deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-09 11:57:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Release mcc ent (#1)

Browse Source 
* smb adds

* smb adds

* formatting

* private preview and support content

* edit removed and dep

* Fix blocking issues

* Acro-fix

* 24H2 CSP Updates

* Fix link

* fix link in dep page

* edit

* edit index file

* syntax-fix-24h2

* ltsc-edits

* ltsc-edits

* lichris-docs-1

* Acrolinx improvements

* refresh for maxado-8631996

* update link for maxado-8631993

* additional edits, acrolinx

* ltsc-tw

* contentsource-8914508

* contentsource-8914508

* Updates for 1 October release

* Set stale debug to false

* update gp link for 24h2

* additional changes

* Changes to updates, acrolinx changes

* fixes broken links

* Fixed alignment issues

* updates from Rafal

* fixed acrolinx

* so many link fixes

* added release notes and troubleshoot content

* updates

* Update security-compliance-toolkit-10.md

Added Windows 11 24H2

* Update get-support-for-security-baselines.md

Updated for Windows 11 24H2

* bump date

* bump date

* fix pde comment

* fixing broken link

* Fix broken redirections

* fix to rel link

* reset head, fix link

* add cli to deploy, add script to cli

* removing "mcce"

* edits to create page

* Update default and global release policies OS version and dates to latest release values

* emoved e from mcce and other changes

* updated example script

* added important notice to update page

* more update page changes

* clarified how proxy configuration is used

* anonymizing variables in example script

* revise example script

* acrolinx fixes to update page

* changes to other pages and content in overview page

* Update broken link

Update broken link

* Update windows-sandbox-configure-using-wsb-file.md

Update `HostFolder` value description in `MappedFolder`, specifying that the path could be absolute or relative, not only absolute as, instead, is for the `SandboxFolder` value.

* Remove bad link

Removed bad link. There is already a second link referring to content so no need to replace the link.

* docfx update for security book

* Correct TOC entry changing Windows 10 to Windows

* Update whats-new-do.md

- Vpn to VPN
- Minor improvements

* Updated date for freshness reporting

* Add EOS callout

Fix some obvious Acrolinx issues

* Fixed typo added clarity

* Update mcc-ent-deploy-to-windows.md

* Update .openpublishing.redirection.windows-deployment.json

* Update .openpublishing.redirection.windows-deployment.json

* Update policy-csp-localpoliciessecurityoptions.md

* Correct indentation and spacing

* Acrolinx: "Enteprise"

* Update mcc-ent-edu-overview.md

* refresh

* Remove redirection and final bits of store-for-business

store-for-business, AKA /microsoft-store/, is retired, and the content is archived in officearchive-pr. This archival was for ADO task 9268422.

* added support content and other changes

* fixed tabs

* fixed tabs

* Updated device reg policy and group information

* Update delivery-optimization-endpoints.md

Added a line item in MCC table for Outlook *res.cdn.office.net requirement

* freshness review

* Fix broken links

* Minor change

* content for faq

* changes to landing page

* more content to faqs

* pencil edit

* add copilot exps link

* edits and ren cli file temporarily

* ren file back and edit toc to lowercase

* edit

* edit

* edit

* Update windows-autopatch-configure-network.md

Adding a new network endpoint required for the service 'device.autopatch.microsoft.com' @tiaraquan

* Clarify some points and remove data that is confusing to customers.

* fix syntax

* Sentence correction

* Update windows/deployment/do/waas-delivery-optimization-faq.yml

Co-authored-by: Meghan Stewart <33289333+mestew@users.noreply.github.com>

* Update windows/deployment/do/waas-delivery-optimization-faq.yml

Co-authored-by: Meghan Stewart <33289333+mestew@users.noreply.github.com>

* moved shortcuts under policy settings article

---------

Co-authored-by: Alma Jenks <v-alje@microsoft.com>
Co-authored-by: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Co-authored-by: Stacyrch140 <102548089+Stacyrch140@users.noreply.github.com>
Co-authored-by: Nidhi Doshi <77081571+doshnid@users.noreply.github.com>
Co-authored-by: Gary Moore <5432776+garycentric@users.noreply.github.com>
Co-authored-by: Vinay Pamnani (from Dev Box) <vinpa@microsoft.com>
Co-authored-by: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Co-authored-by: Aaron Czechowski <aczechowski@users.noreply.github.com>
Co-authored-by: Aditi Srivastava <133841950+aditisrivastava07@users.noreply.github.com>
Co-authored-by: Daniel H. Brown <32883970+DHB-MSFT@users.noreply.github.com>
Co-authored-by: David Strome <21028455+dstrome@users.noreply.github.com>
Co-authored-by: Padma Jayaraman <v-padmaj@microsoft.com>
Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Co-authored-by: Rebecca Agiewich <16087112+rjagiewich@users.noreply.github.com>
Co-authored-by: Rick Munck <33725928+jmunck@users.noreply.github.com>
Co-authored-by: Tanaka <Huios@users.noreply.github.com>
Co-authored-by: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Co-authored-by: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Co-authored-by: Davide Piccinini <davide.piccinini.95@gmail.com>
Co-authored-by: Phil Garcia <phil@thinkedge.com>
Co-authored-by: Learn Build Service GitHub App <Learn Build Service LearnBuild@microsoft.com>
Co-authored-by: tiaraquan <tiaraquan@microsoft.com>
Co-authored-by: Caitlin Hart <caithart@microsoft.com>
Co-authored-by: Harman Thind <63820404+hathin@users.noreply.github.com>
Co-authored-by: [cmknox] <[cmknox@gmail.com]>
Co-authored-by: Carmen Forsmann <cmforsmann@live.com>
This commit is contained in:
Chris J. Lin 2024-10-17 11:34:07 -07:00 committed by GitHub
parent 3efe506fe0
commit ef1c69b439
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
396 changed files with 12665 additions and 7303 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/Stale.yml vendored
View File

@ -13,7 +13,7 @@ jobs:
stale:
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-Stale.yml@workflows-prod
with:
RunDebug: true
RunDebug: false
RepoVisibility: ${{ github.repository_visibility }}
secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }}

1
.openpublishing.publish.config.json
View File

@ -251,7 +251,6 @@
".openpublishing.redirection.browsers.json",
".openpublishing.redirection.education.json",
".openpublishing.redirection.json",
".openpublishing.redirection.store-for-business.json",
".openpublishing.redirection.windows-application-management.json",
".openpublishing.redirection.windows-client-management.json",
".openpublishing.redirection.windows-configuration.json",

299
.openpublishing.redirection.store-for-business.json
View File

@ -1,299 +0,0 @@
{
"redirections": [
{
"source_path": "store-for-business/acquire-apps-windows-store-for-business.md",
"redirect_url": "/microsoft-store/acquire-apps-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/add-unsigned-app-to-code-integrity-policy.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control",
"redirect_document_id": false
},
{
"source_path": "store-for-business/app-inventory-managemement-windows-store-for-business.md",
"redirect_url": "/microsoft-store/app-inventory-management-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/app-inventory-management-windows-store-for-business.md",
"redirect_url": "/microsoft-store/app-inventory-management-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/apps-in-windows-store-for-business.md",
"redirect_url": "/microsoft-store/apps-in-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/configure-mdm-provider-windows-store-for-business.md",
"redirect_url": "/microsoft-store/configure-mdm-provider-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/device-guard-signing-portal.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md",
"redirect_url": "/microsoft-store/distribute-apps-to-your-employees-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-apps-windows-store-for-business-overview.md",
"redirect_url": "/microsoft-store/manage-apps-microsoft-store-for-business-overview",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-mpsa-software-microsoft-store-for-business.md",
"redirect_url": "/microsoft-store/index",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-orders-windows-store-for-business.md",
"redirect_url": "/microsoft-store/manage-orders-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-settings-windows-store-for-business.md",
"redirect_url": "/microsoft-store/manage-settings-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-users-and-groups-windows-store-for-business.md",
"redirect_url": "/microsoft-store/manage-users-and-groups-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/prerequisites-windows-store-for-business.md",
"redirect_url": "/microsoft-store/prerequisites-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/roles-and-permissions-windows-store-for-business.md",
"redirect_url": "/microsoft-store/roles-and-permissions-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/settings-reference-windows-store-for-business.md",
"redirect_url": "/microsoft-store/settings-reference-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/sign-code-integrity-policy-with-device-guard-signing.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering",
"redirect_document_id": false
},
{
"source_path": "store-for-business/sign-up-microsoft-store-for-business.md",
"redirect_url": "/microsoft-store",
"redirect_document_id": false
},
{
"source_path": "store-for-business/sign-up-windows-store-for-business-overview.md",
"redirect_url": "/microsoft-store/sign-up-microsoft-store-for-business-overview",
"redirect_document_id": false
},
{
"source_path": "store-for-business/sign-up-windows-store-for-business.md",
"redirect_url": "/microsoft-store/index",
"redirect_document_id": false
},
{
"source_path": "store-for-business/troubleshoot-windows-store-for-business.md",
"redirect_url": "/microsoft-store/troubleshoot-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/update-windows-store-for-business-account-settings.md",
"redirect_url": "/microsoft-store/update-microsoft-store-for-business-account-settings",
"redirect_document_id": false
},
{
"source_path": "store-for-business/windows-store-for-business-overview.md",
"redirect_url": "/microsoft-store/microsoft-store-for-business-overview",
"redirect_document_id": false
},
{
"source_path": "store-for-business/work-with-partner-microsoft-store-business.md",
"redirect_url": "/microsoft-365/commerce/manage-partners",
"redirect_document_id": false
},
{
"source_path": "store-for-business/acquire-apps-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/add-profile-to-devices.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/app-inventory-management-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/apps-in-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/assign-apps-to-employees.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/billing-payments-overview.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/billing-profile.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/billing-understand-your-invoice-msfb.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/configure-mdm-provider-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/distribute-apps-from-your-private-store.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/distribute-apps-with-management-tool.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/distribute-offline-apps.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/find-and-acquire-apps-overview.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/index.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-access-to-private-store.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-apps-microsoft-store-for-business-overview.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-orders-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-private-store-settings.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-settings-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-users-and-groups-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/microsoft-store-for-business-education-powershell-module.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/microsoft-store-for-business-overview.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/notifications-microsoft-store-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/payment-methods.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/prerequisites-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/release-history-microsoft-store-business-education.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/roles-and-permissions-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/settings-reference-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/sfb-change-history.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/sign-up-microsoft-store-for-business-overview.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/troubleshoot-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/update-microsoft-store-for-business-account-settings.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/whats-new-microsoft-store-business-education.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/working-with-line-of-business-apps.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
}
]
}

15
.openpublishing.redirection.windows-deployment.json
View File

@ -125,6 +125,21 @@
"redirect_url": "/windows/deployment/do/waas-microsoft-connected-cache",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/do/mcc-ent-configure-provision-linux.md",
"redirect_url": "/windows/deployment/do/mcc-ent-deploy-to-linux",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/do/mcc-ent-configure-provision-windows.md",
"redirect_url": "/windows/deployment/do/mcc-ent-deploy-to-windows",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/do/mcc-ent-update-cache.md",
"redirect_url": "/windows/deployment/do/mcc-ent-uninstall-cache-node",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/act-technical-reference.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/compatibility-administrator-users-guide",

4633
.openpublishing.redirection.windows-security.json
View File

File diff suppressed because it is too large Load Diff

12
education/windows/index.yml
View File

@ -12,22 +12,16 @@ metadata:
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.date: 07/22/2024
ms.date: 10/10/2024
highlightedContent:
items:
- title: Get started with Windows 11 SE
itemType: get-started
url: windows-11-se-overview.md
- title: Windows 11, version 23H2
- title: Windows 11, version 24H2
itemType: whats-new
url: /windows/whats-new/whats-new-windows-11-version-23h2
url: /windows/whats-new/whats-new-windows-11-version-24h2
- title: Explore all Windows trainings and learning paths for IT pros
itemType: learn
url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator
- title: Deploy applications to Windows 11 SE with Intune
itemType: how-to-guide
url: /education/windows/tutorial-deploy-apps-winse
productDirectory:
title: Get started

6
education/windows/windows-11-se-faq.yml
View File

@ -1,9 +1,9 @@
### YamlMime:FAQ
metadata:
title: Windows 11 SE Frequently Asked Questions (FAQ)
description: Use these frequently asked questions (FAQ) to learn important details about Windows 11 SE.
description: Use these frequently asked questions (FAQ) to learn important details about Windows 11 SE.
ms.topic: faq
ms.date: 01/16/2024
ms.date: 10/10/2024
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
@ -30,7 +30,7 @@ sections:
- Express yourself and celebrate accomplishments with the *emoji and GIF panel* and *Stickers*
- name: Deployment
questions:
- question: Can I load Windows 11 SE on any hardware?
- question: Can I load Windows 11 SE on any hardware?
answer: |
Windows 11 SE is only available on devices that are built for education. To learn more, see [Windows 11 SE Overview](/education/windows/windows-11-se-overview).
- question: Can I PXE boot a Windows SE device?

6
education/windows/windows-11-se-overview.md
View File

@ -2,7 +2,7 @@
title: Windows 11 SE Overview
description: Learn about Windows 11 SE, and the apps that are included with the operating system.
ms.topic: overview
ms.date: 01/09/2024
ms.date: 10/10/2024
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
ms.collection:
@ -96,9 +96,9 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `CKAuthenticator` | 3.6+ | `Win32` | `ContentKeeper` |
| `Class Policy` | 116.0.0 | `Win32` | `Class Policy` |
| `Classroom.cloud` | 1.40.0004 | `Win32` | `NetSupport` |
| `Clipchamp` | 2.5.2. | `Store` | `Microsoft` |
| `Clipchamp` | 2.5.2. | `Store` | `Microsoft` |
| `CoGat Secure Browser` | 11.0.0.19 | `Win32` | `Riverside Insights` |
| `ColorVeil` | 4.0.0.175 | `Win32` | `East-Tec` |
| `ColorVeil` | 4.0.0.175 | `Win32` | `East-Tec` |
| `ContentKeeper Cloud` | 9.01.45 | `Win32` | `ContentKeeper Technologies` |
| `DigiExam` | 14.1.0 | `Win32` | `Digiexam` |
| `Digital Secure testing browser` | 15.0.0 | `Win32` | `Digiexam` |

2
education/windows/windows-11-se-settings-list.md
View File

@ -2,7 +2,7 @@
title: Windows 11 SE settings list
description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change.
ms.topic: reference
ms.date: 05/06/2024
ms.date: 10/10/2024
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
ms.collection:

6
includes/licensing/windows-defender-application-control-wdac.md
View File

@ -1,19 +1,19 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 09/18/2023
ms.date: 09/23/2024
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Windows Defender Application Control (WDAC):
The following table lists the Windows editions that support App Control for Business:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Windows Defender Application Control (WDAC) license entitlements are granted by the following licenses:
App Control license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|

7
store-for-business/breadcrumb/toc.yml
View File

@ -1,7 +0,0 @@
- name: Docs
tocHref: /
topicHref: /
items:
- name: Microsoft Store for Business
tocHref: /microsoft-store
topicHref: /microsoft-store/index

81
store-for-business/docfx.json
View File

@ -1,81 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/**.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"adobe-target": true,
"ms.collection": [
"tier2"
],
"breadcrumb_path": "/microsoft-store/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Archive",
"is_archived": true,
"is_retired": true,
"ROBOTS": "NOINDEX,NOFOLLOW",
"ms.author": "trudyha",
"audience": "ITPro",
"ms.service": "store-for-business",
"ms.topic": "article",
"ms.date": "05/09/2017",
"searchScope": [
"Store"
],
"feedback_system": "None",
"hideEdit": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.store-for-business",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"dstrome2",
"rjagiewich",
"American-Dipper",
"claydetels19",
"jborsecnik",
"v-stchambers",
"shdyas",
"Stacyrch140",
"garycentric",
"dstrome",
"alekyaj",
"aditisrivastava07",
"padmagit77"
]
},
"fileMetadata": {},
"template": [],
"dest": "store-for-business",
"markdownEngineName": "markdig"
}
}

2
windows/application-management/index.yml
View File

@ -9,7 +9,7 @@ metadata:
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 06/28/2024
ms.date: 09/27/2024
ms.topic: landing-page
ms.service: windows-client
ms.subservice: itpro-apps

22
windows/application-management/per-user-services-in-windows.md
View File

@ -4,7 +4,7 @@ description: Learn about per-user services, how to change the template service s
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 12/22/2023
ms.date: 10/01/2024
ms.topic: how-to
ms.service: windows-client
ms.subservice: itpro-apps
@ -99,7 +99,7 @@ $services = Get-Service
foreach ( $service in $services ) {
# For each specific service, check if the service type property includes the 64 bit using the bitwise AND operator (-band).
# If the result equals the flag value, then the service is a per-user service.
if ( ( $service.ServiceType -band $flag ) -eq $flag ) {
if ( ( $service.ServiceType -band $flag ) -eq $flag ) {
# When a per-user service is found, then add that service object to the results array.
$serviceList += $service
}
@ -229,14 +229,14 @@ If you can't use group policy preferences to manage the per-user services, you c
1. The following example includes multiple commands that disable the specified Windows services by changing their **Start** value in the Windows Registry to `4`:
```cmd
REG.EXE ADD HKLM\System\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\OneSyncSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\UnistoreSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\UserDataSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t REG_DWORD /d 4 /f
```
```cmd
REG.EXE ADD HKLM\System\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\OneSyncSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\UnistoreSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\UserDataSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t REG_DWORD /d 4 /f
```
#### Example 2: Use the Registry Editor user interface to edit the registry
@ -248,7 +248,7 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE
1. Change the **Value data** to `4`.
:::image type="content" source="media/regedit-change-service-startup-type.png" alt-text="Screenshot of the Registry Editor open to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPSvc and highlighting the Start value set to 4.":::
:::image type="content" source="media/regedit-change-service-startup-type.png" alt-text="Screenshot of the Registry Editor open to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPSvc and highlighting the Start value set to 4.":::
#### Example 3: Prevent the creation of per-user services

2
windows/application-management/sideload-apps-in-windows.md
View File

@ -4,7 +4,7 @@ description: Learn how to sideload line-of-business (LOB) apps in Windows client
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 12/22/2023
ms.date: 09/27/2024
ms.topic: how-to
ms.service: windows-client
ms.subservice: itpro-apps

2
windows/client-management/manage-windows-copilot.md
View File

@ -16,7 +16,7 @@ appliesto:
# Updated Windows and Microsoft Copilot experience
<!--8445848, 9294806-->
>**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/topic/675708af-8c16-4675-afeb-85a5a476ccb0).
>**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/topic/675708af-8c16-4675-afeb-85a5a476ccb0). **Looking for more information on Microsoft Copilot experiences?** See [Understanding the different Microsoft Copilot experiences](https://support.microsoft.com/topic/cfff4791-694a-4d90-9c9c-1eb3fb28e842).
## Enhanced data protection with enterprise data protection

8
windows/client-management/mdm/applicationcontrol-csp.md
View File

@ -11,9 +11,9 @@ ms.date: 01/31/2024
<!-- ApplicationControl-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for policy deployment (introduced in Windows 10, version 1709) without reboot. Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.
App Control for Business policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/application-security/application-control/app-control-for-business/design/deploy-multiple-appcontrol-policies) (introduced in Windows 10, version 1903). It also provides support for policy deployment (introduced in Windows 10, version 1709) without reboot. Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.
Existing Windows Defender Application Control (WDAC) policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment using the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
Existing App Control for Business policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although App Control policy deployment using the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
<!-- ApplicationControl-Editable-End -->
<!-- ApplicationControl-Tree-Begin -->
@ -861,7 +861,7 @@ The following table provides the result of this policy based on different values
## Microsoft Intune Usage Guidance
For customers using Intune standalone or hybrid management with Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
For customers using Intune standalone or hybrid management with Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy App Control for Business policies by using Microsoft Intune](/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-intune).
## Generic MDM Server Usage Guidance
@ -1014,7 +1014,7 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Co
### Setup for using the WMI Bridge
1. Convert your WDAC policy to Base64.
1. Convert your App Control policy to Base64.
2. Open PowerShell in Local System context (through PSExec or something similar).
3. Use WMI Interface:

6
windows/client-management/mdm/clouddesktop-ddf-file.md
View File

@ -1,7 +1,7 @@
---
title: CloudDesktop DDF file
description: View the XML file containing the device description framework (DDF) for the CloudDesktop configuration service provider.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the C
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>2.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
@ -139,7 +139,7 @@ The following XML file contains the device description framework (DDF) for the C
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.22621.3374</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>

