Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-20230727-security-book

Paolo Matarazzo 2023-07-27 10:26:40 +02:00
commit ea9c95230b
10 changed files with 324 additions and 87 deletions

View File

@ -640,6 +640,11 @@
"redirect_url": "/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/policy-csp-cloudpc.md",
"redirect_url": "/windows/client-management/mdm/clouddesktop-csp",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/policy-csp-location.md",
"redirect_url": "/windows/client-management/mdm/policy-configuration-service-provider",
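Review bot: the redirect target for policy-csp-cloudpc.md looks mismatched. The page being removed documents the Policy CSP CloudPC area (`./Device/Vendor/MSFT/Policy/Config/CloudPC/CloudPCConfiguration`, values 0 = Fast Switching, 1 = Boot to cloud PC), but the redirect sends readers to the CloudDesktop CSP reference (`/windows/client-management/mdm/clouddesktop-csp`), whose only node is EnableBootToCloudSharedPCMode. The nearest equivalent elsewhere in this commit is CloudDesktop/BootToCloudMode in Policy CSP (policy-csp-clouddesktop.md); confirm that `/windows/client-management/mdm/policy-csp-clouddesktop` is not the intended target.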

View File

@ -0,0 +1,149 @@
---
title: CloudDesktop CSP
description: Learn more about the CloudDesktop CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 07/25/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- CloudDesktop-Begin -->
# CloudDesktop CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- CloudDesktop-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CloudDesktop-Editable-End -->
<!-- CloudDesktop-Tree-Begin -->
The following list shows the CloudDesktop configuration service provider nodes:
- ./Device/Vendor/MSFT/CloudDesktop
- [EnableBootToCloudSharedPCMode](#enableboottocloudsharedpcmode)
<!-- CloudDesktop-Tree-End -->
<!-- Device-EnableBootToCloudSharedPCMode-Begin -->
## EnableBootToCloudSharedPCMode
<!-- Device-EnableBootToCloudSharedPCMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview [10.0.22631.2050] |
<!-- Device-EnableBootToCloudSharedPCMode-Applicability-End -->
<!-- Device-EnableBootToCloudSharedPCMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/CloudDesktop/EnableBootToCloudSharedPCMode
```
<!-- Device-EnableBootToCloudSharedPCMode-OmaUri-End -->
<!-- Device-EnableBootToCloudSharedPCMode-Description-Begin -->
<!-- Description-Source-DDF -->
Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. For enabling boot to cloud shared pc feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned.
<!-- Device-EnableBootToCloudSharedPCMode-Description-End -->
<!-- Device-EnableBootToCloudSharedPCMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-EnableBootToCloudSharedPCMode-Editable-End -->
<!-- Device-EnableBootToCloudSharedPCMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | false |
<!-- Device-EnableBootToCloudSharedPCMode-DFProperties-End -->
<!-- Device-EnableBootToCloudSharedPCMode-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| false (Default) | Not configured. |
| true | Boot to cloud shared pc mode enabled. |
<!-- Device-EnableBootToCloudSharedPCMode-AllowedValues-End -->
<!-- Device-EnableBootToCloudSharedPCMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-EnableBootToCloudSharedPCMode-Examples-End -->
<!-- Device-EnableBootToCloudSharedPCMode-End -->
<!-- CloudDesktop-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
## EnableBootToCloudSharedPCMode technical reference
EnableBootToCloudSharedPCMode setting is used to configure **Boot to Cloud** feature for shared user mode. When you enable this setting, multiple policies are applied to achieve the intended behavior.
> [!NOTE]
> It is recommended not to set any of the policies enforced by this setting to different values, as these policies help provide a smooth UX experience for the **Boot to Cloud** feature for shared user mode.
### MDM Policies
When this mode is enabled, these MDM policies are applied for the Device scope (all users):
| Setting | Value | Value Description |
|----------------------------------------------------------------------------------------------------------------------------|---------|-------------------------------------------------------------|
| [CloudDesktop/BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) | 1 | Enable Boot to Cloud Desktop |
| [WindowsLogon/OverrideShellProgram](policy-csp-windowslogon.md#overrideshellprogram) | 1 | Apply Lightweight Shell |
| [ADMX_CredentialProviders/DefaultCredentialProvider](policy-csp-admx-credentialproviders.md#defaultcredentialprovider) | Enabled | Configures default credential provider to password provider |
| [ADMX_Logon/DisableExplorerRunLegacy_2](policy-csp-admx-logon.md#disableexplorerrunlegacy_2) | Enabled | Don't process the computer legacy run list |
| [TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode](policy-csp-textinput.md#enabletouchkeyboardautoinvokeindesktopmode) | 1 | When no keyboard is attached |
### Group Policies
When this mode is enabled, these local group policies are configured for all users:
| Policy setting | Status |
|------------------------------------------------------------------------------------------------------------------------|---------------------------------------|
| Security Settings/Local Policies/Security Options/User Account Control: Behavior of elevation prompt for standard user | Automatically deny elevation requests |
| Security Settings/Local Policies/Security Options/Interactive logon: Don't display last signed-in | Enabled |
| Control Panel/Personalization/Prevent enabling lock screen slide show | Enabled |
| System/Logon/Block user from showing account details on sign-in | Enabled |
| System/Logon/Enumerate local users on domain-joined computers | Disabled |
| System/Logon/Hide entry points for Fast User Switching | Enabled |
| System/Logon/Show first sign-in animation | Disabled |
| System/Logon/Turn off app notifications on the lock screen | Enabled |
| System/Logon/Turn off picture password sign-in | Enabled |
| System/Logon/Turn on convenience PIN sign-in | Disabled |
| Windows Components/App Package Deployment/Allow a Windows app to share application data between users | Enabled |
| Windows Components/Biometrics/Allow the use of biometrics | Disabled |
| Windows Components/Biometrics/Allow users to log on using biometrics | Disabled |
| Windows Components/Biometrics/Allow domain users to log on using biometrics | Disabled |
| Windows Components/File Explorer/Show lock in the user tile menu | Disabled |
| Windows Components/File History/Turn off File History | Enabled |
| Windows Components/OneDrive/Prevent the usage of OneDrive for file storage | Enabled |
| Windows Components/Windows Hello for Business/Use biometrics | Disabled |
| Windows Components/Windows Hello for Business/Use Windows Hello for Business | Disabled |
| Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart | Disabled |
| Windows Components/Microsoft Passport for Work | Disabled |
| System/Ctrl+Alt+Del Options/Remove Task Manager | Enabled |
| System/Ctrl+Alt+Del Options/Remove Change Password | Enabled |
| Start Menu and Taskbar/Notifications/Turn off toast notifications | Enabled |
| Start Menu and Taskbar/Notifications/Remove Notifications and Action Center | Enabled |
| System/Logon/Do not process the legacy run list | Enabled |
### Registry
When this mode is enabled, these registry changes are performed:
| Registry setting | Status |
|----------------------------------------------------------------------------------------------|--------|
| Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0 |
| Software\Policies\Microsoft\PassportForWork\Enabled (Use Microsoft Passport for Work) | 0 |
<!-- CloudDesktop-CspMoreInfo-End -->
<!-- CloudDesktop-End -->
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
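Review bot: the technical reference does not say what happens when EnableBootToCloudSharedPCMode is set back to false or the node is deleted, even though the node supports Delete and Replace: are the MDM policies, local group policies and registry values listed here reverted, or do they persist? Since the list disables Windows Hello for Business, biometrics and convenience PIN sign-in and auto-denies UAC elevation for standard users, admins need to know whether a device that leaves shared mode keeps that posture. Two smaller points in the same section: the registry table gives paths without a hive (`Software\Policies\Microsoft\PassportForWork\Enabled`), so state it (presumably HKLM, since the mode applies at device scope), and the column header "Status" holds a value (0), so "Value" would be clearer.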

View File

@ -0,0 +1,95 @@
---
title: CloudDesktop DDF file
description: View the XML file containing the device description framework (DDF) for the CloudDesktop configuration service provider.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 07/25/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
# CloudDesktop DDF file
The following XML file contains the device description framework (DDF) for the CloudDesktop configuration service provider.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN" "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<MSFT:Diagnostics>
</MSFT:Diagnostics>
<Node>
<NodeName>CloudDesktop</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The CloudDesktop configuration service provider is used to configure different Cloud PC related scenarios.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>22631.2050</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>EnableBootToCloudSharedPCMode</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. For enabling boot to cloud shared pc feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Enable boot to cloud shared PC mode</DFTitle>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Not configured</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Boot to cloud shared pc mode enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```
## Related articles
[CloudDesktop configuration service provider reference](clouddesktop-csp.md)
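Review bot: the Description text of EnableBootToCloudSharedPCMode in this DDF is the source for the generated CSP page (its description block is marked Description-Source-DDF), so the wording needs fixing here rather than in the markdown: "sign-in" used as a verb ("seamlessly sign-in to a Cloud PC", "multiple users to sign-in") should be "sign in", "use for shared purpose" should read "use it for a shared purpose", and "shared pc" should match the "Shared PC" casing used earlier in the same sentence and in the technical reference.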

View File

@ -4,7 +4,7 @@ description: Learn more about the CloudDesktop Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/10/2023
ms.date: 07/25/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -71,6 +71,69 @@ This policy allows the user to configure the boot to cloud mode. Boot to Cloud m
<!-- BootToCloudMode-End -->
<!-- SetMaxConnectionTimeout-Begin -->
## SetMaxConnectionTimeout
<!-- SetMaxConnectionTimeout-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview [10.0.22631.2050] |
<!-- SetMaxConnectionTimeout-Applicability-End -->
<!-- SetMaxConnectionTimeout-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/CloudDesktop/SetMaxConnectionTimeout
```
<!-- SetMaxConnectionTimeout-OmaUri-End -->
<!-- SetMaxConnectionTimeout-Description-Begin -->
<!-- Description-Source-DDF -->
IT admins can use this policy to set the max connection timeout. The connection timeout decides the max wait time for connecting to Cloud PC after sign in. The default max value is 5 min. For best user experience, it's recommended to continue with the default timeout of 5 min. Update only if it takes more than 5 min to connect to the Cloud PC in your organization.
<!-- SetMaxConnectionTimeout-Description-End -->
<!-- SetMaxConnectionTimeout-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetMaxConnectionTimeout-Editable-End -->
<!-- SetMaxConnectionTimeout-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 5 |
<!-- SetMaxConnectionTimeout-DFProperties-End -->
<!-- SetMaxConnectionTimeout-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 5 (Default) | 5 min. |
| 6 | 6 min. |
| 7 | 7 min. |
| 8 | 8 min. |
| 9 | 9 min. |
| 10 | 10 min. |
| 11 | 11 min. |
| 12 | 12 min. |
| 13 | 13 min. |
| 14 | 14 min. |
| 15 | 15 min. |
| 16 | 16 min. |
| 17 | 17 min. |
| 18 | 18 min. |
| 19 | 19 min. |
| 20 | 20 min. |
<!-- SetMaxConnectionTimeout-AllowedValues-End -->
<!-- SetMaxConnectionTimeout-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetMaxConnectionTimeout-Examples-End -->
<!-- SetMaxConnectionTimeout-End -->
<!-- CloudDesktop-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- CloudDesktop-CspMoreInfo-End -->
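Review bot: the description of SetMaxConnectionTimeout states neither the unit of the integer nor what the client does when the timeout elapses. The allowed-values table implies minutes (5 through 20), but the description only says "The default max value is 5 min", which reads as if 5 were the upper bound rather than the default; suggest "The value is in minutes; the default is 5 and the allowed range is 5 to 20." plus a sentence on what the user sees when the timeout expires, so admins can judge the effect of raising it.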

View File

@ -1,80 +0,0 @@
---
title: CloudPC Policy CSP
description: Learn more about the CloudPC Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 12/27/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- CloudPC-Begin -->
# Policy CSP - CloudPC
<!-- CloudPC-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CloudPC-Editable-End -->
<!-- CloudPCConfiguration-Begin -->
## CloudPCConfiguration
<!-- CloudPCConfiguration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- CloudPCConfiguration-Applicability-End -->
<!-- CloudPCConfiguration-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/CloudPC/CloudPCConfiguration
```
<!-- CloudPCConfiguration-OmaUri-End -->
<!-- CloudPCConfiguration-Description-Begin -->
<!-- Description-Source-DDF -->
This policy is used by IT admin to set the configuration mode of cloud PC.
<!-- CloudPCConfiguration-Description-End -->
<!-- CloudPCConfiguration-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CloudPCConfiguration-Editable-End -->
<!-- CloudPCConfiguration-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- CloudPCConfiguration-DFProperties-End -->
<!-- CloudPCConfiguration-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Fast Switching Configuration. |
| 1 | Boot to cloud PC Configuration. |
<!-- CloudPCConfiguration-AllowedValues-End -->
<!-- CloudPCConfiguration-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- CloudPCConfiguration-Examples-End -->
<!-- CloudPCConfiguration-End -->
<!-- CloudPC-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- CloudPC-CspMoreInfo-End -->
<!-- CloudPC-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
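Review bot: policy-csp-cloudpc.md is deleted without any deprecation note for the OMA-URI it documented (`./Device/Vendor/MSFT/Policy/Config/CloudPC/CloudPCConfiguration`, values 0 = Fast Switching, 1 = Boot to cloud PC). Nothing in this commit tells an admin who has that URI in an existing profile whether it still applies or which CloudDesktop policy replaces it (the closest visible candidate is CloudDesktop/BootToCloudMode in policy-csp-clouddesktop.md); a short migration note on the replacement page or the redirect target would close that gap.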

View File

@ -384,8 +384,6 @@ items:
href: policy-csp-cellular.md
- name: CloudDesktop
href: policy-csp-clouddesktop.md
- name: CloudPC
href: policy-csp-cloudpc.md
- name: Connectivity
href: policy-csp-connectivity.md
- name: ControlPolicyConflict
@ -631,6 +629,11 @@ items:
items:
- name: ClientCertificateInstall DDF file
href: clientcertificateinstall-ddf-file.md
- name: CloudDesktop
href: clouddesktop-csp.md
items:
- name: CloudDesktop DDF file
href: clouddesktop-ddf-file.md
- name: CM_CellularEntries
href: cm-cellularentries-csp.md
- name: CMPolicy

View File

@ -48,7 +48,9 @@ items:
href: https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815
- name: Secured-core PC 🔗
href: /windows-hardware/design/device-experiences/oem-highly-secure-11
- name: Secured-core PC configuration lock
href: /windows/client-management/config-lock 🔗
- name: Kernel Direct Memory Access (DMA) protection
href: kernel-dma-protection-for-thunderbolt.md
- name: System Guard Secure Launch
href: system-guard-secure-launch-and-smm-protection.md
href: system-guard-secure-launch-and-smm-protection.md
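Review bot: the 🔗 marker on the new "Secured-core PC configuration lock" entry sits on the `href` line (`href: /windows/client-management/config-lock 🔗`) instead of in `name`, unlike the neighbouring "Secured-core PC 🔗" entry, so the emoji becomes part of the link target and the URL will not resolve; move it to `name: Secured-core PC configuration lock 🔗`.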

View File

@ -43,6 +43,8 @@ items:
href: ../threat-protection/security-policy-settings/security-policy-settings.md
- name: Advanced credential protection
items:
- name: Configuring LSA Protection
href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
- name: Windows Defender Credential Guard
href: credential-guard/toc.yml
- name: Windows Defender Remote Credential Guard
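Review bot: the "Configuring LSA Protection" entry added here drops the `preserveContext: true` that the same entry carries where it is removed further down in this commit (`href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection` followed by `preserveContext: true`), and, unlike the other cross-docset entries in these TOCs ("Microsoft Defender Antivirus 🔗", "Secured-core PC 🔗"), its name has no 🔗 marker. Confirm both omissions are intended, since the target is a windows-server page outside this docset.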

View File

@ -7,7 +7,7 @@ items:
href: virus-and-threat-protection/toc.yml
- name: Network security
href: network-security/toc.yml
- name: Data protection
- name: Encryption and data protection
href: data-protection/toc.yml
- name: Device management
href: device-management/toc.yml

View File

@ -1,8 +1,6 @@
items:
- name: Microsoft Defender Antivirus 🔗
href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows
- name: Configuring LSA Protection
href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
preserveContext: true
- name: Attack surface reduction (ASR) 🔗
href: /microsoft-365/security/defender-endpoint/attack-surface-reduction