windows/threat-protection/windows-defender-smartscreen/images/windows-defender-smartscreen-control.png differ
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
index bd04f6e218..9bffa0146b 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
@@ -6,9 +6,9 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-author: eross-msft
+author: jasongerend
ms.localizationpriority: high
-ms.date: 10/13/2017
+ms.date: 1/26/2018
---
# Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
**Applies to:**
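Review bot: `ms.date: 1/26/2018` drops the leading zero that other front-matter dates in this patch use (`01/24/2018`, `10/13/2017`). Use `01/26/2018` so the field stays in one MM/DD/YYYY form across topics.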
@@ -69,7 +69,8 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
## MDM settings
-If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices.
+If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices.
+For SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer).
Setting
@@ -84,8 +85,8 @@ If you manage your policies using Microsoft Intune, you'll want to use these MDM
URI full path. ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
Data type. Integer
Allowed values:
-
0 . Turns off Windows Defender SmartScreen.
-
1. Turns on Windows Defender SmartScreen.
+
0 . Turns off Windows Defender SmartScreen in Edge.
+
1. Turns on Windows Defender SmartScreen in Edge.
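Review bot: The added value descriptions keep the inconsistent punctuation of the lines they replace, "0 . Turns off" with a space before the period against "1. Turns on". Normalise both entries to the same form, and prefer "Microsoft Edge" over the bare "Edge" for the product name. The `EnableSmartScreenInShell` hunk that follows carries the same "0 ." pattern.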
@@ -108,8 +109,8 @@ If you manage your policies using Microsoft Intune, you'll want to use these MDM
URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
Data type. Integer
Allowed values:
-
0 . Turns off SmartScreen in Windows.
-
1. Turns on SmartScreen in Windows.
+
0 . Turns off SmartScreen in Windows for app and file execution.
+
1. Turns on SmartScreen in Windows for app and file execution.
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
index 356afd413a..e5b587a7fe 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
@@ -43,7 +43,7 @@ Windows Defender SmartScreen helps to provide an early warning system against we
- **Operating system integration.** SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
-- **Improved heuristics and telemetry.** SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.
+- **Improved heuristics and diagnostic data.** SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.
- **Management through Group Policy and Microsoft Intune.** SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md).
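Review bot: "Improved heuristics and diagnostic data" reads as though the diagnostic data itself were improved; the term swap was mechanical in this bullet label. Reword it, for example "Improved heuristics and use of diagnostic data", so the label still describes what SmartScreen does.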
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
index f24e15d243..508f23802e 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
@@ -50,7 +50,7 @@ Starting with Windows 10, version 1703 your employees can use Windows Defender S
- In the **SmartScreen from Microsoft Store apps** area:
- - **Block** or **Warn.** Warns employees that the sites and downloads used by Microsoft Store apps are potentially dangerous, but allows the action to continue.
+ - **Warn.** Warns employees that the sites and downloads used by Microsoft Store apps are potentially dangerous, but allows the action to continue.
- **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index c4674a31f4..044e461c43 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -458,7 +458,7 @@ There are no default locations included with WIP, you must add each of your netw
After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.
>[!Important]
->Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://tnstage.redmond.corp.microsoft.com/en-us/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate) topic.
+>Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate) topic.
**To upload your DRA certificate**
1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
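Review bot: Search the rest of the repo for `tnstage.redmond.corp.microsoft.com` before merging; the link fixed here exposed an internal staging hostname in public documentation and may not be the only occurrence. For the replacement, the URL path places the target in this same windows-information-protection folder; if that is so, a relative link to `create-and-verify-an-efs-dra-certificate.md` would match how other topics in this patch cross-reference each other and avoids hard-coding the `en-us` locale.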
@@ -530,4 +530,4 @@ Optionally, if you don’t want everyone in your organization to be able to shar
- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
>[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/whats-new/images/video-1709.jpg b/windows/whats-new/images/video-1709.jpg
new file mode 100644
index 0000000000..b54fe67cf6
Binary files /dev/null and b/windows/whats-new/images/video-1709.jpg differ
diff --git a/windows/whats-new/images/video-1709s.jpg b/windows/whats-new/images/video-1709s.jpg
new file mode 100644
index 0000000000..7abc313dd8
Binary files /dev/null and b/windows/whats-new/images/video-1709s.jpg differ
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index d16624d948..fb858f7d9e 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -16,8 +16,6 @@ Below is a list of some of the new and updated features in Windows 10, version 1
>[!NOTE]
>For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info).
-
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=whats-new-windows-10-version-1607.md).
## Deployment
@@ -37,7 +35,7 @@ Windows ICD now includes simplified workflows for creating provisioning packages
Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
-With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
+With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
Use Upgrade Readiness to get:
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index b12c9b5656..3b14218ea5 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -20,8 +20,6 @@ For more general info about Windows 10 features, see [Features available only on
>[!NOTE]
>Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update).
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=whats-new-windows-10-version-1703.md).
-
## Configuration
### Windows Configuration Designer
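Review bot: With the Feedback Hub line and the blank line after it removed, the visible lines leave the `>[!NOTE]` block directly followed by `## Configuration`. Confirm that a blank line still separates the note from the heading in the resulting file. The 1607 hunk removes the blank line before the link rather than after it, so the two pages may end up with different spacing at this spot.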
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index 0fcc66dd1c..8bf610b344 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
-ms.date: 10/26/2017
+ms.date: 01/24/2018
ms.localizationpriority: high
---
@@ -17,9 +17,11 @@ ms.localizationpriority: high
Below is a list of some of the new and updated content that discusses IT Pro features in Windows 10, version 1709, also known as the Fall Creators Update. Windows 10, version 1709 also contains all features and fixes included in previous cumulative updates to Windows 10, version 1703.
-A brief description of new or updated features in this version of Windows 10 is provided, with links to content with more detailed information.
+A brief description of new or updated features in this version of Windows 10 is provided, with links to content with more detailed information. The following 3-minute video summarizes these features.
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+
+
+> [!video https://www.microsoft.com/en-us/videoplayer/embed/43942201-bec9-4f8b-8ba7-2d9bfafa8bba?autoplay=false]
## Deployment
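Review bot: The added lines put two consecutive blank lines before the `> [!video ...]` embed; one is enough. The embed relies on the docs-specific `[!video]` extension, so a plain Markdown renderer shows only a quoted URL and the new sentence "The following 3-minute video summarizes these features" has nothing to point at; consider adding an ordinary link to the video as a fallback. The hard-coded "3-minute" will also go stale if the video is ever replaced.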