4
windows/client-management/mdm/configuration-service-provider-ddf.md
View File

@ -13,7 +13,7 @@ This article lists the OMA DM device description framework (DDF) files for vario
As of December 2022, DDF XML schema was updated to include additional information such as OS build applicability. DDF v2 XML files for Windows 10 and Windows 11 are combined, and provided in a single download:
- [DDF v2 Files, May 2024](https://download.microsoft.com/download/f/6/1/f61445f7-1d38-45f7-bc8c-609b86e4aabc/DDFv2May24.zip)
- [DDF v2 Files, September 2024](https://download.microsoft.com/download/a/a/a/aaadc008-67d4-4dcd-b864-70c479baf7d6/DDFv2September24.zip)
## DDF v2 schema
@ -574,7 +574,7 @@ DDF v2 XML schema definition is listed below along with the schema definition fo
## Older DDF files
You can download the older DDF files for various CSPs from the links below:
- [Download all the DDF files for Windows 10 and 11 May 2024](https://download.microsoft.com/download/f/6/1/f61445f7-1d38-45f7-bc8c-609b86e4aabc/DDFv2May24.zip)
- [Download all the DDF files for Windows 10 and 11 September 2023](https://download.microsoft.com/download/0/e/c/0ec027e5-8971-49a2-9230-ec9352bc3ead/DDFv2September2023.zip)
- [Download all the DDF files for Windows 10 and 11 December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip)
- [Download all the DDF files for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/Windows10_2004_DDF_download.zip)

6
windows/client-management/mdm/defender-csp.md
View File

@ -1,7 +1,7 @@
---
title: Defender CSP
description: Learn more about the Defender CSP.
ms.date: 06/21/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -1289,7 +1289,7 @@ Define data duplication remote location for Device Control. When configuring thi
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Description-Begin -->
<!-- Description-Source-DDF -->
Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 25 days when enabled.
Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 30 days when enabled.
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Description-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Editable-Begin -->
@ -1304,7 +1304,7 @@ Configure how many days can pass before an aggressive quick scan is triggered. T
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[7-60]` |
| Default Value | 25 |
| Default Value | 30 |
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-DFProperties-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Examples-Begin -->

6
windows/client-management/mdm/defender-ddf.md
View File

@ -1,7 +1,7 @@
---
title: Defender DDF file
description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider.
ms.date: 06/28/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -2373,8 +2373,8 @@ The following XML file contains the device description framework (DDF) for the D
<Get />
<Replace />
</AccessType>
<DefaultValue>25</DefaultValue>
<Description>Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 25 days when enabled.</Description>
<DefaultValue>30</DefaultValue>
<Description>Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 30 days when enabled.</Description>
<DFFormat>
<int />
</DFFormat>

4
windows/client-management/mdm/firewall-csp.md
View File

@ -1,7 +1,7 @@
---
title: Firewall CSP
description: Learn more about the Firewall CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -2221,7 +2221,7 @@ Specifies the friendly name of the firewall rule.
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Description-Begin -->
<!-- Description-Source-DDF -->
Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ""., and "_". A PolicyAppId and ServiceName can't be specified in the same rule.
Specifies one App Control tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ""., and "_". A PolicyAppId and ServiceName can't be specified in the same rule.
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Description-End -->
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Editable-Begin -->

10
windows/client-management/mdm/index.yml
View File

@ -9,7 +9,7 @@ metadata:
ms.topic: landing-page
ms.collection:
- tier1
ms.date: 10/25/2023
ms.date: 10/07/2024
ms.localizationpriority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@ -27,8 +27,8 @@ landingContent:
url: configuration-service-provider-support.md
- text: Device description framework (DDF) files
url: configuration-service-provider-ddf.md
- text: BitLocker CSP
url: bitlocker-csp.md
- text: Contribute to CSP reference
url: contribute-csp-reference.md
- text: Declared Configuration protocol
url: ../declared-configuration.md
@ -42,8 +42,8 @@ landingContent:
url: policy-configuration-service-provider.md
- text: Policy DDF file
url: configuration-service-provider-ddf.md
- text: Policy CSP - Start
url: policy-csp-start.md
- text: Policy CSP - Defender
url: policy-csp-defender.md
- text: Policy CSP - Update
url: policy-csp-update.md

16
windows/client-management/mdm/laps-csp.md
View File

@ -1,7 +1,7 @@
---
title: LAPS CSP
description: Learn more about the LAPS CSP.
ms.date: 06/21/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 06/21/2024
<!-- LAPS-Begin -->
# LAPS CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- LAPS-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings).
@ -432,7 +430,7 @@ If the specified user or group account is invalid the device will fallback to us
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-OmaUri-Begin -->
@ -488,7 +486,7 @@ If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementEnabled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Device-Policies-AutomaticAccountManagementEnabled-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-OmaUri-Begin -->
@ -543,7 +541,7 @@ If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-OmaUri-Begin -->
@ -587,7 +585,7 @@ If not specified, this setting will default to "WLapsAdmin".
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-OmaUri-Begin -->
@ -643,7 +641,7 @@ If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementTarget-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Device-Policies-AutomaticAccountManagementTarget-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-OmaUri-Begin -->
@ -759,7 +757,7 @@ If not specified, this setting will default to 0.
<!-- Device-Policies-PassphraseLength-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Device-Policies-PassphraseLength-Applicability-End -->
<!-- Device-Policies-PassphraseLength-OmaUri-Begin -->

14
windows/client-management/mdm/laps-ddf-file.md
View File

@ -1,7 +1,7 @@
---
title: LAPS DDF file
description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider.
ms.date: 06/28/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -327,7 +327,7 @@ This setting has a maximum allowed value of 10 words.</Description>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Range">
@ -690,7 +690,7 @@ If not specified, this setting defaults to False.</Description>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
@ -736,7 +736,7 @@ If not specified, this setting will default to 1.</Description>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
@ -791,7 +791,7 @@ If not specified, this setting will default to "WLapsAdmin".</Description>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:DependencyBehavior>
@ -839,7 +839,7 @@ If not specified, this setting defaults to False.</Description>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
@ -897,7 +897,7 @@ If not specified, this setting defaults to False.</Description>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">

6
windows/client-management/mdm/office-csp.md
View File

@ -1,7 +1,7 @@
---
title: Office CSP
description: Learn more about the Office CSP.
ms.date: 01/18/2024
ms.date: 10/10/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,7 +11,7 @@ ms.date: 01/18/2024
<!-- Office-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](/intune/apps-add-office365).
The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options) and [Add Microsoft 365 Apps to Windows devices with Microsoft Intune](/mem/intune/apps/apps-add-office365).
<!-- Office-Editable-End -->
<!-- Office-Tree-Begin -->
@ -587,7 +587,7 @@ To get the current status of Office 365 on the device.
| 17001 | ERROR_QUEUE_SCENARIO <br/>Failed to queue installation scenario in C2RClient | Failure |
| 17002 | ERROR_COMPLETING_SCENARIO <br>Failed to complete the process. Possible reasons:<li>Installation canceled by user<li>Installation canceled by another installation<li>Out of disk space during installation <li>Unknown language ID | Failure |
| 17003 | ERROR_ANOTHER_RUNNING_SCENARIO <br>Another scenario is running | Failure |
| 17004 | ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP<br>Possible reasons:<li>Unknown SKUs<li>Content does't exist on CDN<ul><li>Such as trying to install an unsupported LAP, like zh-sg<li>CDN issue that content is not available</li></ul><li>Signature check issue, such as failed the signature check for Office content<li>User canceled | Failure |
| 17004 | ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP<br>Possible reasons:<li>Unknown SKUs<li>Content doesn't exist on CDN<ul><li>Such as trying to install an unsupported LAP, like zh-sg<li>CDN issue that content is not available</li></ul><li>Signature check issue, such as failed the signature check for Office content<li>User canceled | Failure |
| 17005 | ERROR_SCENARIO_CANCELLED_AS_PLANNED | Failure |
| 17006 | ERROR_SCENARIO_CANCELLED<br>Blocked update by running apps | Failure |
| 17007 | ERROR_REMOVE_INSTALLATION_NEEDED<br>The client is requesting client clean-up in a "Remove Installation" scenario | Failure |

4
windows/client-management/mdm/personalization-ddf.md
View File

@ -1,7 +1,7 @@
---
title: Personalization DDF file
description: View the XML file containing the device description framework (DDF) for the Personalization configuration service provider.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the P
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>

1
windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
View File

@ -137,7 +137,6 @@ ms.date: 02/03/2023
- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#configuredeadlineforfeatureupdates) <sup>11</sup>
- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#configuredeadlineforqualityupdates) <sup>11</sup>
- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#configuredeadlinegraceperiod) <sup>11</sup>
- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#configuredeadlinenoautoreboot) <sup>11</sup>
- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#deferfeatureupdatesperiodindays)
- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#deferqualityupdatesperiodindays)
- [Update/ManagePreviewBuilds](policy-csp-update.md#managepreviewbuilds)

169
windows/client-management/mdm/policies-in-preview.md
View File

@ -1,7 +1,7 @@
---
title: Configuration service provider preview policies
description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
ms.date: 09/11/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -17,6 +17,7 @@ This article lists the policies that are applicable for Windows Insider Preview
- [TurnOffInstallTracing](policy-csp-appdeviceinventory.md#turnoffinstalltracing)
- [TurnOffAPISamping](policy-csp-appdeviceinventory.md#turnoffapisamping)
- [TurnOffApplicationFootprint](policy-csp-appdeviceinventory.md#turnoffapplicationfootprint)
- [TurnOffWin32AppBackup](policy-csp-appdeviceinventory.md#turnoffwin32appbackup)
## ClientCertificateInstall CSP
@ -28,15 +29,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [EnablePhysicalDeviceAccessOnErrorScreens](clouddesktop-csp.md#userenablephysicaldeviceaccessonerrorscreens)
- [EnableBootToCloudSharedPCMode](clouddesktop-csp.md#deviceenableboottocloudsharedpcmode)
## Cryptography
- [ConfigureEllipticCurveCryptography](policy-csp-cryptography.md#configureellipticcurvecryptography)
- [ConfigureSystemCryptographyForceStrongKeyProtection](policy-csp-cryptography.md#configuresystemcryptographyforcestrongkeyprotection)
- [OverrideMinimumEnabledTLSVersionClient](policy-csp-cryptography.md#overrideminimumenabledtlsversionclient)
- [OverrideMinimumEnabledTLSVersionServer](policy-csp-cryptography.md#overrideminimumenabledtlsversionserver)
- [OverrideMinimumEnabledDTLSVersionClient](policy-csp-cryptography.md#overrideminimumenableddtlsversionclient)
- [OverrideMinimumEnabledDTLSVersionServer](policy-csp-cryptography.md#overrideminimumenableddtlsversionserver)
## DeclaredConfiguration CSP
- [Document](declaredconfiguration-csp.md#hostcompletedocumentsdociddocument)
@ -47,23 +39,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md#dodisallowcacheserverdownloadsonvpn)
- [DOVpnKeywords](policy-csp-deliveryoptimization.md#dovpnkeywords)
## DesktopAppInstaller
- [EnableWindowsPackageManagerCommandLineInterfaces](policy-csp-desktopappinstaller.md#enablewindowspackagemanagercommandlineinterfaces)
- [EnableWindowsPackageManagerConfiguration](policy-csp-desktopappinstaller.md#enablewindowspackagemanagerconfiguration)
## DeviceLock
- [MaximumPasswordAge](policy-csp-devicelock.md#maximumpasswordage)
- [ClearTextPassword](policy-csp-devicelock.md#cleartextpassword)
- [PasswordComplexity](policy-csp-devicelock.md#passwordcomplexity)
- [PasswordHistorySize](policy-csp-devicelock.md#passwordhistorysize)
- [AccountLockoutPolicy](policy-csp-devicelock.md#accountlockoutpolicy)
- [AllowAdministratorLockout](policy-csp-devicelock.md#allowadministratorlockout)
- [MinimumPasswordLength](policy-csp-devicelock.md#minimumpasswordlength)
- [MinimumPasswordLengthAudit](policy-csp-devicelock.md#minimumpasswordlengthaudit)
- [RelaxMinimumPasswordLengthLimits](policy-csp-devicelock.md#relaxminimumpasswordlengthlimits)
## DevicePreparation CSP
- [PageEnabled](devicepreparation-csp.md#pageenabled)
@ -84,12 +59,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [Cadence](dmclient-csp.md#deviceproviderprovideridconfigrefreshcadence)
- [PausePeriod](dmclient-csp.md#deviceproviderprovideridconfigrefreshpauseperiod)
## Experience
- [AllowScreenRecorder](policy-csp-experience.md#allowscreenrecorder)
- [EnableOrganizationalMessages](policy-csp-experience.md#enableorganizationalmessages)
- [DisableTextTranslation](policy-csp-experience.md#disabletexttranslation)
## FileSystem
- [EnableDevDrive](policy-csp-filesystem.md#enabledevdrive)
@ -99,13 +68,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [AttestErrorMessage](healthattestation-csp.md#attesterrormessage)
## HumanPresence
- [ForceDisableWakeWhenBatterySaverOn](policy-csp-humanpresence.md#forcedisablewakewhenbatterysaveron)
- [ForceAllowWakeWhenExternalDisplayConnected](policy-csp-humanpresence.md#forceallowwakewhenexternaldisplayconnected)
- [ForceAllowLockWhenExternalDisplayConnected](policy-csp-humanpresence.md#forceallowlockwhenexternaldisplayconnected)
- [ForceAllowDimWhenExternalDisplayConnected](policy-csp-humanpresence.md#forceallowdimwhenexternaldisplayconnected)
## InternetExplorer
- [AllowLegacyURLFields](policy-csp-internetexplorer.md#allowlegacyurlfields)
@ -121,49 +83,8 @@ This article lists the policies that are applicable for Windows Insider Preview
- [StartInstallation](language-pack-management-csp.md#installlanguage-idstartinstallation)
- [SystemPreferredUILanguages](language-pack-management-csp.md#languagesettingssystempreferreduilanguages)
## LAPS CSP
- [PassphraseLength](laps-csp.md#policiespassphraselength)
- [AutomaticAccountManagementEnabled](laps-csp.md#policiesautomaticaccountmanagementenabled)
- [AutomaticAccountManagementTarget](laps-csp.md#policiesautomaticaccountmanagementtarget)
- [AutomaticAccountManagementNameOrPrefix](laps-csp.md#policiesautomaticaccountmanagementnameorprefix)
- [AutomaticAccountManagementEnableAccount](laps-csp.md#policiesautomaticaccountmanagementenableaccount)
- [AutomaticAccountManagementRandomizeName](laps-csp.md#policiesautomaticaccountmanagementrandomizename)
## LocalPoliciesSecurityOptions
- [Audit_AuditTheUseOfBackupAndRestoreprivilege](policy-csp-localpoliciessecurityoptions.md#audit_audittheuseofbackupandrestoreprivilege)
- [Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings](policy-csp-localpoliciessecurityoptions.md#audit_forceauditpolicysubcategorysettingstooverrideauditpolicycategorysettings)
- [Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits](policy-csp-localpoliciessecurityoptions.md#audit_shutdownsystemimmediatelyifunabletologsecurityaudits)
- [Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md#devices_restrictfloppyaccesstolocallyloggedonuseronly)
- [DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](policy-csp-localpoliciessecurityoptions.md#domainmember_digitallyencryptorsignsecurechanneldataalways)
- [DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md#domainmember_digitallyencryptsecurechanneldatawhenpossible)
- [DomainMember_DigitallySignSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md#domainmember_digitallysignsecurechanneldatawhenpossible)
- [DomainMember_DisableMachineAccountPasswordChanges](policy-csp-localpoliciessecurityoptions.md#domainmember_disablemachineaccountpasswordchanges)
- [DomainMember_MaximumMachineAccountPasswordAge](policy-csp-localpoliciessecurityoptions.md#domainmember_maximummachineaccountpasswordage)
- [DomainMember_RequireStrongSessionKey](policy-csp-localpoliciessecurityoptions.md#domainmember_requirestrongsessionkey)
- [InteractiveLogon_MachineAccountLockoutThreshold](policy-csp-localpoliciessecurityoptions.md#interactivelogon_machineaccountlockoutthreshold)
- [InteractiveLogon_NumberOfPreviousLogonsToCache](policy-csp-localpoliciessecurityoptions.md#interactivelogon_numberofpreviouslogonstocache)
- [InteractiveLogon_PromptUserToChangePasswordBeforeExpiration](policy-csp-localpoliciessecurityoptions.md#interactivelogon_promptusertochangepasswordbeforeexpiration)
- [MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](policy-csp-localpoliciessecurityoptions.md#microsoftnetworkserver_amountofidletimerequiredbeforesuspendingsession)
- [MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire](policy-csp-localpoliciessecurityoptions.md#microsoftnetworkserver_disconnectclientswhenlogonhoursexpire)
- [MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel](policy-csp-localpoliciessecurityoptions.md#microsoftnetworkserver_serverspntargetnamevalidationlevel)
- [NetworkAccess_AllowAnonymousSIDOrNameTranslation](policy-csp-localpoliciessecurityoptions.md#networkaccess_allowanonymoussidornametranslation)
- [NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication](policy-csp-localpoliciessecurityoptions.md#networkaccess_donotallowstorageofpasswordsandcredentialsfornetworkauthentication)
- [NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers](policy-csp-localpoliciessecurityoptions.md#networkaccess_leteveryonepermissionsapplytoanonymoususers)
- [NetworkAccess_NamedPipesThatCanBeAccessedAnonymously](policy-csp-localpoliciessecurityoptions.md#networkaccess_namedpipesthatcanbeaccessedanonymously)
- [NetworkAccess_RemotelyAccessibleRegistryPaths](policy-csp-localpoliciessecurityoptions.md#networkaccess_remotelyaccessibleregistrypaths)
- [NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths](policy-csp-localpoliciessecurityoptions.md#networkaccess_remotelyaccessibleregistrypathsandsubpaths)
- [NetworkAccess_SharesThatCanBeAccessedAnonymously](policy-csp-localpoliciessecurityoptions.md#networkaccess_sharesthatcanbeaccessedanonymously)
- [NetworkAccess_SharingAndSecurityModelForLocalAccounts](policy-csp-localpoliciessecurityoptions.md#networkaccess_sharingandsecuritymodelforlocalaccounts)
- [NetworkSecurity_AllowLocalSystemNULLSessionFallback](policy-csp-localpoliciessecurityoptions.md#networksecurity_allowlocalsystemnullsessionfallback)
- [NetworkSecurity_ForceLogoffWhenLogonHoursExpire](policy-csp-localpoliciessecurityoptions.md#networksecurity_forcelogoffwhenlogonhoursexpire)
- [NetworkSecurity_LDAPClientSigningRequirements](policy-csp-localpoliciessecurityoptions.md#networksecurity_ldapclientsigningrequirements)
- [RecoveryConsole_AllowAutomaticAdministrativeLogon](policy-csp-localpoliciessecurityoptions.md#recoveryconsole_allowautomaticadministrativelogon)
- [RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders](policy-csp-localpoliciessecurityoptions.md#recoveryconsole_allowfloppycopyandaccesstoalldrivesandallfolders)
- [SystemCryptography_ForceStrongKeyProtection](policy-csp-localpoliciessecurityoptions.md#systemcryptography_forcestrongkeyprotection)
- [SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems](policy-csp-localpoliciessecurityoptions.md#systemobjects_requirecaseinsensitivityfornonwindowssubsystems)
- [SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects](policy-csp-localpoliciessecurityoptions.md#systemobjects_strengthendefaultpermissionsofinternalsystemobjects)
- [UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection](policy-csp-localpoliciessecurityoptions.md#useraccountcontrol_behavioroftheelevationpromptforadministratorprotection)
- [UserAccountControl_TypeOfAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md#useraccountcontrol_typeofadminapprovalmode)
@ -174,23 +95,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [ConfigureDeviceStandbyAction](policy-csp-mixedreality.md#configuredevicestandbyaction)
- [ConfigureDeviceStandbyActionTimeout](policy-csp-mixedreality.md#configuredevicestandbyactiontimeout)
## MSSecurityGuide
- [NetBTNodeTypeConfiguration](policy-csp-mssecurityguide.md#netbtnodetypeconfiguration)
## NetworkListManager
- [AllNetworks_NetworkIcon](policy-csp-networklistmanager.md#allnetworks_networkicon)
- [AllNetworks_NetworkLocation](policy-csp-networklistmanager.md#allnetworks_networklocation)
- [AllNetworks_NetworkName](policy-csp-networklistmanager.md#allnetworks_networkname)
- [IdentifyingNetworks_LocationType](policy-csp-networklistmanager.md#identifyingnetworks_locationtype)
- [UnidentifiedNetworks_LocationType](policy-csp-networklistmanager.md#unidentifiednetworks_locationtype)
- [UnidentifiedNetworks_UserPermissions](policy-csp-networklistmanager.md#unidentifiednetworks_userpermissions)
## Notifications
- [DisableAccountNotifications](policy-csp-notifications.md#disableaccountnotifications)
## PassportForWork CSP
- [EnableWindowsHelloProvisioningForSecurityKeys](passportforwork-csp.md#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys)
@ -202,77 +106,15 @@ This article lists the policies that are applicable for Windows Insider Preview
## RemoteDesktopServices
- [LimitServerToClientClipboardRedirection](policy-csp-remotedesktopservices.md#limitservertoclientclipboardredirection)
- [LimitClientToServerClipboardRedirection](policy-csp-remotedesktopservices.md#limitclienttoserverclipboardredirection)
- [DisconnectOnLockLegacyAuthn](policy-csp-remotedesktopservices.md#disconnectonlocklegacyauthn)
- [DisconnectOnLockMicrosoftIdentityAuthn](policy-csp-remotedesktopservices.md#disconnectonlockmicrosoftidentityauthn)
- [TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME](policy-csp-remotedesktopservices.md#ts_server_remoteapp_use_shellappruntime)
## Search
- [ConfigureSearchOnTaskbarMode](policy-csp-search.md#configuresearchontaskbarmode)
## SettingsSync
- [DisableAccessibilitySettingSync](policy-csp-settingssync.md#disableaccessibilitysettingsync)
- [DisableLanguageSettingSync](policy-csp-settingssync.md#disablelanguagesettingsync)
## Sudo
- [EnableSudo](policy-csp-sudo.md#enablesudo)
## SurfaceHub CSP
- [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled)
## System
- [HideUnsupportedHardwareNotifications](policy-csp-system.md#hideunsupportedhardwarenotifications)
## SystemServices
- [ConfigureComputerBrowserServiceStartupMode](policy-csp-systemservices.md#configurecomputerbrowserservicestartupmode)
- [ConfigureIISAdminServiceStartupMode](policy-csp-systemservices.md#configureiisadminservicestartupmode)
- [ConfigureInfraredMonitorServiceStartupMode](policy-csp-systemservices.md#configureinfraredmonitorservicestartupmode)
- [ConfigureInternetConnectionSharingServiceStartupMode](policy-csp-systemservices.md#configureinternetconnectionsharingservicestartupmode)
- [ConfigureLxssManagerServiceStartupMode](policy-csp-systemservices.md#configurelxssmanagerservicestartupmode)
- [ConfigureMicrosoftFTPServiceStartupMode](policy-csp-systemservices.md#configuremicrosoftftpservicestartupmode)
- [ConfigureRemoteProcedureCallLocatorServiceStartupMode](policy-csp-systemservices.md#configureremoteprocedurecalllocatorservicestartupmode)
- [ConfigureRoutingAndRemoteAccessServiceStartupMode](policy-csp-systemservices.md#configureroutingandremoteaccessservicestartupmode)
- [ConfigureSimpleTCPIPServicesStartupMode](policy-csp-systemservices.md#configuresimpletcpipservicesstartupmode)
- [ConfigureSpecialAdministrationConsoleHelperServiceStartupMode](policy-csp-systemservices.md#configurespecialadministrationconsolehelperservicestartupmode)
- [ConfigureSSDPDiscoveryServiceStartupMode](policy-csp-systemservices.md#configuressdpdiscoveryservicestartupmode)
- [ConfigureUPnPDeviceHostServiceStartupMode](policy-csp-systemservices.md#configureupnpdevicehostservicestartupmode)
- [ConfigureWebManagementServiceStartupMode](policy-csp-systemservices.md#configurewebmanagementservicestartupmode)
- [ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode](policy-csp-systemservices.md#configurewindowsmediaplayernetworksharingservicestartupmode)
- [ConfigureWindowsMobileHotspotServiceStartupMode](policy-csp-systemservices.md#configurewindowsmobilehotspotservicestartupmode)
- [ConfigureWorldWideWebPublishingServiceStartupMode](policy-csp-systemservices.md#configureworldwidewebpublishingservicestartupmode)
## Update
- [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md#allowtemporaryenterprisefeaturecontrol)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](policy-csp-update.md#configuredeadlinenoautorebootforfeatureupdates)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](policy-csp-update.md#configuredeadlinenoautorebootforqualityupdates)
- [AlwaysAutoRebootAtScheduledTimeMinutes](policy-csp-update.md#alwaysautorebootatscheduledtimeminutes)
## UserRights
- [BypassTraverseChecking](policy-csp-userrights.md#bypasstraversechecking)
- [ReplaceProcessLevelToken](policy-csp-userrights.md#replaceprocessleveltoken)
- [ChangeTimeZone](policy-csp-userrights.md#changetimezone)
- [ShutDownTheSystem](policy-csp-userrights.md#shutdownthesystem)
- [LogOnAsBatchJob](policy-csp-userrights.md#logonasbatchjob)
- [ProfileSystemPerformance](policy-csp-userrights.md#profilesystemperformance)
- [DenyLogOnAsBatchJob](policy-csp-userrights.md#denylogonasbatchjob)
- [LogOnAsService](policy-csp-userrights.md#logonasservice)
- [IncreaseProcessWorkingSet](policy-csp-userrights.md#increaseprocessworkingset)
- [DenyLogOnAsService](policy-csp-userrights.md#denylogonasservice)
- [AdjustMemoryQuotasForProcess](policy-csp-userrights.md#adjustmemoryquotasforprocess)
- [AllowLogOnThroughRemoteDesktop](policy-csp-userrights.md#allowlogonthroughremotedesktop)
## WebThreatDefense
- [AutomaticDataCollection](policy-csp-webthreatdefense.md#automaticdatacollection)
## Wifi
@ -281,7 +123,7 @@ This article lists the policies that are applicable for Windows Insider Preview
## WindowsAI
- [DisableAIDataAnalysis](policy-csp-windowsai.md#disableaidataanalysis)
- [SetCopilotHardwareKey](policy-csp-windowsai.md#setcopilothardwarekey)
- [DisableImageCreator](policy-csp-windowsai.md#disableimagecreator)
- [DisableCocreator](policy-csp-windowsai.md#disablecocreator)
@ -294,11 +136,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [DisableSubscription](windowslicensing-csp.md#subscriptionsdisablesubscription)
- [RemoveSubscription](windowslicensing-csp.md#subscriptionsremovesubscription)
## WindowsSandbox
- [AllowMappedFolders](policy-csp-windowssandbox.md#allowmappedfolders)
- [AllowWriteToMappedFolders](policy-csp-windowssandbox.md#allowwritetomappedfolders)
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

3
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -1,7 +1,7 @@
---
title: Policy CSP
description: Learn more about the Policy CSP.
ms.date: 08/07/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -1152,6 +1152,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
- [Settings](policy-csp-settings.md)
- [SettingsSync](policy-csp-settingssync.md)
- [SmartScreen](policy-csp-smartscreen.md)
- [SpeakForMe](policy-csp-speakforme.md)
- [Speech](policy-csp-speech.md)
- [Start](policy-csp-start.md)
- [Stickers](policy-csp-stickers.md)

8
windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_AppxPackageManager Policy CSP
description: Learn more about the ADMX_AppxPackageManager Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -32,7 +32,7 @@ ms.date: 08/06/2024
<!-- AllowDeploymentInSpecialProfiles-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off:
This policy setting allows you to manage the deployment of packaged Microsoft Store apps when the user is signed in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off:
Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies.
@ -42,9 +42,9 @@ Temporary user profiles, which are created when an error prevents the correct pr
User profiles for the Guest account and members of the Guests group.
- If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of Windows Store apps when using a special profile.
- If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of packaged Microsoft Store apps when using a special profile.
- If you disable or don't configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile.
- If you disable or don't configure this policy setting, Group Policy blocks deployment operations of packaged Microsoft Store apps when using a special profile.
<!-- AllowDeploymentInSpecialProfiles-Description-End -->
<!-- AllowDeploymentInSpecialProfiles-Editable-Begin -->

24
windows/client-management/mdm/policy-csp-admx-appxruntime.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_AppXRuntime Policy CSP
description: Learn more about the ADMX_AppXRuntime Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -32,11 +32,11 @@ ms.date: 08/06/2024
<!-- AppxRuntimeApplicationContentUriRules-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer.
This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all packaged Microsoft Store apps that use the enterpriseAuthentication capability on a computer.
- If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use.
- If you enable this policy setting, you can define additional Content URI Rules that all packaged Microsoft Store apps that use the enterpriseAuthentication capability on a computer can use.
- If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules.
- If you disable or don't set this policy setting, packaged Microsoft Store apps will only use the static Content URI Rules.
<!-- AppxRuntimeApplicationContentUriRules-Description-End -->
<!-- AppxRuntimeApplicationContentUriRules-Editable-Begin -->
@ -60,7 +60,7 @@ This policy setting lets you turn on Content URI Rules to supplement the static
| Name | Value |
|:--|:--|
| Name | AppxRuntimeApplicationContentUriRules |
| Friendly Name | Turn on dynamic Content URI Rules for Windows store apps |
| Friendly Name | Turn on dynamic Content URI Rules for packaged Microsoft Store apps |
| Location | Computer Configuration |
| Path | Windows Components > App runtime |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Packages\Applications |
@ -95,11 +95,11 @@ This policy setting lets you turn on Content URI Rules to supplement the static
<!-- AppxRuntimeBlockFileElevation-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type.
This policy setting lets you control whether packaged Microsoft Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than packaged Microsoft Store apps, there is a risk that a packaged Microsoft Store app might compromise the system by opening a file in the default desktop app for a file type.
- If you enable this policy setting, Windows Store apps can't open files in the default desktop app for a file type; they can open files only in other Windows Store apps.
- If you enable this policy setting, packaged Microsoft Store apps can't open files in the default desktop app for a file type; they can open files only in other packaged Microsoft Store apps.
- If you disable or don't configure this policy setting, Windows Store apps can open files in the default desktop app for a file type.
- If you disable or don't configure this policy setting, packaged Microsoft Store apps can open files in the default desktop app for a file type.
<!-- AppxRuntimeBlockFileElevation-Description-End -->
<!-- AppxRuntimeBlockFileElevation-Editable-Begin -->
@ -219,14 +219,14 @@ This policy shouldn't be enabled unless recommended by Microsoft as a security r
<!-- AppxRuntimeBlockProtocolElevation-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app.
This policy setting lets you control whether packaged Microsoft Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than packaged Microsoft Store apps, there is a risk that a URI scheme launched by a packaged Microsoft Store app might compromise the system by launching a desktop app.
- If you enable this policy setting, Windows Store apps can't open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps.
- If you enable this policy setting, packaged Microsoft Store apps can't open URIs in the default desktop app for a URI scheme; they can open URIs only in other packaged Microsoft Store apps.
- If you disable or don't configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme.
- If you disable or don't configure this policy setting, packaged Microsoft Store apps can open URIs in the default desktop app for a URI scheme.
> [!NOTE]
> Enabling this policy setting doesn't block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk.
> Enabling this policy setting doesn't block packaged Microsoft Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk.
<!-- AppxRuntimeBlockProtocolElevation-Description-End -->
<!-- AppxRuntimeBlockProtocolElevation-Editable-Begin -->

4
windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_ControlPanelDisplay Policy CSP
description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -1351,7 +1351,7 @@ Specifies which theme file is applied to the computer the first time a user logs
|:--|:--|
| Name | CPL_Personalization_SetTheme |
| Friendly Name | Load a specific theme |
| Location | User Configuration |
| Location | Computer and User Configuration |
| Path | Control Panel > Personalization |
| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization |
| ADMX File Name | ControlPanelDisplay.admx |

8
windows/client-management/mdm/policy-csp-admx-deviceguard.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_DeviceGuard Policy CSP
description: Learn more about the ADMX_DeviceGuard Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -14,7 +14,7 @@ ms.date: 08/06/2024
<!-- ADMX_DeviceGuard-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!WARNING]
> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
> Group Policy-based deployment of App Control for Business policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
<!-- ADMX_DeviceGuard-Editable-End -->
<!-- ConfigCIPolicy-Begin -->
@ -34,7 +34,7 @@ ms.date: 08/06/2024
<!-- ConfigCIPolicy-Description-Begin -->
<!-- Description-Source-ADMX -->
Deploy Windows Defender Application Control.
Deploy App Control for Business.
This policy setting lets you deploy a Code Integrity Policy to a machine to control what's allowed to run on that machine.
@ -69,7 +69,7 @@ If using a signed and protected policy then disabling this policy setting doesn'
| Name | Value |
|:--|:--|
| Name | ConfigCIPolicy |
| Friendly Name | Deploy Windows Defender Application Control |
| Friendly Name | Deploy App Control for Business |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |

96
windows/client-management/mdm/policy-csp-admx-dnsclient.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_DnsClient Policy CSP
description: Learn more about the ADMX_DnsClient Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -91,7 +91,7 @@ Specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualifie
<!-- DNS_AppendToMultiLabelName-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails.
Specifies that the DNS client may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails.
A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com" is an example of a fully qualified name because it contains a terminating dot.
@ -103,7 +103,7 @@ If attaching suffixes is allowed, and a DNS client with a primary domain suffix
- If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails.
- If you don't configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names.
- If you don't configure this policy setting, the DNS client will use its local settings to determine the query behavior for unqualified multi-label names.
<!-- DNS_AppendToMultiLabelName-Description-End -->
<!-- DNS_AppendToMultiLabelName-Editable-Begin -->
@ -162,9 +162,9 @@ Specifies a connection-specific DNS suffix. This policy setting supersedes local
To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix.
- If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting.
- If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by the DNS client.
- If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the local or DHCP supplied connection specific DNS suffix, if configured.
<!-- DNS_Domain-Description-End -->
<!-- DNS_Domain-Editable-Begin -->
@ -234,7 +234,7 @@ Each connection-specific DNS suffix, assigned either through DHCP or specified i
For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the DNS client (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it's under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it's under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two.
@ -295,11 +295,11 @@ For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the
<!-- DNS_IdnEncoding-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured.
Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the DNS client is on non-domain networks with no WINS servers configured.
- If this policy setting is enabled, IDNs aren't converted to Punycode.
- If this policy setting is disabled, or if this policy setting isn't configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.
- If this policy setting is disabled, or if this policy setting isn't configured, IDNs are converted to Punycode when the DNS client is on non-domain networks with no WINS servers configured.
<!-- DNS_IdnEncoding-Description-End -->
<!-- DNS_IdnEncoding-Editable-Begin -->
@ -413,13 +413,13 @@ Specifies whether the DNS client should convert internationalized domain names (
<!-- DNS_NameServer-Description-Begin -->
<!-- Description-Source-ADMX -->
Defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP.
Defines the DNS servers to which the DNS client sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP.
To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address.
- If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting.
- If you enable this policy setting, the list of DNS servers is applied to all network connections used by the DNS client.
- If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the local or DHCP supplied list of DNS servers, if configured.
<!-- DNS_NameServer-Description-End -->
<!-- DNS_NameServer-Editable-Begin -->
@ -535,18 +535,18 @@ Specifies that responses from link local name resolution protocols received over
<!-- DNS_PrimaryDnsSuffix-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution.
Specifies the primary DNS suffix used by the DNS client in DNS name registration and DNS name resolution.
To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com.
> [!IMPORTANT]
> In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows.
> In order for changes to this policy setting to be applied on the DNS client, you must restart Windows.
- If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel.
You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix.
- If you disable this policy setting, or if you don't configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it's joined.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client uses the local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it's joined.
<!-- DNS_PrimaryDnsSuffix-Description-End -->
<!-- DNS_PrimaryDnsSuffix-Editable-Begin -->
@ -600,18 +600,18 @@ You can use this policy setting to prevent users, including local administrators
<!-- DNS_RegisterAdapterName-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
Specifies if the DNS client performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com.
- If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting.
- If you enable this policy setting, the DNS client will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by the DNS client.
For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer. VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, the DNS client will register A and PTR resource records for mycomputer. VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
> [!IMPORTANT]
> This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled.
> This policy setting is ignored by the DNS client if dynamic DNS registration is disabled.
- If you disable this policy setting, or if you don't configure this policy setting, a DNS client computer won't register any A and PTR resource records using a connection-specific DNS suffix.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client won't register any A and PTR resource records using a connection-specific DNS suffix.
<!-- DNS_RegisterAdapterName-Description-End -->
<!-- DNS_RegisterAdapterName-Editable-Begin -->
@ -666,7 +666,7 @@ For example, with a computer name of mycomputer, a primary DNS suffix of microso
<!-- DNS_RegisterReverseLookup-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies if DNS client computers will register PTR resource records.
Specifies if the DNS client will register PTR resource records.
By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record.
@ -674,13 +674,13 @@ By default, DNS clients configured to perform dynamic DNS registration will atte
To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:
Don't register: Computers won't attempt to register PTR resource records.
Don't register: the DNS client won't attempt to register PTR resource records.
Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records wasn't successful.
Register: the DNS client will attempt to register PTR resource records even if registration of the corresponding A records wasn't successful.
Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful.
Register only if A record registration succeeds: the DNS client will attempt to register PTR resource records only if registration of the corresponding A records was successful.
- If you disable this policy setting, or if you don't configure this policy setting, computers will use locally configured settings.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use locally configured settings.
<!-- DNS_RegisterReverseLookup-Description-End -->
<!-- DNS_RegisterReverseLookup-Editable-Begin -->
@ -734,11 +734,11 @@ Register only if A record registration succeeds: Computers will attempt to regis
<!-- DNS_RegistrationEnabled-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.
Specifies if DNS dynamic update is enabled. DNS clients configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.
- If you enable this policy setting, or you don't configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting mustn't be disabled.
- If you enable this policy setting, or you don't configure this policy setting, the DNS client will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting mustn't be disabled.
- If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.
- If you disable this policy setting, the DNS client may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.
<!-- DNS_RegistrationEnabled-Description-End -->
<!-- DNS_RegistrationEnabled-Editable-Begin -->
@ -795,7 +795,7 @@ Specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic
<!-- Description-Source-ADMX -->
Specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses.
This policy setting is designed for computers that register address (A) resource records in DNS zones that don't use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and doesn't allow a DNS client to overwrite records that are registered by other computers.
This policy setting is designed for DNS clients that register address (A) resource records in DNS zones that don't use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and doesn't allow a DNS client to overwrite records that are registered by other DNS clients.
During dynamic update of resource records in a zone that doesn't use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address.
@ -856,18 +856,18 @@ During dynamic update of resource records in a zone that doesn't use Secure Dyna
<!-- DNS_RegistrationRefreshInterval-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates.
Specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies DNS clients performing dynamic DNS updates.
Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record hasn't changed. This reregistration is required to indicate to DNS servers that records are current and shouldn't be automatically removed (scavenged) when a DNS server is configured to delete stale records.
DNS clients configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record hasn't changed. This reregistration is required to indicate to DNS servers that records are current and shouldn't be automatically removed (scavenged) when a DNS server is configured to delete stale records.
> [!WARNING]
> If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records.
To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes.
- If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting.
- If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by DNS clients that receive this policy setting.
- If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the local or DHCP supplied setting. By default, DNS clients configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
<!-- DNS_RegistrationRefreshInterval-Description-End -->
<!-- DNS_RegistrationRefreshInterval-Editable-Begin -->
@ -921,13 +921,13 @@ To specify the registration refresh interval, click Enabled and then enter a val
<!-- DNS_RegistrationTtl-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied.
Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by the DNS client to which this policy setting is applied.
To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes).
- If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting.
- If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by the DNS client.
- If you disable this policy setting, or if you don't configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).
<!-- DNS_RegistrationTtl-Description-End -->
<!-- DNS_RegistrationTtl-Editable-Begin -->
@ -985,7 +985,7 @@ Specifies the DNS suffixes to attach to an unqualified single-label name before
An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com".
Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com".
DNS clients that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com".
To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes.
@ -1170,15 +1170,15 @@ Specifies the security level for dynamic DNS updates.
To use this policy setting, click Enabled and then select one of the following values:
Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updates are refused.
Unsecure followed by secure - the DNS client sends secure dynamic updates only when nonsecure dynamic updates are refused.
Only unsecure - computers send only nonsecure dynamic updates.
Only unsecure - the DNS client sends only nonsecure dynamic updates.
Only secure - computers send only secure dynamic updates.
Only secure - The DNS client sends only secure dynamic updates.
- If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.
- If you enable this policy setting, DNS clients that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.
- If you disable this policy setting, or if you don't configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
- If you disable this policy setting, or if you don't configure this policy setting, DNS clients will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
<!-- DNS_UpdateSecurityLevel-Description-End -->
<!-- DNS_UpdateSecurityLevel-Editable-Begin -->
@ -1232,13 +1232,13 @@ Only secure - computers send only secure dynamic updates.
<!-- DNS_UpdateTopLevelDomainZones-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com".
Specifies if the DNS client may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com".
By default, a DNS client that's configured to perform dynamic DNS update will update the DNS zone that's authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone.
- If you enable this policy setting, computers send dynamic updates to any zone that's authoritative for the resource records that the computer needs to update, except the root zone.
- If you enable this policy setting, the DNS client sends dynamic updates to any zone that's authoritative for the resource records that the DNS client needs to update, except the root zone.
- If you disable this policy setting, or if you don't configure this policy setting, computers don't send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client doesn't send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the DNS client needs to update.
<!-- DNS_UpdateTopLevelDomainZones-Description-End -->
<!-- DNS_UpdateTopLevelDomainZones-Editable-Begin -->
@ -1309,7 +1309,7 @@ Each connection-specific DNS suffix, assigned either through DHCP or specified i
For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the DNS client (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it's under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it's under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two.
@ -1370,11 +1370,11 @@ For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the
<!-- Turn_Off_Multicast-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies that link local multicast name resolution (LLMNR) is disabled on client computers.
Specifies that link local multicast name resolution (LLMNR) is disabled on the DNS client.
LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR doesn't require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution isn't possible.
LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a DNS client to another DNS client on the same subnet that also has LLMNR enabled. LLMNR doesn't require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution isn't possible.
- If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.
- If you enable this policy setting, LLMNR will be disabled on all available network adapters on the DNS client.
- If you disable this policy setting, or you don't configure this policy setting, LLMNR will be enabled on all available network adapters.
<!-- Turn_Off_Multicast-Description-End -->

4
windows/client-management/mdm/policy-csp-admx-filesys.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_FileSys Policy CSP
description: Learn more about the ADMX_FileSys Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -260,7 +260,7 @@ Encrypting the page file prevents malicious users from reading data that has bee
<!-- LongPathsEnabled-Description-Begin -->
<!-- Description-Source-ADMX -->
Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit. Enabling this setting will cause the long paths to be accessible within the process.
Enabling Win32 long paths will allow manifested win32 applications and packaged Microsoft Store applications to access paths beyond the normal 260 character limit. Enabling this setting will cause the long paths to be accessible within the process.
<!-- LongPathsEnabled-Description-End -->
<!-- LongPathsEnabled-Editable-Begin -->

30
windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_MicrosoftDefenderAntivirus Policy CSP
description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -1523,11 +1523,13 @@ This policy setting defines the number of days items should be kept in the Quara
<!-- RandomizeScheduleTaskTimes-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure the scheduled scan, and the scheduled security intelligence update, start time window in hours.
This policy setting allows you to configure the randomization of the scheduled scan start time and the scheduled definition update start time.
- If you disable or don't configure this setting, scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler.
- If you enable or don't configure this policy setting, and didn't set a randomization window in the Configure scheduled task time randomization window setting , then randomization will be added between 0-4 hours.
- If you enable this setting, you can widen, or narrow, this randomization period. Specify a randomization window of between 1 and 23 hours.
- If you enable or don't configure this policy setting, and set a randomization window in the Configure scheduled task time randomization window setting, the configured randomization window will be used.
- If you disable this policy setting, but configured the scheduled task time randomization window, randomization won't be done.
<!-- RandomizeScheduleTaskTimes-Description-End -->
<!-- RandomizeScheduleTaskTimes-Editable-Begin -->
@ -3528,11 +3530,11 @@ This policy setting allows you to configure scanning mapped network drives.
<!-- Scan_DisableScanningNetworkFiles-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure scanning for network files. It's recommended that you don't enable this setting.
This policy setting allows the scanning of network files using on access protection. The default is enabled. Recommended to remain enabled in most cases.
- If you enable this setting, network files will be scanned.
- If you enable or don't configure this setting, network files will be scanned.
- If you disable or don't configure this setting, network files won't be scanned.
- If you disable this setting, network files won't be scanned.
<!-- Scan_DisableScanningNetworkFiles-Description-End -->
<!-- Scan_DisableScanningNetworkFiles-Editable-Begin -->
@ -3556,7 +3558,7 @@ This policy setting allows you to configure scanning for network files. It's rec
| Name | Value |
|:--|:--|
| Name | Scan_DisableScanningNetworkFiles |
| Friendly Name | Scan network files |
| Friendly Name | Configure scanning of network files |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
@ -5436,12 +5438,7 @@ Valid remediation action values are:
<!-- UX_Configuration_CustomDefaultActionToastString-OmaUri-End -->
<!-- UX_Configuration_CustomDefaultActionToastString-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display.
- If you enable this setting, the additional text specified will be displayed.
- If you disable or don't configure this setting, there will be no additional text displayed.
<!-- Description-Source-Not-Found -->
<!-- UX_Configuration_CustomDefaultActionToastString-Description-End -->
<!-- UX_Configuration_CustomDefaultActionToastString-Editable-Begin -->
@ -5458,6 +5455,7 @@ This policy setting allows you to configure whether or not to display additional
<!-- UX_Configuration_CustomDefaultActionToastString-DFProperties-End -->
<!-- UX_Configuration_CustomDefaultActionToastString-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -5465,10 +5463,6 @@ This policy setting allows you to configure whether or not to display additional
| Name | Value |
|:--|:--|
| Name | UX_Configuration_CustomDefaultActionToastString |
| Friendly Name | Display additional text to clients when they need to perform an action |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Client Interface |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\UX Configuration |
| ADMX File Name | WindowsDefender.admx |
<!-- UX_Configuration_CustomDefaultActionToastString-AdmxBacked-End -->

4
windows/client-management/mdm/policy-csp-admx-netlogon.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_Netlogon Policy CSP
description: Learn more about the ADMX_Netlogon Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -420,6 +420,8 @@ Note that this policy setting doesn't affect NetBIOS-based discovery for DC loca
- If you enable or don't configure this policy setting, the DC location algorithm doesn't use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This is the default behavior.
- If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails.
This setting has no effect unless the BlockNetbiosDiscovery setting is disabled. NetBIOS-based discovery is considered unsecure, has many limitations, and will be deprecated in a future release. For these reasons, NetBIOS-based discovery isn't recommended. See <https://aka.ms/dclocatornetbiosdeprecation> for more information.
<!-- Netlogon_AvoidFallbackNetbiosDiscovery-Description-End -->
<!-- Netlogon_AvoidFallbackNetbiosDiscovery-Editable-Begin -->

4
windows/client-management/mdm/policy-csp-admx-printing.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_Printing Policy CSP
description: Learn more about the ADMX_Printing Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -749,7 +749,7 @@ This preference allows you to change default printer management.
<!-- MXDWUseLegacyOutputFormatMSXPS-Description-Begin -->
<!-- Description-Source-ADMX -->
Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2022.
Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2025.
- If you enable this group policy setting, the default MXDW output format is the legacy Microsoft XPS (*.xps).

4
windows/client-management/mdm/policy-csp-admx-startmenu.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_StartMenu Policy CSP
description: Learn more about the ADMX_StartMenu Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -997,7 +997,7 @@ This policy setting allows you to prevent users from changing their Start screen
|:--|:--|
| Name | NoChangeStartMenu |
| Friendly Name | Prevent users from customizing their Start Screen |
| Location | User Configuration |
| Location | Computer and User Configuration |
| Path | Start Menu and Taskbar |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
| Registry Value Name | NoChangeStartMenu |

12
windows/client-management/mdm/policy-csp-admx-taskbar.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_Taskbar Policy CSP
description: Learn more about the ADMX_Taskbar Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -69,7 +69,7 @@ A reboot is required for this policy setting to take effect.
|:--|:--|
| Name | DisableNotificationCenter |
| Friendly Name | Remove Notifications and Action Center |
| Location | User Configuration |
| Location | Computer and User Configuration |
| Path | Start Menu and Taskbar |
| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
| Registry Value Name | DisableNotificationCenter |
@ -748,11 +748,11 @@ This policy setting allows you to turn off automatic promotion of notification i
<!-- ShowWindowsStoreAppsOnTaskbar-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows users to see Windows Store apps on the taskbar.
This policy setting allows users to see packaged Microsoft Store apps on the taskbar.
- If you enable this policy setting, users will see Windows Store apps on the taskbar.
- If you enable this policy setting, users will see packaged Microsoft Store apps on the taskbar.
- If you disable this policy setting, users won't see Windows Store apps on the taskbar.
- If you disable this policy setting, users won't see packaged Microsoft Store apps on the taskbar.
- If you don't configure this policy setting, the default setting for the user's device will be used, and the user can choose to change it.
<!-- ShowWindowsStoreAppsOnTaskbar-Description-End -->
@ -778,7 +778,7 @@ This policy setting allows users to see Windows Store apps on the taskbar.
| Name | Value |
|:--|:--|
| Name | ShowWindowsStoreAppsOnTaskbar |
| Friendly Name | Show Windows Store apps on the taskbar |
| Friendly Name | Show packaged Microsoft Store apps on the taskbar |
| Location | User Configuration |
| Path | Start Menu and Taskbar |
| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |

4
windows/client-management/mdm/policy-csp-admx-terminalserver.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_TerminalServer Policy CSP
description: Learn more about the ADMX_TerminalServer Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -3585,7 +3585,7 @@ This policy setting allows you to specify which protocols can be used for Remote
- If you enable this policy setting, you must specify if you would like RDP to use UDP.
You can select one of the following options: "Use both UDP and TCP", "Use only TCP" or "Use either UDP or TCP (default)".
You can select one of the following options: "Use either UDP or TCP (default)" or "Use only TCP".
If you select "Use either UDP or TCP" and the UDP connection is successful, most of the RDP traffic will use UDP.

11
windows/client-management/mdm/policy-csp-admx-thumbnails.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_Thumbnails Policy CSP
description: Learn more about the ADMX_Thumbnails Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -95,11 +95,14 @@ File Explorer displays thumbnail images by default.
<!-- Description-Source-ADMX -->
This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders.
File Explorer displays thumbnail images on network folders by default.
File Explorer displays only icons and never displays thumbnail images on network folders by default.
- If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images on network folders.
- If you disable this policy setting, File Explorer displays thumbnail images on network folders.
- If you disable or don't configure this policy setting, File Explorer displays only thumbnail images on network folders.
- If you enable or don't configure this policy setting, File Explorer displays only icons and never displays thumbnail images on network folders.
> [!NOTE]
> Allowing the use of thumbnail images from network folders can expose the users' computers to security risks.
<!-- DisableThumbnailsOnNetworkFolders-Description-End -->
<!-- DisableThumbnailsOnNetworkFolders-Editable-Begin -->

18
windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_WindowsExplorer Policy CSP
description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -472,7 +472,15 @@ You can specify a known folder using its known folder id or using its canonical
<!-- DisableMotWOnInsecurePathCopy-OmaUri-End -->
<!-- DisableMotWOnInsecurePathCopy-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting determines the application of the Mark of the Web tag to files sourced from insecure locations.
- If you enable this policy setting, files copied from unsecure sources won't be tagged with the Mark of the Web.
- If you disable or don't configure this policy setting, files copied from unsecure sources will be tagged with the appropriate Mark of the Web.
> [!NOTE]
> Failure to tag files from unsecure sources with the Mark of the Web can expose users' computers to security risks.
<!-- DisableMotWOnInsecurePathCopy-Description-End -->
<!-- DisableMotWOnInsecurePathCopy-Editable-Begin -->
@ -489,7 +497,6 @@ You can specify a known folder using its known folder id or using its canonical
<!-- DisableMotWOnInsecurePathCopy-DFProperties-End -->
<!-- DisableMotWOnInsecurePathCopy-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -497,6 +504,11 @@ You can specify a known folder using its known folder id or using its canonical
| Name | Value |
|:--|:--|
| Name | DisableMotWOnInsecurePathCopy |
| Friendly Name | Do not apply the Mark of the Web tag to files copied from insecure sources |
| Location | Computer Configuration |
| Path | WindowsComponents > File Explorer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
| Registry Value Name | DisableMotWOnInsecurePathCopy |
| ADMX File Name | WindowsExplorer.admx |
<!-- DisableMotWOnInsecurePathCopy-AdmxBacked-End -->

4
windows/client-management/mdm/policy-csp-admx-wpn.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_WPN Policy CSP
description: Learn more about the ADMX_WPN Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -254,7 +254,7 @@ No reboots or service restarts are required for this policy setting to take effe
|:--|:--|
| Name | NoToastNotification |
| Friendly Name | Turn off toast notifications |
| Location | User Configuration |
| Location | Computer and User Configuration |
| Path | Start Menu and Taskbar > Notifications |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications |
| Registry Value Name | NoToastApplicationNotification |

100
windows/client-management/mdm/policy-csp-appdeviceinventory.md
View File

@ -1,7 +1,7 @@
---
title: AppDeviceInventory Policy CSP
description: Learn more about the AppDeviceInventory Area in Policy CSP.
ms.date: 08/07/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -33,7 +33,12 @@ ms.date: 08/07/2024
<!-- TurnOffAPISamping-OmaUri-End -->
<!-- TurnOffAPISamping-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy controls the state of API Sampling. API Sampling monitors the sampled collection of application programming interfaces used during system runtime to help diagnose compatibility problems.
- If you enable this policy, API Sampling won't be run.
- If you disable or don't configure this policy, API Sampling will be turned on.
<!-- TurnOffAPISamping-Description-End -->
<!-- TurnOffAPISamping-Editable-Begin -->
@ -50,7 +55,6 @@ ms.date: 08/07/2024
<!-- TurnOffAPISamping-DFProperties-End -->
<!-- TurnOffAPISamping-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -58,6 +62,11 @@ ms.date: 08/07/2024
| Name | Value |
|:--|:--|
| Name | TurnOffAPISamping |
| Friendly Name | Turn off API Sampling |
| Location | Computer Configuration |
| Path | Windows Components > App and Device Inventory |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
| Registry Value Name | DisableAPISamping |
| ADMX File Name | AppDeviceInventory.admx |
<!-- TurnOffAPISamping-AdmxBacked-End -->
@ -83,7 +92,12 @@ ms.date: 08/07/2024
<!-- TurnOffApplicationFootprint-OmaUri-End -->
<!-- TurnOffApplicationFootprint-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy controls the state of Application Footprint. Application Footprint monitors the sampled collection of registry and file usage to help diagnose compatibility problems.
- If you enable this policy, Application Footprint won't be run.
- If you disable or don't configure this policy, Application Footprint will be turned on.
<!-- TurnOffApplicationFootprint-Description-End -->
<!-- TurnOffApplicationFootprint-Editable-Begin -->
@ -100,7 +114,6 @@ ms.date: 08/07/2024
<!-- TurnOffApplicationFootprint-DFProperties-End -->
<!-- TurnOffApplicationFootprint-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -108,6 +121,11 @@ ms.date: 08/07/2024
| Name | Value |
|:--|:--|
| Name | TurnOffApplicationFootprint |
| Friendly Name | Turn off Application Footprint |
| Location | Computer Configuration |
| Path | Windows Components > App and Device Inventory |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
| Registry Value Name | DisableApplicationFootprint |
| ADMX File Name | AppDeviceInventory.admx |
<!-- TurnOffApplicationFootprint-AdmxBacked-End -->
@ -133,7 +151,12 @@ ms.date: 08/07/2024
<!-- TurnOffInstallTracing-OmaUri-End -->
<!-- TurnOffInstallTracing-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy controls the state of Install Tracing. Install Tracing is a mechanism that tracks application installs to help diagnose compatibility problems.
- If you enable this policy, Install Tracing won't be run.
- If you disable or don't configure this policy, Install Tracing will be turned on.
<!-- TurnOffInstallTracing-Description-End -->
<!-- TurnOffInstallTracing-Editable-Begin -->
@ -150,7 +173,6 @@ ms.date: 08/07/2024
<!-- TurnOffInstallTracing-DFProperties-End -->
<!-- TurnOffInstallTracing-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -158,6 +180,11 @@ ms.date: 08/07/2024
| Name | Value |
|:--|:--|
| Name | TurnOffInstallTracing |
| Friendly Name | Turn off Install Tracing |
| Location | Computer Configuration |
| Path | Windows Components > App and Device Inventory |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
| Registry Value Name | DisableInstallTracing |
| ADMX File Name | AppDeviceInventory.admx |
<!-- TurnOffInstallTracing-AdmxBacked-End -->
@ -167,6 +194,65 @@ ms.date: 08/07/2024
<!-- TurnOffInstallTracing-End -->
<!-- TurnOffWin32AppBackup-Begin -->
## TurnOffWin32AppBackup
<!-- TurnOffWin32AppBackup-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- TurnOffWin32AppBackup-Applicability-End -->
<!-- TurnOffWin32AppBackup-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/AppDeviceInventory/TurnOffWin32AppBackup
```
<!-- TurnOffWin32AppBackup-OmaUri-End -->
<!-- TurnOffWin32AppBackup-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls the state of the compatibility scan for backed up applications. The compatibility scan for backed up applications evaluates for compatibility problems in installed applications.
- If you enable this policy, the compatibility scan for backed up applications won't be run.
- If you disable or don't configure this policy, the compatibility scan for backed up applications will be run.
<!-- TurnOffWin32AppBackup-Description-End -->
<!-- TurnOffWin32AppBackup-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- TurnOffWin32AppBackup-Editable-End -->
<!-- TurnOffWin32AppBackup-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- TurnOffWin32AppBackup-DFProperties-End -->
<!-- TurnOffWin32AppBackup-AdmxBacked-Begin -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | TurnOffWin32AppBackup |
| Friendly Name | Turn off compatibility scan for backed up applications |
| Location | Computer Configuration |
| Path | Windows Components > App and Device Inventory |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
| Registry Value Name | DisableWin32AppBackup |
| ADMX File Name | AppDeviceInventory.admx |
<!-- TurnOffWin32AppBackup-AdmxBacked-End -->
<!-- TurnOffWin32AppBackup-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- TurnOffWin32AppBackup-Examples-End -->
<!-- TurnOffWin32AppBackup-End -->
<!-- AppDeviceInventory-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- AppDeviceInventory-CspMoreInfo-End -->

10
windows/client-management/mdm/policy-csp-applicationmanagement.md
View File

@ -1,7 +1,7 @@
---
title: ApplicationManagement Policy CSP
description: Learn more about the ApplicationManagement Area in Policy CSP.
ms.date: 04/10/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -30,11 +30,11 @@ ms.date: 04/10/2024
<!-- AllowAllTrustedApps-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps.
This policy setting allows you to manage the installation of trusted line-of-business (LOB) or developer-signed packaged Microsoft Store apps.
- If you enable this policy setting, you can install any LOB or developer-signed Windows Store app (which must be signed with a certificate chain that can be successfully validated by the local computer).
- If you enable this policy setting, you can install any LOB or developer-signed packaged Microsoft Store app (which must be signed with a certificate chain that can be successfully validated by the local computer).
- If you disable or don't configure this policy setting, you can't install LOB or developer-signed Windows Store apps.
- If you disable or don't configure this policy setting, you can't install LOB or developer-signed packaged Microsoft Store apps.
<!-- AllowAllTrustedApps-Description-End -->
<!-- AllowAllTrustedApps-Editable-Begin -->
@ -269,7 +269,7 @@ Allows or denies development of Microsoft Store applications and installing them
| Name | Value |
|:--|:--|
| Name | AllowDevelopmentWithoutDevLicense |
| Friendly Name | Allows development of Windows Store apps and installing them from an integrated development environment (IDE) |
| Friendly Name | Allows development of packaged Microsoft Store apps and installing them from an integrated development environment (IDE) |
| Location | Computer Configuration |
| Path | Windows Components > App Package Deployment |
| Registry Key Name | Software\Policies\Microsoft\Windows\Appx |

6
windows/client-management/mdm/policy-csp-appruntime.md
View File

@ -1,7 +1,7 @@
---
title: AppRuntime Policy CSP
description: Learn more about the AppRuntime Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -32,9 +32,9 @@ ms.date: 01/18/2024
<!-- AllowMicrosoftAccountsToBeOptional-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it.
This policy setting lets you control whether Microsoft accounts are optional for packaged Microsoft Store apps that require an account to sign in. This policy only affects packaged Microsoft Store apps that support it.
- If you enable this policy setting, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead.
- If you enable this policy setting, packaged Microsoft Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead.
- If you disable or don't configure this policy setting, users will need to sign in with a Microsoft account.
<!-- AllowMicrosoftAccountsToBeOptional-Description-End -->

5
windows/client-management/mdm/policy-csp-appvirtualization.md
View File

@ -1,7 +1,7 @@
---
title: AppVirtualization Policy CSP
description: Learn more about the AppVirtualization Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -33,6 +33,9 @@ ms.date: 01/18/2024
<!-- AllowAppVClient-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect.
> [!NOTE]
> Application Virtualization (App-V) will reach end-of-life April 2026. After that time, the App-V client will be excluded from new versions of the Windows operating system. See aka.ms/AppVDeprecation for more information.
<!-- AllowAppVClient-Description-End -->
<!-- AllowAppVClient-Editable-Begin -->

4
windows/client-management/mdm/policy-csp-audit.md
View File

@ -1,7 +1,7 @@
---
title: Audit Policy CSP
description: Learn more about the Audit Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 10/10/2024
---
<!-- Auto-Generated CSP Document -->
@ -846,7 +846,7 @@ Volume: Low.
<!-- AccountLogonLogoff_AuditSpecialLogon-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged-on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121697).
This policy setting allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged-on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged.
<!-- AccountLogonLogoff_AuditSpecialLogon-Description-End -->
<!-- AccountLogonLogoff_AuditSpecialLogon-Editable-Begin -->

16
windows/client-management/mdm/policy-csp-cryptography.md
View File

@ -1,7 +1,7 @@
---
title: Cryptography Policy CSP
description: Learn more about the Cryptography Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 01/18/2024
<!-- Cryptography-Begin -->
# Policy CSP - Cryptography
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Cryptography-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Cryptography-Editable-End -->
@ -79,7 +77,7 @@ Allows or disallows the Federal Information Processing Standard (FIPS) policy.
<!-- ConfigureEllipticCurveCryptography-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureEllipticCurveCryptography-Applicability-End -->
<!-- ConfigureEllipticCurveCryptography-OmaUri-Begin -->
@ -146,7 +144,7 @@ CertUtil.exe -DisplayEccCurve.
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Applicability-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-OmaUri-Begin -->
@ -196,7 +194,7 @@ System cryptography: Force strong key protection for user keys stored on the com
<!-- OverrideMinimumEnabledDTLSVersionClient-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- OverrideMinimumEnabledDTLSVersionClient-Applicability-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-OmaUri-Begin -->
@ -235,7 +233,7 @@ Override minimal enabled TLS version for client role. Last write wins.
<!-- OverrideMinimumEnabledDTLSVersionServer-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- OverrideMinimumEnabledDTLSVersionServer-Applicability-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-OmaUri-Begin -->
@ -274,7 +272,7 @@ Override minimal enabled TLS version for server role. Last write wins.
<!-- OverrideMinimumEnabledTLSVersionClient-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- OverrideMinimumEnabledTLSVersionClient-Applicability-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-OmaUri-Begin -->
@ -313,7 +311,7 @@ Override minimal enabled TLS version for client role. Last write wins.
<!-- OverrideMinimumEnabledTLSVersionServer-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- OverrideMinimumEnabledTLSVersionServer-Applicability-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-OmaUri-Begin -->

4
windows/client-management/mdm/policy-csp-defender.md
View File

@ -1,7 +1,7 @@
---
title: Defender Policy CSP
description: Learn more about the Defender Area in Policy CSP.
ms.date: 06/28/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -745,7 +745,7 @@ This policy setting allows you to configure scheduled scans and on-demand (manua
| Name | Value |
|:--|:--|
| Name | Scan_DisableScanningNetworkFiles |
| Friendly Name | Scan network files |
| Friendly Name | Configure scanning of network files |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |

74
windows/client-management/mdm/policy-csp-desktopappinstaller.md
View File

@ -1,7 +1,7 @@
---
title: DesktopAppInstaller Policy CSP
description: Learn more about the DesktopAppInstaller Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,8 +11,6 @@ ms.date: 01/18/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- DesktopAppInstaller-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DesktopAppInstaller-Editable-End -->
@ -215,7 +213,14 @@ Users will still be able to execute the *winget* command. The default help will
<!-- EnableBypassCertificatePinningForMicrosoftStore-OmaUri-End -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy controls whether the [Windows Package Manager](/windows/package-manager/) will validate the Microsoft Store certificate hash matches to a known Microsoft Store certificate when initiating a connection to the Microsoft Store Source.
- If you enable this policy, the [Windows Package Manager](/windows/package-manager/) will bypass the Microsoft Store certificate validation.
- If you disable this policy, the [Windows Package Manager](/windows/package-manager/) will validate the Microsoft Store certificate used is valid and belongs to the Microsoft Store before communicating with the Microsoft Store source.
- If you don't configure this policy, the [Windows Package Manager](/windows/package-manager/) administrator settings will be adhered to.
<!-- EnableBypassCertificatePinningForMicrosoftStore-Description-End -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-Editable-Begin -->
@ -232,7 +237,6 @@ Users will still be able to execute the *winget* command. The default help will
<!-- EnableBypassCertificatePinningForMicrosoftStore-DFProperties-End -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -240,6 +244,11 @@ Users will still be able to execute the *winget* command. The default help will
| Name | Value |
|:--|:--|
| Name | EnableBypassCertificatePinningForMicrosoftStore |
| Friendly Name | Enable App Installer Microsoft Store Source Certificate Validation Bypass |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableBypassCertificatePinningForMicrosoftStore |
| ADMX File Name | DesktopAppInstaller.admx |
<!-- EnableBypassCertificatePinningForMicrosoftStore-AdmxBacked-End -->
@ -445,7 +454,14 @@ This policy controls whether or not the [Windows Package Manager](/windows/packa
<!-- EnableLocalArchiveMalwareScanOverride-OmaUri-End -->
<!-- EnableLocalArchiveMalwareScanOverride-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy controls the ability to override malware vulnerability scans when installing an archive file using a local manifest using the command line arguments.
- If you enable this policy, users can override the malware scan when performing a local manifest install of an archive file.
- If you disable this policy, users will be unable to override the malware scan of an archive file when installing using a local manifest.
- If you don't configure this policy, the [Windows Package Manager](/windows/package-manager/) administrator settings will be adhered to.
<!-- EnableLocalArchiveMalwareScanOverride-Description-End -->
<!-- EnableLocalArchiveMalwareScanOverride-Editable-Begin -->
@ -462,7 +478,6 @@ This policy controls whether or not the [Windows Package Manager](/windows/packa
<!-- EnableLocalArchiveMalwareScanOverride-DFProperties-End -->
<!-- EnableLocalArchiveMalwareScanOverride-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -470,6 +485,11 @@ This policy controls whether or not the [Windows Package Manager](/windows/packa
| Name | Value |
|:--|:--|
| Name | EnableLocalArchiveMalwareScanOverride |
| Friendly Name | Enable App Installer Local Archive Malware Scan Override |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableLocalArchiveMalwareScanOverride |
| ADMX File Name | DesktopAppInstaller.admx |
<!-- EnableLocalArchiveMalwareScanOverride-AdmxBacked-End -->
@ -618,9 +638,9 @@ This policy controls the Microsoft Store source included with the [Windows Packa
<!-- Description-Source-ADMX -->
This policy controls whether users can install packages from a website that's using the ms-appinstaller protocol.
- If you enable or don't configure this setting, users will be able to install packages from websites that use this protocol.
- If you enable this setting, users will be able to install packages from websites that use this protocol.
- If you disable this setting, users won't be able to install packages from websites that use this protocol.
- If you disable or don't configure this setting, users won't be able to install packages from websites that use this protocol.
<!-- EnableMSAppInstallerProtocol-Description-End -->
<!-- EnableMSAppInstallerProtocol-Editable-Begin -->
@ -724,7 +744,7 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerCommandLineInterfaces-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- EnableWindowsPackageManagerCommandLineInterfaces-Applicability-End -->
<!-- EnableWindowsPackageManagerCommandLineInterfaces-OmaUri-Begin -->
@ -734,7 +754,14 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerCommandLineInterfaces-OmaUri-End -->
<!-- EnableWindowsPackageManagerCommandLineInterfaces-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy determines if a user can perform an action using the [Windows Package Manager](/windows/package-manager/) through a command line interface (WinGet CLI, or WinGet PowerShell).
If you disable this policy, users won't be able execute the [Windows Package Manager](/windows/package-manager/) CLI, and PowerShell cmdlets.
If you enable, or don't configuring this policy, users will be able to execute the [Windows Package Manager](/windows/package-manager/) CLI commands, and PowerShell cmdlets. (Provided "Enable App Installer" policy isn't disabled).
This policy doesn't override the "Enable App Installer" policy.
<!-- EnableWindowsPackageManagerCommandLineInterfaces-Description-End -->
<!-- EnableWindowsPackageManagerCommandLineInterfaces-Editable-Begin -->
@ -751,7 +778,6 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerCommandLineInterfaces-DFProperties-End -->
<!-- EnableWindowsPackageManagerCommandLineInterfaces-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -759,6 +785,11 @@ The settings are stored inside of a .json file on the users system. It may be
| Name | Value |
|:--|:--|
| Name | EnableWindowsPackageManagerCommandLineInterfaces |
| Friendly Name | Enable Windows Package Manager command line interfaces |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableWindowsPackageManagerCommandLineInterfaces |
| ADMX File Name | DesktopAppInstaller.admx |
<!-- EnableWindowsPackageManagerCommandLineInterfaces-AdmxBacked-End -->
@ -774,7 +805,7 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerConfiguration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- EnableWindowsPackageManagerConfiguration-Applicability-End -->
<!-- EnableWindowsPackageManagerConfiguration-OmaUri-Begin -->
@ -784,7 +815,12 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerConfiguration-OmaUri-End -->
<!-- EnableWindowsPackageManagerConfiguration-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy controls whether the [Windows Package Manager](/windows/package-manager/) configuration feature can be used by users.
- If you enable or don't configure this setting, users will be able to use the [Windows Package Manager](/windows/package-manager/) configuration feature.
- If you disable this setting, users won't be able to use the [Windows Package Manager](/windows/package-manager/) configuration feature.
<!-- EnableWindowsPackageManagerConfiguration-Description-End -->
<!-- EnableWindowsPackageManagerConfiguration-Editable-Begin -->
@ -801,7 +837,6 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerConfiguration-DFProperties-End -->
<!-- EnableWindowsPackageManagerConfiguration-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -809,6 +844,11 @@ The settings are stored inside of a .json file on the users system. It may be
| Name | Value |
|:--|:--|
| Name | EnableWindowsPackageManagerConfiguration |
| Friendly Name | Enable Windows Package Manager Configuration |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableWindowsPackageManagerConfiguration |
| ADMX File Name | DesktopAppInstaller.admx |
<!-- EnableWindowsPackageManagerConfiguration-AdmxBacked-End -->
@ -835,9 +875,9 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- SourceAutoUpdateInterval-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls the auto update interval for package-based sources.
This policy controls the auto-update interval for package-based sources. The default source for [Windows Package Manager](/windows/package-manager/) is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed.
- If you disable or don't configure this setting, the default interval or the value specified in settings will be used by the [Windows Package Manager](/windows/package-manager/).
- If you disable or don't configure this setting, the default interval or the value specified in the [Windows Package Manager](/windows/package-manager/) settings will be used.
- If you enable this setting, the number of minutes specified will be used by the [Windows Package Manager](/windows/package-manager/).
<!-- SourceAutoUpdateInterval-Description-End -->

22
windows/client-management/mdm/policy-csp-devicelock.md
View File

@ -1,7 +1,7 @@
---
title: DeviceLock Policy CSP
description: Learn more about the DeviceLock Area in Policy CSP.
ms.date: 08/05/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,8 +11,6 @@ ms.date: 08/05/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- DeviceLock-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!IMPORTANT]
@ -25,7 +23,7 @@ ms.date: 08/05/2024
<!-- AccountLockoutPolicy-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AccountLockoutPolicy-Applicability-End -->
<!-- AccountLockoutPolicy-OmaUri-Begin -->
@ -64,7 +62,7 @@ Account lockout threshold - This security setting determines the number of faile
<!-- AllowAdministratorLockout-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllowAdministratorLockout-Applicability-End -->
<!-- AllowAdministratorLockout-OmaUri-Begin -->
@ -329,7 +327,7 @@ Determines the type of PIN or password required. This policy only applies if the
<!-- ClearTextPassword-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ClearTextPassword-Applicability-End -->
<!-- ClearTextPassword-OmaUri-Begin -->
@ -685,7 +683,7 @@ The number of authentication failures allowed before the device will be wiped. A
<!-- MaximumPasswordAge-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- MaximumPasswordAge-Applicability-End -->
<!-- MaximumPasswordAge-OmaUri-Begin -->
@ -1025,7 +1023,7 @@ This security setting determines the period of time (in days) that a password mu
<!-- MinimumPasswordLength-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- MinimumPasswordLength-Applicability-End -->
<!-- MinimumPasswordLength-OmaUri-Begin -->
@ -1078,7 +1076,7 @@ This security setting determines the least number of characters that a password
<!-- MinimumPasswordLengthAudit-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- MinimumPasswordLengthAudit-Applicability-End -->
<!-- MinimumPasswordLengthAudit-OmaUri-Begin -->
@ -1128,7 +1126,7 @@ This security setting determines the minimum password length for which password
<!-- PasswordComplexity-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- PasswordComplexity-Applicability-End -->
<!-- PasswordComplexity-OmaUri-Begin -->
@ -1188,7 +1186,7 @@ Complexity requirements are enforced when passwords are changed or created.
<!-- PasswordHistorySize-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- PasswordHistorySize-Applicability-End -->
<!-- PasswordHistorySize-OmaUri-Begin -->
@ -1360,7 +1358,7 @@ If you enable this setting, users will no longer be able to modify slide show se
<!-- RelaxMinimumPasswordLengthLimits-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- RelaxMinimumPasswordLengthLimits-Applicability-End -->
<!-- RelaxMinimumPasswordLengthLimits-OmaUri-Begin -->

19
windows/client-management/mdm/policy-csp-experience.md
View File

@ -1,7 +1,7 @@
---
title: Experience Policy CSP
description: Learn more about the Experience Area in Policy CSP.
ms.date: 08/07/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 08/07/2024
<!-- Experience-Begin -->
# Policy CSP - Experience
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Experience-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Experience-Editable-End -->
@ -484,7 +482,7 @@ Allow screen capture.
<!-- AllowScreenRecorder-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllowScreenRecorder-Applicability-End -->
<!-- AllowScreenRecorder-OmaUri-Begin -->
@ -494,7 +492,7 @@ Allow screen capture.
<!-- AllowScreenRecorder-OmaUri-End -->
<!-- AllowScreenRecorder-Description-Begin -->
<!-- Description-Source-DDF -->
<!-- Description-Source-ADMX -->
This policy setting allows you to control whether screen recording functionality is available in the Windows Snipping Tool app.
- If you disable this policy setting, screen recording functionality won't be accessible in the Windows Snipping Tool app.
@ -531,7 +529,12 @@ This policy setting allows you to control whether screen recording functionality
| Name | Value |
|:--|:--|
| Name | AllowScreenRecorder |
| Path | Programs > AT > WindowsComponents > SnippingTool |
| Friendly Name | Allow Screen Recorder |
| Location | User Configuration |
| Path | Windows Components > Snipping Tool |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\SnippingTool |
| Registry Value Name | AllowScreenRecorder |
| ADMX File Name | Programs.admx |
<!-- AllowScreenRecorder-GpMapping-End -->
<!-- AllowScreenRecorder-Examples-Begin -->
@ -1681,7 +1684,7 @@ This policy setting lets you turn off cloud consumer account state content in al
<!-- DisableTextTranslation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisableTextTranslation-Applicability-End -->
<!-- DisableTextTranslation-OmaUri-Begin -->
@ -1887,7 +1890,7 @@ _**Turn syncing off by default but dont disable**_
<!-- EnableOrganizationalMessages-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4828] and later <br> ✅ Windows 11, version 22H2 with [KB5020044](https://support.microsoft.com/help/5020044) [10.0.22621.900] and later <br> ✅ Windows Insider Preview |
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 with [KB5041582](https://support.microsoft.com/help/5041582) [10.0.19045.4842] and later <br> ✅ Windows 11, version 22H2 with [KB5020044](https://support.microsoft.com/help/5020044) [10.0.22621.900] and later <br> ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- EnableOrganizationalMessages-Applicability-End -->
<!-- EnableOrganizationalMessages-OmaUri-Begin -->

4
windows/client-management/mdm/policy-csp-fileexplorer.md
View File

@ -1,7 +1,7 @@
---
title: FileExplorer Policy CSP
description: Learn more about the FileExplorer Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -138,7 +138,7 @@ When This PC location is restricted, give the user the option to enumerate and n
<!-- DisableGraphRecentItems-Description-Begin -->
<!-- Description-Source-ADMX -->
Turning off this setting will prevent File Explorer from requesting cloud file metadata and displaying it in the homepage and other views in File Explorer. Any insights and files available based on account activity will be stopped in views such as Recent, Recommended, Favorites, etc.
Turning off this setting will prevent File Explorer from requesting cloud file metadata and displaying it in the homepage and other views in File Explorer. Any insights and files available based on account activity will be stopped in views such as Recent, Recommended, Favorites, Details pane, etc.
<!-- DisableGraphRecentItems-Description-End -->
<!-- DisableGraphRecentItems-Editable-Begin -->

12
windows/client-management/mdm/policy-csp-humanpresence.md
View File

@ -1,7 +1,7 @@
---
title: HumanPresence Policy CSP
description: Learn more about the HumanPresence Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 01/18/2024
<!-- HumanPresence-Begin -->
# Policy CSP - HumanPresence
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- HumanPresence-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- HumanPresence-Editable-End -->
@ -21,7 +19,7 @@ ms.date: 01/18/2024
<!-- ForceAllowDimWhenExternalDisplayConnected-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ForceAllowDimWhenExternalDisplayConnected-Applicability-End -->
<!-- ForceAllowDimWhenExternalDisplayConnected-OmaUri-Begin -->
@ -85,7 +83,7 @@ Determines whether Allow Adaptive Dimming When Battery Saver On checkbox is forc
<!-- ForceAllowLockWhenExternalDisplayConnected-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ForceAllowLockWhenExternalDisplayConnected-Applicability-End -->
<!-- ForceAllowLockWhenExternalDisplayConnected-OmaUri-Begin -->
@ -149,7 +147,7 @@ Determines whether Allow Lock on Leave When Battery Saver On checkbox is forced
<!-- ForceAllowWakeWhenExternalDisplayConnected-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ForceAllowWakeWhenExternalDisplayConnected-Applicability-End -->
<!-- ForceAllowWakeWhenExternalDisplayConnected-OmaUri-Begin -->
@ -213,7 +211,7 @@ Determines whether Allow Wake on Approach When External Display Connected checkb
<!-- ForceDisableWakeWhenBatterySaverOn-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ForceDisableWakeWhenBatterySaverOn-Applicability-End -->
<!-- ForceDisableWakeWhenBatterySaverOn-OmaUri-Begin -->

25
windows/client-management/mdm/policy-csp-internetexplorer.md
View File

@ -1,7 +1,7 @@
---
title: InternetExplorer Policy CSP
description: Learn more about the InternetExplorer Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -1005,7 +1005,12 @@ Note. It's recommended to configure template policy settings in one Group Policy
<!-- AllowLegacyURLFields-OmaUri-End -->
<!-- AllowLegacyURLFields-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting allows the use of some disabled functionality, such as WorkingDirectory field or pluggable protocol handling, in Internet Shortcut files.
If you enable this policy, disabled functionality for Internet Shortcut files will be re-enabled.
If you disable, or don't configure this policy, some functionality for Internet Shortcut files, such as WorkingDirectory field or pluggable protocol handling, will be disabled.
<!-- AllowLegacyURLFields-Description-End -->
<!-- AllowLegacyURLFields-Editable-Begin -->
@ -1022,7 +1027,6 @@ Note. It's recommended to configure template policy settings in one Group Policy
<!-- AllowLegacyURLFields-DFProperties-End -->
<!-- AllowLegacyURLFields-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -1030,6 +1034,11 @@ Note. It's recommended to configure template policy settings in one Group Policy
| Name | Value |
|:--|:--|
| Name | AllowLegacyURLFields |
| Friendly Name | Allow legacy functionality for Internet Shortcut files |
| Location | Computer and User Configuration |
| Path | Windows Components > Internet Explorer |
| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main |
| Registry Value Name | AllowLegacyURLFields |
| ADMX File Name | inetres.admx |
<!-- AllowLegacyURLFields-AdmxBacked-End -->
@ -7923,13 +7932,11 @@ This policy setting allows you to manage the opening of windows and frames and a
<!-- JScriptReplacement-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting specifies whether JScript or JScript9Legacy is loaded for MSHTML/WebOC/MSXML/Cscript based invocations.
This policy setting specifies whether JScript or JScript9Legacy is loaded.
- If you enable this policy setting, JScript9Legacy will be loaded in situations where JScript is instantiated.
- If you enable this policy setting or not configured, JScript9Legacy will be loaded in situations where JScript is instantiated.
- If you disable this policy, then JScript will be utilized.
- If this policy is left unconfigured, then MSHTML will use JScript9Legacy and MSXML/Cscript will use JScript.
<!-- JScriptReplacement-Description-End -->
<!-- JScriptReplacement-Editable-Begin -->
@ -7953,7 +7960,7 @@ This policy setting specifies whether JScript or JScript9Legacy is loaded for MS
| Name | Value |
|:--|:--|
| Name | JScriptReplacement |
| Friendly Name | Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC. |
| Friendly Name | Replace JScript by loading JScript9Legacy in place of JScript. |
| Location | Computer and User Configuration |
| Path | Windows Components > Internet Explorer |
| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main |
@ -13407,7 +13414,7 @@ If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode
If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page.
For more information, see <https://go.microsoft.com/fwlink/?linkid=2102115>
For more information, see <https://go.microsoft.com/fwlink/?linkid=2220107>
<!-- ResetZoomForDialogInIEMode-Description-End -->
<!-- ResetZoomForDialogInIEMode-Editable-Begin -->

4
windows/client-management/mdm/policy-csp-lanmanworkstation.md
View File

@ -1,7 +1,7 @@
---
title: LanmanWorkstation Policy CSP
description: Learn more about the LanmanWorkstation Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -36,6 +36,8 @@ This policy setting determines if the SMB client will allow insecure guest logon
- If you disable this policy setting, the SMB client will reject insecure guest logons.
If you enable signing, the SMB client will reject insecure guest logons.
Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and don't use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access".
<!-- EnableInsecureGuestLogons-Description-End -->

70
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -1,7 +1,7 @@
---
title: LocalPoliciesSecurityOptions Policy CSP
description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CSP.
ms.date: 09/11/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -360,7 +360,7 @@ Accounts: Rename guest account This security setting determines whether a differ
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Applicability-End -->
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-OmaUri-Begin -->
@ -404,7 +404,7 @@ Audit: Audit the use of Backup and Restore privilege This security setting deter
<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Applicability-End -->
<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-OmaUri-Begin -->
@ -445,7 +445,7 @@ Audit: Force audit policy subcategory settings (Windows Vista or later) to overr
<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Applicability-End -->
<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-OmaUri-Begin -->
@ -718,7 +718,7 @@ Devices: Restrict CD-ROM access to locally logged-on user only This security set
<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Applicability-End -->
<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-OmaUri-Begin -->
@ -771,7 +771,7 @@ Devices: Restrict floppy access to locally logged-on user only This security set
<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Applicability-End -->
<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-OmaUri-Begin -->
@ -825,7 +825,7 @@ Domain member: Digitally encrypt or sign secure channel data (always) This secur
<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Applicability-End -->
<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-OmaUri-Begin -->
@ -878,7 +878,7 @@ Domain member: Digitally encrypt secure channel data (when possible) This securi
<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Applicability-End -->
<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-OmaUri-Begin -->
@ -928,7 +928,7 @@ Domain member: Digitally sign secure channel data (when possible) This security
<!-- DomainMember_DisableMachineAccountPasswordChanges-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DomainMember_DisableMachineAccountPasswordChanges-Applicability-End -->
<!-- DomainMember_DisableMachineAccountPasswordChanges-OmaUri-Begin -->
@ -982,7 +982,7 @@ Domain member: Disable machine account password changes Determines whether a dom
<!-- DomainMember_MaximumMachineAccountPasswordAge-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DomainMember_MaximumMachineAccountPasswordAge-Applicability-End -->
<!-- DomainMember_MaximumMachineAccountPasswordAge-OmaUri-Begin -->
@ -1035,7 +1035,7 @@ Domain member: Maximum machine account password age This security setting determ
<!-- DomainMember_RequireStrongSessionKey-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DomainMember_RequireStrongSessionKey-Applicability-End -->
<!-- DomainMember_RequireStrongSessionKey-OmaUri-Begin -->
@ -1335,7 +1335,7 @@ Interactive logon: Don't require CTRL+ALT+DEL This security setting determines w
<!-- InteractiveLogon_MachineAccountLockoutThreshold-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- InteractiveLogon_MachineAccountLockoutThreshold-Applicability-End -->
<!-- InteractiveLogon_MachineAccountLockoutThreshold-OmaUri-Begin -->
@ -1454,6 +1454,8 @@ Interactive logon: Message text for users attempting to log on This security set
<!-- InteractiveLogon_MessageTextForUsersAttemptingToLogOn-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!IMPORTANT]
> Windows Autopilot pre-provisioning doesn't work when this policy setting is enabled. For more information, see [Windows Autopilot troubleshooting FAQ](/autopilot/troubleshooting-faq#troubleshooting-policy-conflicts-with-windows-autopilot).
<!-- InteractiveLogon_MessageTextForUsersAttemptingToLogOn-Editable-End -->
<!-- InteractiveLogon_MessageTextForUsersAttemptingToLogOn-DFProperties-Begin -->
@ -1503,6 +1505,8 @@ Interactive logon: Message title for users attempting to log on This security se
<!-- InteractiveLogon_MessageTitleForUsersAttemptingToLogOn-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!IMPORTANT]
> Windows Autopilot pre-provisioning doesn't work when this policy setting is enabled. For more information, see [Windows Autopilot troubleshooting FAQ](/autopilot/troubleshooting-faq#troubleshooting-policy-conflicts-with-windows-autopilot).
<!-- InteractiveLogon_MessageTitleForUsersAttemptingToLogOn-Editable-End -->
<!-- InteractiveLogon_MessageTitleForUsersAttemptingToLogOn-DFProperties-Begin -->
@ -1535,7 +1539,7 @@ Interactive logon: Message title for users attempting to log on This security se
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-End -->
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-OmaUri-Begin -->
@ -1575,7 +1579,7 @@ Interactive logon: Number of previous logons to cache (in case domain controller
<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Applicability-End -->
<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-OmaUri-Begin -->
@ -1864,7 +1868,7 @@ Microsoft network client: Send unencrypted password to connect to third-party SM
<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Applicability-End -->
<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-OmaUri-Begin -->
@ -2047,7 +2051,7 @@ Microsoft network server: Digitally sign communications (if client agrees) This
<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Applicability-End -->
<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-OmaUri-Begin -->
@ -2090,7 +2094,7 @@ Microsoft network server: Disconnect clients when logon hours expire This securi
<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Applicability-End -->
<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-OmaUri-Begin -->
@ -2131,7 +2135,7 @@ Microsoft network server: Server SPN target name validation level This policy se
<!-- NetworkAccess_AllowAnonymousSIDOrNameTranslation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_AllowAnonymousSIDOrNameTranslation-Applicability-End -->
<!-- NetworkAccess_AllowAnonymousSIDOrNameTranslation-OmaUri-Begin -->
@ -2312,7 +2316,7 @@ Network access: Don't allow anonymous enumeration of SAM accounts and shares Thi
<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Applicability-End -->
<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-OmaUri-Begin -->
@ -2360,7 +2364,7 @@ Network access: Don't allow storage of passwords and credentials for network aut
<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Applicability-End -->
<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-OmaUri-Begin -->
@ -2412,7 +2416,7 @@ Network access: Let Everyone permissions apply to anonymous users This security
<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Applicability-End -->
<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-OmaUri-Begin -->
@ -2452,7 +2456,7 @@ Network access: Named pipes that can be accessed anonymously This security setti
<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Applicability-End -->
<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-OmaUri-Begin -->
@ -2495,7 +2499,7 @@ Network access: Remotely accessible registry paths This security setting determi
<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Applicability-End -->
<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-OmaUri-Begin -->
@ -2644,7 +2648,7 @@ Network access: Restrict clients allowed to make remote calls to SAM This policy
<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Applicability-End -->
<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-OmaUri-Begin -->
@ -2684,7 +2688,7 @@ Network access: Shares that can be accessed anonymously This security setting de
<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Applicability-End -->
<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-OmaUri-Begin -->
@ -2728,7 +2732,7 @@ Network access: Sharing and security model for local accounts This security sett
<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Applicability-End -->
<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-OmaUri-Begin -->
@ -2958,7 +2962,7 @@ Network security: Don't store LAN Manager hash value on next password change Thi
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-Applicability-End -->
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-OmaUri-Begin -->
@ -3083,7 +3087,7 @@ Network security LAN Manager authentication level This security setting determin
<!-- NetworkSecurity_LDAPClientSigningRequirements-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkSecurity_LDAPClientSigningRequirements-Applicability-End -->
<!-- NetworkSecurity_LDAPClientSigningRequirements-OmaUri-Begin -->
@ -3489,7 +3493,7 @@ Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers This po
<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Applicability-End -->
<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-OmaUri-Begin -->
@ -3539,7 +3543,7 @@ Recovery console: Allow automatic administrative logon This security setting det
<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Applicability-End -->
<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-OmaUri-Begin -->
@ -3696,7 +3700,7 @@ Shutdown: Clear virtual memory pagefile This security setting determines whether
<!-- SystemCryptography_ForceStrongKeyProtection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- SystemCryptography_ForceStrongKeyProtection-Applicability-End -->
<!-- SystemCryptography_ForceStrongKeyProtection-OmaUri-Begin -->
@ -3737,7 +3741,7 @@ System Cryptography: Force strong key protection for user keys stored on the com
<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Applicability-End -->
<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-OmaUri-Begin -->
@ -3787,7 +3791,7 @@ System objects: Require case insensitivity for non-Windows subsystems This secur
<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Applicability-End -->
<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-OmaUri-Begin -->

6
windows/client-management/mdm/policy-csp-lsa.md
View File

@ -1,7 +1,7 @@
---
title: LocalSecurityAuthority Policy CSP
description: Learn more about the LocalSecurityAuthority Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -93,7 +93,7 @@ This policy controls the configuration under which LSASS loads custom SSPs and A
<!-- Description-Source-ADMX -->
This policy controls the configuration under which LSASS is run.
- If you don't configure this policy and there is no current setting in the registry, LSA will run as protected process for clean installed, HVCI capable, client SKUs that are domain or cloud domain joined devices. This configuration isn't UEFI locked. This can be overridden if the policy is configured.
- If you don't configure this policy and there is no current setting in the registry, LSA will run as protected process for all clean installed, HVCI capable, client SKUs. This configuration isn't UEFI locked. This can be overridden if the policy is configured.
- If you configure and set this policy setting to "Disabled", LSA won't run as a protected process.
@ -135,7 +135,7 @@ This policy controls the configuration under which LSASS is run.
| Friendly Name | Configures LSASS to run as a protected process |
| Location | Computer Configuration |
| Path | System > Local Security Authority |
| Registry Key Name | System\CurrentControlSet\Control\Lsa |
| Registry Key Name | Software\Policies\Microsoft\Windows\System |
| ADMX File Name | LocalSecurityAuthority.admx |
<!-- ConfigureLsaProtectedProcess-GpMapping-End -->

6
windows/client-management/mdm/policy-csp-mssecurityguide.md
View File

@ -1,7 +1,7 @@
---
title: MSSecurityGuide Policy CSP
description: Learn more about the MSSecurityGuide Area in Policy CSP.
ms.date: 01/31/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,8 +11,6 @@ ms.date: 01/31/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- MSSecurityGuide-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MSSecurityGuide-Editable-End -->
@ -223,7 +221,7 @@ ms.date: 01/31/2024
<!-- NetBTNodeTypeConfiguration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetBTNodeTypeConfiguration-Applicability-End -->
<!-- NetBTNodeTypeConfiguration-OmaUri-Begin -->

16
windows/client-management/mdm/policy-csp-networklistmanager.md
View File

@ -1,7 +1,7 @@
---
title: NetworkListManager Policy CSP
description: Learn more about the NetworkListManager Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 08/06/2024
<!-- NetworkListManager-Begin -->
# Policy CSP - NetworkListManager
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- NetworkListManager-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- NetworkListManager-Editable-End -->
@ -21,7 +19,7 @@ ms.date: 08/06/2024
<!-- AllNetworks_NetworkIcon-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllNetworks_NetworkIcon-Applicability-End -->
<!-- AllNetworks_NetworkIcon-OmaUri-Begin -->
@ -70,7 +68,7 @@ This policy setting allows you to specify whether users can change the network i
<!-- AllNetworks_NetworkLocation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllNetworks_NetworkLocation-Applicability-End -->
<!-- AllNetworks_NetworkLocation-OmaUri-Begin -->
@ -119,7 +117,7 @@ This policy setting allows you to specify whether users can change the network l
<!-- AllNetworks_NetworkName-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllNetworks_NetworkName-Applicability-End -->
<!-- AllNetworks_NetworkName-OmaUri-Begin -->
@ -262,7 +260,7 @@ This policy setting provides the string that names a network. If this setting is
<!-- IdentifyingNetworks_LocationType-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- IdentifyingNetworks_LocationType-Applicability-End -->
<!-- IdentifyingNetworks_LocationType-OmaUri-Begin -->
@ -311,7 +309,7 @@ This policy setting allows you to configure the Network Location for networks th
<!-- UnidentifiedNetworks_LocationType-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- UnidentifiedNetworks_LocationType-Applicability-End -->
<!-- UnidentifiedNetworks_LocationType-OmaUri-Begin -->
@ -360,7 +358,7 @@ This policy setting allows you to configure the Network Location type for networ
<!-- UnidentifiedNetworks_UserPermissions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- UnidentifiedNetworks_UserPermissions-Applicability-End -->
<!-- UnidentifiedNetworks_UserPermissions-OmaUri-Begin -->

6
windows/client-management/mdm/policy-csp-notifications.md
View File

@ -1,7 +1,7 @@
---
title: Notifications Policy CSP
description: Learn more about the Notifications Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 01/18/2024
<!-- Notifications-Begin -->
# Policy CSP - Notifications
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Notifications-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Notifications-Editable-End -->
@ -21,7 +19,7 @@ ms.date: 01/18/2024
<!-- DisableAccountNotifications-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisableAccountNotifications-Applicability-End -->
<!-- DisableAccountNotifications-OmaUri-Begin -->

34
windows/client-management/mdm/policy-csp-printers.md
View File

@ -1,7 +1,7 @@
---
title: Printers Policy CSP
description: Learn more about the Printers Area in Policy CSP.
ms.date: 01/31/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -369,7 +369,7 @@ Determines whether Redirection Guard is enabled for the print spooler.
You can enable this setting to configure the Redirection Guard policy being applied to spooler.
- If you disable or don't configure this policy setting, Redirection Guard will default to being 'enabled'.
- If you disable or don't configure this policy setting, Redirection Guard will default to being 'Enabled'.
- If you enable this setting you may select the following options:
@ -435,7 +435,12 @@ The following are the supported values:
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-OmaUri-End -->
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting controls whether packet level privacy is enabled for RPC for incoming connections.
By default packet level privacy is enabled for RPC for incoming connections.
If you enable or don't configure this policy setting, packet level privacy is enabled for RPC for incoming connections.
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-Description-End -->
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-Editable-Begin -->
@ -452,7 +457,6 @@ The following are the supported values:
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-DFProperties-End -->
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -460,6 +464,11 @@ The following are the supported values:
| Name | Value |
|:--|:--|
| Name | ConfigureRpcAuthnLevelPrivacyEnabled |
| Friendly Name | Configure RPC packet level privacy setting for incoming connections |
| Location | Computer Configuration |
| Path | Printers |
| Registry Key Name | System\CurrentControlSet\Control\Print |
| Registry Value Name | RpcAuthnLevelPrivacyEnabled |
| ADMX File Name | Printing.admx |
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-AdmxBacked-End -->
@ -685,7 +694,16 @@ If you disable or don't configure this policy setting, dynamic TCP ports are use
<!-- ConfigureWindowsProtectedPrint-OmaUri-End -->
<!-- ConfigureWindowsProtectedPrint-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
Determines whether Windows protected print is enabled on this computer.
By default, Windows protected print isn't enabled and there aren't any restrictions on the print drivers that can be installed or print functionality.
- If you enable this setting, the computer will operate in Windows protected print mode which only allows printing to printers that support a subset of inbox Windows print drivers.
- If you disable this setting or don't configure it, there aren't any restrictions on the print drivers that can be installed or print functionality.
For more information, please see [insert link to web page with WPP info]
<!-- ConfigureWindowsProtectedPrint-Description-End -->
<!-- ConfigureWindowsProtectedPrint-Editable-Begin -->
@ -702,7 +720,6 @@ If you disable or don't configure this policy setting, dynamic TCP ports are use
<!-- ConfigureWindowsProtectedPrint-DFProperties-End -->
<!-- ConfigureWindowsProtectedPrint-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -710,6 +727,11 @@ If you disable or don't configure this policy setting, dynamic TCP ports are use
| Name | Value |
|:--|:--|
| Name | ConfigureWindowsProtectedPrint |
| Friendly Name | Configure Windows protected print |
| Location | Computer Configuration |
| Path | Printers |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\WPP |
| Registry Value Name | WindowsProtectedPrintGroupPolicyState |
| ADMX File Name | Printing.admx |
<!-- ConfigureWindowsProtectedPrint-AdmxBacked-End -->

203
windows/client-management/mdm/policy-csp-privacy.md
View File

@ -1,7 +1,7 @@
---
title: Privacy Policy CSP
description: Learn more about the Privacy Area in Policy CSP.
ms.date: 09/11/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -2398,207 +2398,6 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. The use
<!-- LetAppsAccessGazeInput_UserInControlOfTheseApps-End -->
<!-- LetAppsAccessGenerativeAI-Begin -->
## LetAppsAccessGenerativeAI
<!-- LetAppsAccessGenerativeAI-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- LetAppsAccessGenerativeAI-Applicability-End -->
<!-- LetAppsAccessGenerativeAI-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI
```
<!-- LetAppsAccessGenerativeAI-OmaUri-End -->
<!-- LetAppsAccessGenerativeAI-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting specifies whether Windows apps can use generative AI features of Windows.
<!-- LetAppsAccessGenerativeAI-Description-End -->
<!-- LetAppsAccessGenerativeAI-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI-Editable-End -->
<!-- LetAppsAccessGenerativeAI-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-2]` |
| Default Value | 0 |
<!-- LetAppsAccessGenerativeAI-DFProperties-End -->
<!-- LetAppsAccessGenerativeAI-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | LetAppsAccessGenerativeAI |
| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
| Element Name | LetAppsAccessGenerativeAI_Enum |
<!-- LetAppsAccessGenerativeAI-GpMapping-End -->
<!-- LetAppsAccessGenerativeAI-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI-Examples-End -->
<!-- LetAppsAccessGenerativeAI-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Begin -->
## LetAppsAccessGenerativeAI_ForceAllowTheseApps
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Applicability-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI_ForceAllowTheseApps
```
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-OmaUri-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Description-Begin -->
<!-- Description-Source-DDF -->
List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to use generative AI features of Windows. This setting overrides the default LetAppsAccessGenerativeAI policy setting for the specified apps.
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Description-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Editable-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-DFProperties-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | LetAppsAccessGenerativeAI |
| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
| Element Name | LetAppsAccessGenerativeAI_ForceAllowTheseApps_List |
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-GpMapping-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Examples-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Begin -->
## LetAppsAccessGenerativeAI_ForceDenyTheseApps
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Applicability-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI_ForceDenyTheseApps
```
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-OmaUri-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Description-Begin -->
<!-- Description-Source-DDF -->
List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the use generative AI features of Windows. This setting overrides the default LetAppsAccessGenerativeAI policy setting for the specified apps.
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Description-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Editable-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-DFProperties-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | LetAppsAccessGenerativeAI |
| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
| Element Name | LetAppsAccessGenerativeAI_ForceDenyTheseApps_List |
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-GpMapping-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Examples-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Begin -->
## LetAppsAccessGenerativeAI_UserInControlOfTheseApps
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Applicability-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI_UserInControlOfTheseApps
```
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-OmaUri-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Description-Begin -->
<!-- Description-Source-DDF -->
List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the generative AI setting for the listed apps. This setting overrides the default LetAppsAccessGenerativeAI policy setting for the specified apps.
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Description-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Editable-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-DFProperties-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | LetAppsAccessGenerativeAI |
| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
| Element Name | LetAppsAccessGenerativeAI_UserInControlOfTheseApps_List |
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-GpMapping-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Examples-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-End -->
<!-- LetAppsAccessGraphicsCaptureProgrammatic-Begin -->
## LetAppsAccessGraphicsCaptureProgrammatic

98
windows/client-management/mdm/policy-csp-remotedesktopservices.md
View File

@ -1,7 +1,7 @@
---
title: RemoteDesktopServices Policy CSP
description: Learn more about the RemoteDesktopServices Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -156,7 +156,7 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!-- DisconnectOnLockLegacyAuthn-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisconnectOnLockLegacyAuthn-Applicability-End -->
<!-- DisconnectOnLockLegacyAuthn-OmaUri-Begin -->
@ -166,7 +166,14 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!-- DisconnectOnLockLegacyAuthn-OmaUri-End -->
<!-- DisconnectOnLockLegacyAuthn-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure the user experience when the Remote Desktop session is locked by the user or by a policy. You can specify whether the remote session will show the remote lock screen or disconnect when the remote session is locked. Disconnecting the remote session ensures that a remote session can't be left on the lock screen and can't reconnect automatically due to loss of network connectivity.
This policy applies only when using legacy authentication to authenticate to the remote PC. Legacy authentication is limited to username and password, or certificates like smartcards. Legacy authentication doesn't leverage the Microsoft identity platform, such as Microsoft Entra ID. Legacy authentication includes the NTLM, CredSSP, RDSTLS, TLS, and RDP basic authentication protocols.
- If you enable this policy setting, Remote Desktop connections using legacy authentication will disconnect the remote session when the remote session is locked. Users can reconnect when they're ready and re-enter their credentials when prompted.
- If you disable or don't configure this policy setting, Remote Desktop connections using legacy authentication will show the remote lock screen when the remote session is locked. Users can unlock the remote session using their username and password, or certificates.
<!-- DisconnectOnLockLegacyAuthn-Description-End -->
<!-- DisconnectOnLockLegacyAuthn-Editable-Begin -->
@ -183,7 +190,6 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!-- DisconnectOnLockLegacyAuthn-DFProperties-End -->
<!-- DisconnectOnLockLegacyAuthn-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -191,7 +197,12 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
| Name | Value |
|:--|:--|
| Name | TS_DISCONNECT_ON_LOCK_POLICY |
| ADMX File Name | terminalserver.admx |
| Friendly Name | Disconnect remote session on lock for legacy authentication |
| Location | Computer Configuration |
| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
| Registry Value Name | fDisconnectOnLockLegacy |
| ADMX File Name | TerminalServer.admx |
<!-- DisconnectOnLockLegacyAuthn-AdmxBacked-End -->
<!-- DisconnectOnLockLegacyAuthn-Examples-Begin -->
@ -206,7 +217,7 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!-- DisconnectOnLockMicrosoftIdentityAuthn-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisconnectOnLockMicrosoftIdentityAuthn-Applicability-End -->
<!-- DisconnectOnLockMicrosoftIdentityAuthn-OmaUri-Begin -->
@ -216,7 +227,14 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!-- DisconnectOnLockMicrosoftIdentityAuthn-OmaUri-End -->
<!-- DisconnectOnLockMicrosoftIdentityAuthn-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure the user experience when the Remote Desktop session is locked by the user or by a policy. You can specify whether the remote session will show the remote lock screen or disconnect when the remote session is locked. Disconnecting the remote session ensures that a remote session can't be left on the lock screen and can't reconnect automatically due to loss of network connectivity.
This policy applies only when using an identity provider that uses the Microsoft identity platform, such as Microsoft Entra ID, to authenticate to the remote PC. This policy doesn't apply when using Legacy authentication which includes the NTLM, CredSSP, RDSTLS, TLS, and RDP basic authentication protocols.
- If you enable or don't configure this policy setting, Remote Desktop connections using the Microsoft identity platform will disconnect the remote session when the remote session is locked. Users can reconnect when they're ready and can use passwordless authentication if configured.
- If you disable this policy setting, Remote Desktop connections using the Microsoft identity platform will show the remote lock screen when the remote session is locked. Users can unlock the remote session using their username and password, or certificates.
<!-- DisconnectOnLockMicrosoftIdentityAuthn-Description-End -->
<!-- DisconnectOnLockMicrosoftIdentityAuthn-Editable-Begin -->
@ -233,7 +251,6 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!-- DisconnectOnLockMicrosoftIdentityAuthn-DFProperties-End -->
<!-- DisconnectOnLockMicrosoftIdentityAuthn-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -241,7 +258,12 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
| Name | Value |
|:--|:--|
| Name | TS_DISCONNECT_ON_LOCK_AAD_POLICY |
| ADMX File Name | terminalserver.admx |
| Friendly Name | Disconnect remote session on lock for Microsoft identity platform authentication |
| Location | Computer Configuration |
| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
| Registry Value Name | fDisconnectOnLockMicrosoftIdentity |
| ADMX File Name | TerminalServer.admx |
<!-- DisconnectOnLockMicrosoftIdentityAuthn-AdmxBacked-End -->
<!-- DisconnectOnLockMicrosoftIdentityAuthn-Examples-Begin -->
@ -439,7 +461,7 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- LimitClientToServerClipboardRedirection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later <br> ✅ [10.0.25398.946] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.3014] and later <br> ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later <br> ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later <br> ✅ Windows Insider Preview |
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later <br> ✅ [10.0.25398.946] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.3014] and later <br> ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later <br> ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later <br> ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- LimitClientToServerClipboardRedirection-Applicability-End -->
<!-- LimitClientToServerClipboardRedirection-OmaUri-Begin -->
@ -453,7 +475,25 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- LimitClientToServerClipboardRedirection-OmaUri-End -->
<!-- LimitClientToServerClipboardRedirection-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting allows you to restrict clipboard data transfers from client to server.
- If you enable this policy setting, you must choose from the following behaviors:
- Disable clipboard transfers from client to server.
- Allow plain text copying from client to server.
- Allow plain text and images copying from client to server.
- Allow plain text, images and Rich Text Format copying from client to server.
- Allow plain text, images, Rich Text Format and HTML copying from client to server.
- If you disable or don't configure this policy setting, users can copy arbitrary contents from client to server if clipboard redirection is enabled.
> [!NOTE]
> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the stricter restriction will be used.
<!-- LimitClientToServerClipboardRedirection-Description-End -->
<!-- LimitClientToServerClipboardRedirection-Editable-Begin -->
@ -470,7 +510,6 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- LimitClientToServerClipboardRedirection-DFProperties-End -->
<!-- LimitClientToServerClipboardRedirection-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -478,7 +517,11 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
| Name | Value |
|:--|:--|
| Name | TS_CLIENT_CLIPBOARDRESTRICTION_CS |
| ADMX File Name | terminalserver.admx |
| Friendly Name | Restrict clipboard transfer from client to server |
| Location | Computer and User Configuration |
| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
| ADMX File Name | TerminalServer.admx |
<!-- LimitClientToServerClipboardRedirection-AdmxBacked-End -->
<!-- LimitClientToServerClipboardRedirection-Examples-Begin -->
@ -493,7 +536,7 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- LimitServerToClientClipboardRedirection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later <br> ✅ [10.0.25398.946] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.3014] and later <br> ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later <br> ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later <br> ✅ Windows Insider Preview |
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later <br> ✅ [10.0.25398.946] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.3014] and later <br> ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later <br> ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later <br> ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- LimitServerToClientClipboardRedirection-Applicability-End -->
<!-- LimitServerToClientClipboardRedirection-OmaUri-Begin -->
@ -507,7 +550,25 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- LimitServerToClientClipboardRedirection-OmaUri-End -->
<!-- LimitServerToClientClipboardRedirection-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting allows you to restrict clipboard data transfers from server to client.
- If you enable this policy setting, you must choose from the following behaviors:
- Disable clipboard transfers from server to client.
- Allow plain text copying from server to client.
- Allow plain text and images copying from server to client.
- Allow plain text, images and Rich Text Format copying from server to client.
- Allow plain text, images, Rich Text Format and HTML copying from server to client.
- If you disable or don't configure this policy setting, users can copy arbitrary contents from server to client if clipboard redirection is enabled.
> [!NOTE]
> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the stricter restriction will be used.
<!-- LimitServerToClientClipboardRedirection-Description-End -->
<!-- LimitServerToClientClipboardRedirection-Editable-Begin -->
@ -524,7 +585,6 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- LimitServerToClientClipboardRedirection-DFProperties-End -->
<!-- LimitServerToClientClipboardRedirection-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -532,7 +592,11 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
| Name | Value |
|:--|:--|
| Name | TS_CLIENT_CLIPBOARDRESTRICTION_SC |
| ADMX File Name | terminalserver.admx |
| Friendly Name | Restrict clipboard transfer from server to client |
| Location | Computer and User Configuration |
| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
| ADMX File Name | TerminalServer.admx |
<!-- LimitServerToClientClipboardRedirection-AdmxBacked-End -->
<!-- LimitServerToClientClipboardRedirection-Examples-Begin -->

14
windows/client-management/mdm/policy-csp-search.md
View File

@ -1,7 +1,7 @@
---
title: Search Policy CSP
description: Learn more about the Search Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 08/06/2024
<!-- Search-Begin -->
# Policy CSP - Search
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Search-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Search-Editable-End -->
@ -648,7 +646,7 @@ The most restrictive value is `0` to now allow automatic language detection.
<!-- ConfigureSearchOnTaskbarMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureSearchOnTaskbarMode-Applicability-End -->
<!-- ConfigureSearchOnTaskbarMode-OmaUri-Begin -->
@ -930,13 +928,13 @@ This policy setting configures whether or not locations on removable drives can
<!-- DoNotUseWebResults-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to control whether or not Search can perform queries on the web, if web results are displayed in Search, and if search highlights are shown in the search box and in search home.
This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are displayed in Search.
- If you enable this policy setting, queries won't be performed on the web, web results won't be displayed when a user performs a query in Search, and search highlights won't be shown in the search box and in search home.
- If you enable this policy setting, queries won't be performed on the web and web results won't be displayed when a user performs a query in Search.
- If you disable this policy setting, queries will be performed on the web, web results will be displayed when a user performs a query in Search, and search highlights will be shown in the search box and in search home.
- If you disable this policy setting, queries will be performed on the web and web results will be displayed when a user performs a query in Search.
- If you don't configure this policy setting, a user can choose whether or not Search can perform queries on the web, and if the web results are displayed in Search, and if search highlights are shown in the search box and in search home.
- If you don't configure this policy setting, a user can choose whether or not Search can perform queries on the web, and if the web results are displayed in Search.
<!-- DoNotUseWebResults-Description-End -->
<!-- DoNotUseWebResults-Editable-Begin -->

8
windows/client-management/mdm/policy-csp-settingssync.md
View File

@ -1,7 +1,7 @@
---
title: SettingsSync Policy CSP
description: Learn more about the SettingsSync Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,8 +11,6 @@ ms.date: 01/18/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- SettingsSync-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SettingsSync-Editable-End -->
@ -23,7 +21,7 @@ ms.date: 01/18/2024
<!-- DisableAccessibilitySettingSync-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisableAccessibilitySettingSync-Applicability-End -->
<!-- DisableAccessibilitySettingSync-OmaUri-Begin -->
@ -84,7 +82,7 @@ If you don't set or disable this setting, syncing of the "accessibility" group i
<!-- DisableLanguageSettingSync-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisableLanguageSettingSync-Applicability-End -->
<!-- DisableLanguageSettingSync-OmaUri-Begin -->

57
windows/client-management/mdm/policy-csp-smartscreen.md
View File

@ -1,7 +1,7 @@
---
title: SmartScreen Policy CSP
description: Learn more about the SmartScreen Area in Policy CSP.
ms.date: 01/31/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -29,20 +29,11 @@ ms.date: 01/31/2024
<!-- EnableAppInstallControl-OmaUri-End -->
<!-- EnableAppInstallControl-Description-Begin -->
<!-- Description-Source-ADMX -->
App Install Control is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only from the Store. SmartScreen must be enabled for this feature to work properly.
<!-- Description-Source-DDF-Forced -->
Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
- If you enable this setting, you must choose from the following behaviors:
- Turn off app recommendations.
- Show me app recommendations.
- Warn me before installing apps from outside the Store.
- Allow apps from Store only.
- If you disable or don't configure this setting, users will be able to install apps from anywhere, including files downloaded from the Internet.
> [!NOTE]
> This policy will block installation only while the device is online. To block offline installation too, SmartScreen/PreventOverrideForFilesInShell and SmartScreen/EnableSmartScreenInShell policies should also be enabled. This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.
<!-- EnableAppInstallControl-Description-End -->
<!-- EnableAppInstallControl-Editable-Begin -->
@ -110,23 +101,8 @@ App Install Control is a feature of Windows Defender SmartScreen that helps prot
<!-- EnableSmartScreenInShell-OmaUri-End -->
<!-- EnableSmartScreenInShell-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that don't appear to be suspicious.
Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.
- If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:
- Warn and prevent bypass
- Warn.
- If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs won't present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app.
- If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen won't warn the user again for that app if the user tells SmartScreen to run the app.
- If you disable this policy, SmartScreen will be turned off for all users. Users won't be warned if they try to run suspicious apps from the Internet.
- If you don't configure this policy, SmartScreen will be enabled by default, but users may change their settings.
<!-- Description-Source-DDF-Forced -->
Allows IT Admins to configure SmartScreen for Windows.
<!-- EnableSmartScreenInShell-Description-End -->
<!-- EnableSmartScreenInShell-Editable-Begin -->
@ -188,23 +164,8 @@ Some information is sent to Microsoft about files and programs run on PCs with t
<!-- PreventOverrideForFilesInShell-OmaUri-End -->
<!-- PreventOverrideForFilesInShell-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that don't appear to be suspicious.
Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.
- If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:
- Warn and prevent bypass
- Warn.
- If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs won't present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app.
- If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen won't warn the user again for that app if the user tells SmartScreen to run the app.
- If you disable this policy, SmartScreen will be turned off for all users. Users won't be warned if they try to run suspicious apps from the Internet.
- If you don't configure this policy, SmartScreen will be enabled by default, but users may change their settings.
<!-- Description-Source-DDF-Forced -->
Allows IT Admins to control whether users can ignore SmartScreen warnings and run malicious files.
<!-- PreventOverrideForFilesInShell-Description-End -->
<!-- PreventOverrideForFilesInShell-Editable-Begin -->

79
windows/client-management/mdm/policy-csp-speakforme.md Normal file
View File

@ -0,0 +1,79 @@
---
title: SpeakForMe Policy CSP
description: Learn more about the SpeakForMe Area in Policy CSP.
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
<!-- SpeakForMe-Begin -->
# Policy CSP - SpeakForMe
<!-- SpeakForMe-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SpeakForMe-Editable-End -->
<!-- EnableSpeakForMe-Begin -->
## EnableSpeakForMe
<!-- EnableSpeakForMe-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- EnableSpeakForMe-Applicability-End -->
<!-- EnableSpeakForMe-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/SpeakForMe/EnableSpeakForMe
```
<!-- EnableSpeakForMe-OmaUri-End -->
<!-- EnableSpeakForMe-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls whether to allow the creation of personal voices with SpeakForMe Accessibility Windows Application.
- If you enable this policy setting, then user can create their personal voice models.
- If you disable this policy setting, then user can't create their personal voice models with SpeakForMe.
- If you don't configure this policy setting (default), then users can launch the training flow and create their personal voice model through SpeakForMe.
<!-- EnableSpeakForMe-Description-End -->
<!-- EnableSpeakForMe-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableSpeakForMe-Editable-End -->
<!-- EnableSpeakForMe-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- EnableSpeakForMe-DFProperties-End -->
<!-- EnableSpeakForMe-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- EnableSpeakForMe-AllowedValues-End -->
<!-- EnableSpeakForMe-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableSpeakForMe-Examples-End -->
<!-- EnableSpeakForMe-End -->
<!-- SpeakForMe-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- SpeakForMe-CspMoreInfo-End -->
<!-- SpeakForMe-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

27
windows/client-management/mdm/policy-csp-sudo.md
View File

@ -1,7 +1,7 @@
---
title: Sudo Policy CSP
description: Learn more about the Sudo Area in Policy CSP.
ms.date: 04/10/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 04/10/2024
<!-- Sudo-Begin -->
# Policy CSP - Sudo
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Sudo-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Sudo-Editable-End -->
@ -21,7 +19,7 @@ ms.date: 04/10/2024
<!-- EnableSudo-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- EnableSudo-Applicability-End -->
<!-- EnableSudo-OmaUri-Begin -->
@ -31,7 +29,20 @@ ms.date: 04/10/2024
<!-- EnableSudo-OmaUri-End -->
<!-- EnableSudo-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting controls use of the sudo.exe command line tool.
- If you enable this policy setting, then you may set a maximum allowed mode to run sudo in. This restricts the ways in which users may interact with command-line applications run with sudo. You may pick one of the following modes to allow sudo to run in:
"Disabled": sudo is entirely disabled on this machine. When the user tries to run sudo, sudo will print an error message and exit.
"Force new window": When sudo launches a command line application, it will launch that app in a new console window.
"Disable input": When sudo launches a command line application, it will launch the app in the current console window, but the user won't be able to type input to the command line app. The user may also choose to run sudo in "Force new window" mode.
"Normal": When sudo launches a command line application, it will launch the app in the current console window. The user may also choose to run sudo in "Force new window" or "Disable input" mode.
- If you disable this policy or don't configure it, the user will be able to run sudo.exe normally (after enabling the setting in the Settings app).
<!-- EnableSudo-Description-End -->
<!-- EnableSudo-Editable-Begin -->
@ -65,7 +76,11 @@ ms.date: 04/10/2024
| Name | Value |
|:--|:--|
| Name | EnableSudo |
| Path | Sudo > AT > System |
| Friendly Name | Configure the behavior of the sudo command |
| Location | Computer Configuration |
| Path | System |
| Registry Key Name | Software\Policies\Microsoft\Windows\Sudo |
| ADMX File Name | Sudo.admx |
<!-- EnableSudo-GpMapping-End -->
<!-- EnableSudo-Examples-Begin -->

20
windows/client-management/mdm/policy-csp-system.md
View File

@ -1,7 +1,7 @@
---
title: System Policy CSP
description: Learn more about the System Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,8 +11,6 @@ ms.date: 08/06/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- System-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- System-Editable-End -->
@ -431,7 +429,7 @@ This policy setting determines whether Windows is allowed to download fonts and
- If you enable this policy setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text.
- If you disable this policy setting, Windows doesn't connect to an online font provider and only enumerates locally installed fonts.
- If you disable this policy setting, Windows doesn't connect to an online font provider and only enumerates locally-installed fonts.
- If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
<!-- AllowFontProviders-Description-End -->
@ -569,7 +567,7 @@ Specifies whether to allow app access to the Location service. Most restricted v
This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
This policy setting configures a Microsoft Entra joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
For customers who enroll into the Microsoft Managed Desktop service, enabling this policy is required to allow Microsoft to process data for operational and analytic needs. See <https://go.microsoft.com/fwlink/?linkid=2184944> for more information.
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
hen these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
This setting has no effect on devices unless they're properly enrolled in Microsoft Managed Desktop. If you disable this policy setting, devices may not appear in Microsoft Managed Desktop.
<!-- AllowMicrosoftManagedDesktopProcessing-Description-End -->
@ -888,7 +886,7 @@ To enable this behavior:
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
If you disable or don't configure this policy setting, devices enrolled to Windows Autopatch won't be able to take advantage of some deployment service features.
If you disable or don't configure this policy setting, devices enrolled to the Windows Update for Business deployment service won't be able to take advantage of some deployment service features.
<!-- AllowWUfBCloudProcessing-Description-End -->
<!-- AllowWUfBCloudProcessing-Editable-Begin -->
@ -1471,7 +1469,7 @@ This policy setting lets you prevent apps and features from working with files o
* Users can't access OneDrive from the OneDrive app and file picker.
* Windows Store apps can't access OneDrive using the WinRT API.
* Packaged Microsoft Store apps can't access OneDrive using the WinRT API.
* OneDrive doesn't appear in the navigation pane in File Explorer.
@ -1739,7 +1737,7 @@ This policy setting controls whether Windows records attempts to connect with th
<!-- FeedbackHubAlwaysSaveDiagnosticsLocally-Description-Begin -->
<!-- Description-Source-DDF -->
Diagnostic files created when feedback is filed in the Feedback Hub app will always be saved locally. If this policy isn't present or set to false, users will be presented with the option to save locally. The default is to not save locally.
Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy isn't present or set to false, users will be presented with the option to save locally. The default is to not save locally.
<!-- FeedbackHubAlwaysSaveDiagnosticsLocally-Description-End -->
<!-- FeedbackHubAlwaysSaveDiagnosticsLocally-Editable-Begin -->
@ -1761,8 +1759,8 @@ Diagnostic files created when feedback is filed in the Feedback Hub app will alw
| Value | Description |
|:--|:--|
| 0 (Default) | False. The Feedback Hub won't always save a local copy of diagnostics that may be created when feedback is submitted. The user will have the option to do so. |
| 1 | True. The Feedback Hub should always save a local copy of diagnostics that may be created when feedback is submitted. |
| 0 (Default) | False. The Feedback Hub won't always save a local copy of diagnostics that may be created when a feedback is submitted. The user will have the option to do so. |
| 1 | True. The Feedback Hub should always save a local copy of diagnostics that may be created when a feedback is submitted. |
<!-- FeedbackHubAlwaysSaveDiagnosticsLocally-AllowedValues-End -->
<!-- FeedbackHubAlwaysSaveDiagnosticsLocally-Examples-Begin -->
@ -1777,7 +1775,7 @@ Diagnostic files created when feedback is filed in the Feedback Hub app will alw
<!-- HideUnsupportedHardwareNotifications-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- HideUnsupportedHardwareNotifications-Applicability-End -->
<!-- HideUnsupportedHardwareNotifications-OmaUri-Begin -->

36
windows/client-management/mdm/policy-csp-systemservices.md
View File

@ -1,7 +1,7 @@
---
title: SystemServices Policy CSP
description: Learn more about the SystemServices Area in Policy CSP.
ms.date: 04/10/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 04/10/2024
<!-- SystemServices-Begin -->
# Policy CSP - SystemServices
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- SystemServices-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SystemServices-Editable-End -->
@ -21,7 +19,7 @@ ms.date: 04/10/2024
<!-- ConfigureComputerBrowserServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureComputerBrowserServiceStartupMode-Applicability-End -->
<!-- ConfigureComputerBrowserServiceStartupMode-OmaUri-Begin -->
@ -171,7 +169,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureIISAdminServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureIISAdminServiceStartupMode-Applicability-End -->
<!-- ConfigureIISAdminServiceStartupMode-OmaUri-Begin -->
@ -221,7 +219,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureInfraredMonitorServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureInfraredMonitorServiceStartupMode-Applicability-End -->
<!-- ConfigureInfraredMonitorServiceStartupMode-OmaUri-Begin -->
@ -271,7 +269,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Applicability-End -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-OmaUri-Begin -->
@ -321,7 +319,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureLxssManagerServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureLxssManagerServiceStartupMode-Applicability-End -->
<!-- ConfigureLxssManagerServiceStartupMode-OmaUri-Begin -->
@ -371,7 +369,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureMicrosoftFTPServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureMicrosoftFTPServiceStartupMode-Applicability-End -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-OmaUri-Begin -->
@ -421,7 +419,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Applicability-End -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-OmaUri-Begin -->
@ -471,7 +469,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Applicability-End -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-OmaUri-Begin -->
@ -521,7 +519,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureSimpleTCPIPServicesStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureSimpleTCPIPServicesStartupMode-Applicability-End -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-OmaUri-Begin -->
@ -571,7 +569,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Applicability-End -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-OmaUri-Begin -->
@ -621,7 +619,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Applicability-End -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-OmaUri-Begin -->
@ -671,7 +669,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Applicability-End -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-OmaUri-Begin -->
@ -721,7 +719,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureWebManagementServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureWebManagementServiceStartupMode-Applicability-End -->
<!-- ConfigureWebManagementServiceStartupMode-OmaUri-Begin -->
@ -771,7 +769,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Applicability-End -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-OmaUri-Begin -->
@ -821,7 +819,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Applicability-End -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-OmaUri-Begin -->
@ -871,7 +869,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Applicability-End -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-OmaUri-Begin -->

6
windows/client-management/mdm/policy-csp-tenantrestrictions.md
View File

@ -1,7 +1,7 @@
---
title: TenantRestrictions Policy CSP
description: Learn more about the TenantRestrictions Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -41,9 +41,9 @@ When you enable this setting, compliant applications will be prevented from acce
<https://go.microsoft.com/fwlink/?linkid=2148762>
Before enabling firewall protection, ensure that a Windows Defender Application Control (WDAC) policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding WDAC policy will prevent all applications from reaching Microsoft endpoints. This firewall setting isn't supported on all versions of Windows - see the following link for more information.
Before enabling firewall protection, ensure that an App Control for Business policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding App Control for Business policy will prevent all applications from reaching Microsoft endpoints. This firewall setting isn't supported on all versions of Windows - see the following link for more information.
For details about setting up WDAC with tenant restrictions, see <https://go.microsoft.com/fwlink/?linkid=2155230>
For details about setting up App Control with tenant restrictions, see <https://go.microsoft.com/fwlink/?linkid=2155230>
<!-- ConfigureTenantRestrictions-Description-End -->
<!-- ConfigureTenantRestrictions-Editable-Begin -->

413
windows/client-management/mdm/policy-csp-update.md
View File

@ -1,7 +1,7 @@
---
title: Update Policy CSP
description: Learn more about the Update Area in Policy CSP.
ms.date: 09/11/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,18 +9,12 @@ ms.date: 09/11/2024
<!-- Update-Begin -->
# Policy CSP - Update
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Update-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Update-Editable-End -->
Update CSP policies are listed below based on the group policy area:
- [Windows Insider Preview](#windows-insider-preview)
- [AlwaysAutoRebootAtScheduledTimeMinutes](#alwaysautorebootatscheduledtimeminutes)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
- [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update)
- [AllowNonMicrosoftSignedUpdate](#allownonmicrosoftsignedupdate)
- [AllowOptionalContent](#allowoptionalcontent)
@ -61,7 +55,8 @@ Update CSP policies are listed below based on the group policy area:
- [ConfigureDeadlineForQualityUpdates](#configuredeadlineforqualityupdates)
- [ConfigureDeadlineGracePeriod](#configuredeadlinegraceperiod)
- [ConfigureDeadlineGracePeriodForFeatureUpdates](#configuredeadlinegraceperiodforfeatureupdates)
- [ConfigureDeadlineNoAutoReboot](#configuredeadlinenoautoreboot)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
- [ConfigureFeatureUpdateUninstallPeriod](#configurefeatureupdateuninstallperiod)
- [NoUpdateNotificationsDuringActiveHours](#noupdatenotificationsduringactivehours)
- [ScheduledInstallDay](#scheduledinstallday)
@ -76,6 +71,7 @@ Update CSP policies are listed below based on the group policy area:
- [SetEDURestart](#setedurestart)
- [UpdateNotificationLevel](#updatenotificationlevel)
- [Legacy Policies](#legacy-policies)
- [AlwaysAutoRebootAtScheduledTimeMinutes](#alwaysautorebootatscheduledtimeminutes)
- [AutoRestartDeadlinePeriodInDays](#autorestartdeadlineperiodindays)
- [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](#autorestartdeadlineperiodindaysforfeatureupdates)
- [AutoRestartNotificationSchedule](#autorestartnotificationschedule)
@ -99,188 +95,6 @@ Update CSP policies are listed below based on the group policy area:
- [ScheduleRestartWarning](#schedulerestartwarning)
- [SetAutoRestartNotificationDisable](#setautorestartnotificationdisable)
## Windows Insider Preview
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Begin -->
### AlwaysAutoRebootAtScheduledTimeMinutes
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Applicability-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/AlwaysAutoRebootAtScheduledTimeMinutes
```
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-OmaUri-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this policy, a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days.
The restart timer can be configured to start with any value from 15 to 180 minutes. When the timer runs out, the restart will proceed even if the PC has signed-in users.
- If you disable or don't configure this policy, Windows Update won't alter its restart behavior.
If the "No auto-restart with logged-on users for scheduled automatic updates installations" policy is enabled, then this policy has no effect.
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Description-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Editable-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[15-180]` |
| Default Value | 15 |
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-DFProperties-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AlwaysAutoRebootAtScheduledTime |
| Friendly Name | Always automatically restart at the scheduled time |
| Element Name | work (minutes) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU |
| ADMX File Name | WindowsUpdate.admx |
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-GpMapping-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Examples-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Begin -->
### ConfigureDeadlineNoAutoRebootForFeatureUpdates
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates
```
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Description-Begin -->
<!-- Description-Source-DDF -->
When enabled, devices won't automatically restart outside of active hours until the deadline and grace period have expired for feature updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForFeatureUpdates is configured.
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Description-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Editable-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-DFProperties-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-AllowedValues-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates |
| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
| Element Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates |
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-GpMapping-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Examples-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Begin -->
### ConfigureDeadlineNoAutoRebootForQualityUpdates
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForQualityUpdates
```
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Description-Begin -->
<!-- Description-Source-DDF -->
When enabled, devices won't automatically restart outside of active hours until the deadline and grace period have expired for quality updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates is configured.
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Description-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Editable-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-DFProperties-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-AllowedValues-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ConfigureDeadlineNoAutoRebootForQualityUpdates |
| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
| Element Name | ConfigureDeadlineNoAutoRebootForQualityUpdates |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-GpMapping-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Examples-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-End -->
## Manage updates offered from Windows Update
<!-- AllowNonMicrosoftSignedUpdate-Begin -->
@ -2518,8 +2332,8 @@ Number of days before feature updates are installed on devices automatically reg
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
| Friendly Name | Specify deadlines for automatic updates and restarts |
| Name | ComplianceDeadlineForFU |
| Friendly Name | Specify deadline for automatic updates and restarts for feature update |
| Element Name | Deadline (days) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
@ -2578,7 +2392,7 @@ Number of days before quality updates are installed on devices automatically reg
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
| Friendly Name | Specify deadlines for automatic updates and restarts |
| Friendly Name | Specify deadline for automatic updates and restarts for quality update |
| Element Name | Deadline (days) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
@ -2633,7 +2447,7 @@ Minimum number of days from update installation until restarts occur automatical
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
| Friendly Name | Specify deadlines for automatic updates and restarts |
| Friendly Name | Specify deadline for automatic updates and restarts for quality update |
| Element Name | Grace period (days) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
@ -2687,8 +2501,8 @@ Minimum number of days from update installation until restarts occur automatical
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
| Friendly Name | Specify deadlines for automatic updates and restarts |
| Name | ComplianceDeadlineForFU |
| Friendly Name | Specify deadline for automatic updates and restarts for feature update |
| Element Name | Grace Period (days) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
@ -2702,31 +2516,47 @@ Minimum number of days from update installation until restarts occur automatical
<!-- ConfigureDeadlineGracePeriodForFeatureUpdates-End -->
<!-- ConfigureDeadlineNoAutoReboot-Begin -->
### ConfigureDeadlineNoAutoReboot
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Begin -->
### ConfigureDeadlineNoAutoRebootForFeatureUpdates
<!-- ConfigureDeadlineNoAutoReboot-Applicability-Begin -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1903 [10.0.18362] and later |
<!-- ConfigureDeadlineNoAutoReboot-Applicability-End -->
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-End -->
<!-- ConfigureDeadlineNoAutoReboot-OmaUri-Begin -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoReboot
./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates
```
<!-- ConfigureDeadlineNoAutoReboot-OmaUri-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-End -->
<!-- ConfigureDeadlineNoAutoReboot-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
When enabled, devices won't automatically restart outside of active hours until the deadline and grace period have expired, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates or Update/ConfigureDeadlineForFeatureUpdates is configured.
<!-- ConfigureDeadlineNoAutoReboot-Description-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy lets you specify the number of days before feature updates are installed on devices automatically, and a grace period after which required restarts occur automatically.
<!-- ConfigureDeadlineNoAutoReboot-Editable-Begin -->
Set deadlines for feature updates and quality updates to meet your compliance goals. Updates will be downloaded and installed as soon as they're offered and automatic restarts will be attempted outside of active hours. Once the deadline has passed, restarts will occur regardless of active hours, and users won't be able to reschedule. If the deadline is set to 0 days, the update will be installed immediately upon offering, but might not finish within the day due to device availability and network connectivity.
Set a grace period for feature updates to guarantee users a minimum time to manage their restarts once updates are installed. Users will be able to schedule restarts during the grace period and Windows can still automatically restart outside of active hours if users choose not to schedule restarts. The grace period might not take effect if users already have more than the number of days set as grace period to manage their restart, based on deadline configurations.
You can set the device to delay restarting until both the deadline and grace period have expired.
If you disable or don't configure this policy, devices will get updates and will restart according to the default schedule.
This policy will override the following policies:
1. Specify deadline before auto restart for update installation
1. Specify Engaged restart transition and notification schedule for updates.
1. Always automatically restart at the scheduled time
1. Configure Automatic Updates.
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Description-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoReboot-Editable-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Editable-End -->
<!-- ConfigureDeadlineNoAutoReboot-DFProperties-Begin -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
@ -2734,36 +2564,115 @@ When enabled, devices won't automatically restart outside of active hours until
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ConfigureDeadlineNoAutoReboot-DFProperties-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-DFProperties-End -->
<!-- ConfigureDeadlineNoAutoReboot-AllowedValues-Begin -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- ConfigureDeadlineNoAutoReboot-AllowedValues-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-AllowedValues-End -->
<!-- ConfigureDeadlineNoAutoReboot-GpMapping-Begin -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
| Friendly Name | Specify deadlines for automatic updates and restarts |
| Name | ComplianceDeadlineForFU |
| Friendly Name | Specify deadline for automatic updates and restarts for feature update |
| Element Name | Don't auto-restart until end of grace period. |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate |
| ADMX File Name | WindowsUpdate.admx |
<!-- ConfigureDeadlineNoAutoReboot-GpMapping-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-GpMapping-End -->
<!-- ConfigureDeadlineNoAutoReboot-Examples-Begin -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoReboot-Examples-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Examples-End -->
<!-- ConfigureDeadlineNoAutoReboot-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Begin -->
### ConfigureDeadlineNoAutoRebootForQualityUpdates
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForQualityUpdates
```
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy lets you specify the number of days before quality updates are installed on devices automatically, and a grace period after which required restarts occur automatically.
Set deadlines for quality updates to meet your compliance goals. Updates will be downloaded and installed as soon as they're offered and automatic restarts will be attempted outside of active hours. Once the deadline has passed, restarts will occur regardless of active hours, and users won't be able to reschedule. If the deadline is set to 0 days, the update will be installed immediately upon offering, but might not finish within the day due to device availability and network connectivity.
Set a grace period for quality updates to guarantee users a minimum time to manage their restarts once updates are installed. Users will be able to schedule restarts during the grace period and Windows can still automatically restart outside of active hours if users choose not to schedule restarts. The grace period might not take effect if users already have more than the number of days set as grace period to manage their restart, based on deadline configurations.
You can set the device to delay restarting until both the deadline and grace period have expired.
If you disable or don't configure this policy, devices will get updates and will restart according to the default schedule.
This policy will override the following policies:
1. Specify deadline before auto restart for update installation
1. Specify Engaged restart transition and notification schedule for updates.
1. Always automatically restart at the scheduled time
1. Configure Automatic Updates.
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Description-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Editable-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-DFProperties-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-AllowedValues-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
| Friendly Name | Specify deadline for automatic updates and restarts for quality update |
| Element Name | Don't auto-restart until end of grace period. |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate |
| ADMX File Name | WindowsUpdate.admx |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-GpMapping-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Examples-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-End -->
<!-- ConfigureFeatureUpdateUninstallPeriod-Begin -->
### ConfigureFeatureUpdateUninstallPeriod
@ -3647,6 +3556,68 @@ If you select "Apply only during active hours" in conjunction with Option 1 or 2
## Legacy Policies
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Begin -->
### AlwaysAutoRebootAtScheduledTimeMinutes
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Applicability-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/AlwaysAutoRebootAtScheduledTimeMinutes
```
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-OmaUri-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this policy, a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days.
The restart timer can be configured to start with any value from 15 to 180 minutes. When the timer runs out, the restart will proceed even if the PC has signed-in users.
- If you disable or don't configure this policy, Windows Update won't alter its restart behavior.
If the "No auto-restart with logged-on users for scheduled automatic updates installations" policy is enabled, then this policy has no effect.
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Description-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Editable-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[15-180]` |
| Default Value | 15 |
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-DFProperties-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AlwaysAutoRebootAtScheduledTime |
| Friendly Name | Always automatically restart at the scheduled time |
| Element Name | work (minutes) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Legacy Policies |
| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU |
| ADMX File Name | WindowsUpdate.admx |
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-GpMapping-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Examples-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-End -->
<!-- AutoRestartDeadlinePeriodInDays-Begin -->
### AutoRestartDeadlinePeriodInDays

28
windows/client-management/mdm/policy-csp-userrights.md
View File

@ -1,7 +1,7 @@
---
title: UserRights Policy CSP
description: Learn more about the UserRights Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 01/18/2024
<!-- UserRights-Begin -->
# Policy CSP - UserRights
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- UserRights-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as Security Identifiers (SID) or strings. For more information, see [Well-known SID structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab).
@ -258,7 +256,7 @@ This user right allows a process to impersonate any user without authentication.
<!-- AdjustMemoryQuotasForProcess-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AdjustMemoryQuotasForProcess-Applicability-End -->
<!-- AdjustMemoryQuotasForProcess-OmaUri-Begin -->
@ -359,7 +357,7 @@ This user right determines which users can log on to the computer.
<!-- AllowLogOnThroughRemoteDesktop-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllowLogOnThroughRemoteDesktop-Applicability-End -->
<!-- AllowLogOnThroughRemoteDesktop-OmaUri-Begin -->
@ -460,7 +458,7 @@ This user right determines which users can bypass file, directory, registry, and
<!-- BypassTraverseChecking-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- BypassTraverseChecking-Applicability-End -->
<!-- BypassTraverseChecking-OmaUri-Begin -->
@ -567,7 +565,7 @@ This user right determines which users and groups can change the time and date o
<!-- ChangeTimeZone-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ChangeTimeZone-Applicability-End -->
<!-- ChangeTimeZone-OmaUri-Begin -->
@ -1027,7 +1025,7 @@ This security setting determines which service accounts are prevented from regis
<!-- DenyLogOnAsBatchJob-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DenyLogOnAsBatchJob-Applicability-End -->
<!-- DenyLogOnAsBatchJob-OmaUri-Begin -->
@ -1076,7 +1074,7 @@ This security setting determines which accounts are prevented from being able to
<!-- DenyLogOnAsService-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DenyLogOnAsService-Applicability-End -->
<!-- DenyLogOnAsService-OmaUri-Begin -->
@ -1336,7 +1334,7 @@ Assigning this user right to a user allows programs running on behalf of that us
<!-- IncreaseProcessWorkingSet-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- IncreaseProcessWorkingSet-Applicability-End -->
<!-- IncreaseProcessWorkingSet-OmaUri-Begin -->
@ -1543,7 +1541,7 @@ This user right determines which accounts can use a process to keep data in phys
<!-- LogOnAsBatchJob-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- LogOnAsBatchJob-Applicability-End -->
<!-- LogOnAsBatchJob-OmaUri-Begin -->
@ -1592,7 +1590,7 @@ This security setting allows a user to be logged-on by means of a batch-queue fa
<!-- LogOnAsService-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- LogOnAsService-Applicability-End -->
<!-- LogOnAsService-OmaUri-Begin -->
@ -1889,7 +1887,7 @@ This user right determines which users can use performance monitoring tools to m
<!-- ProfileSystemPerformance-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ProfileSystemPerformance-Applicability-End -->
<!-- ProfileSystemPerformance-OmaUri-Begin -->
@ -1987,7 +1985,7 @@ This user right determines which users are allowed to shut down a computer from
<!-- ReplaceProcessLevelToken-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ReplaceProcessLevelToken-Applicability-End -->
<!-- ReplaceProcessLevelToken-OmaUri-Begin -->
@ -2088,7 +2086,7 @@ This user right determines which users can bypass file, directory, registry, and
<!-- ShutDownTheSystem-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ShutDownTheSystem-Applicability-End -->
<!-- ShutDownTheSystem-OmaUri-Begin -->

6
windows/client-management/mdm/policy-csp-webthreatdefense.md
View File

@ -1,7 +1,7 @@
---
title: WebThreatDefense Policy CSP
description: Learn more about the WebThreatDefense Area in Policy CSP.
ms.date: 01/31/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 01/31/2024
<!-- WebThreatDefense-Begin -->
# Policy CSP - WebThreatDefense
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WebThreatDefense-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
@ -23,7 +21,7 @@ ms.date: 01/31/2024
<!-- AutomaticDataCollection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AutomaticDataCollection-Applicability-End -->
<!-- AutomaticDataCollection-OmaUri-Begin -->

73
windows/client-management/mdm/policy-csp-windowsai.md
View File

@ -1,7 +1,7 @@
---
title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP.
ms.date: 09/11/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -21,7 +21,7 @@ ms.date: 09/11/2024
<!-- DisableAIDataAnalysis-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisableAIDataAnalysis-Applicability-End -->
<!-- DisableAIDataAnalysis-OmaUri-Begin -->
@ -31,14 +31,12 @@ ms.date: 09/11/2024
<!-- DisableAIDataAnalysis-OmaUri-End -->
<!-- DisableAIDataAnalysis-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to determine whether end users have the option to allow snapshots to be saved on their PCs.
<!-- Description-Source-ADMX -->
This policy setting allows you to control whether Windows saves snapshots of the screen and analyzes the user's activity on their device.
- If disabled, end users will have a choice to save snapshots of their screen on their PC and then use Recall to find things they've seen.
- If you enable this policy setting, Windows won't be able to save snapshots and users won't be able to search for or browse through their historical device activity using Recall.
- If the policy is enabled, end users won't be able to save snapshots on their PC.
- If the policy isn't configured, end users may or may not be able to save snapshots on their PC-depending on other policy configurations.
- If you disable or don't configure this policy setting, Windows will save snapshots of the screen and users will be able to search for or browse through a timeline of their past activities using Recall.
<!-- DisableAIDataAnalysis-Description-End -->
<!-- DisableAIDataAnalysis-Editable-Begin -->
@ -70,7 +68,12 @@ This policy setting allows you to determine whether end users have the option to
| Name | Value |
|:--|:--|
| Name | DisableAIDataAnalysis |
| Path | WindowsAI > AT > WindowsComponents > WindowsAI |
| Friendly Name | Turn off Saving Snapshots for Windows |
| Location | User Configuration |
| Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | DisableAIDataAnalysis |
| ADMX File Name | WindowsCopilot.admx |
<!-- DisableAIDataAnalysis-GpMapping-End -->
<!-- DisableAIDataAnalysis-Examples-Begin -->
@ -203,6 +206,58 @@ This policy setting allows you to control whether Image Creator functionality is
<!-- DisableImageCreator-End -->
<!-- SetCopilotHardwareKey-Begin -->
## SetCopilotHardwareKey
<!-- SetCopilotHardwareKey-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SetCopilotHardwareKey-Applicability-End -->
<!-- SetCopilotHardwareKey-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/SetCopilotHardwareKey
```
<!-- SetCopilotHardwareKey-OmaUri-End -->
<!-- SetCopilotHardwareKey-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting determines which app opens when the user presses the Copilot key on their keyboard.
- If the policy is enabled, the specified app will open when the user presses the Copilot key. Users can change the key assignment in Settings.
- If the policy isn't configured, Copilot will open if it's available in that country or region.
<!-- SetCopilotHardwareKey-Description-End -->
<!-- SetCopilotHardwareKey-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetCopilotHardwareKey-Editable-End -->
<!-- SetCopilotHardwareKey-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- SetCopilotHardwareKey-DFProperties-End -->
<!-- SetCopilotHardwareKey-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SetCopilotHardwareKey |
| Path | WindowsCopilot > AT > WindowsComponents > WindowsCopilot |
<!-- SetCopilotHardwareKey-GpMapping-End -->
<!-- SetCopilotHardwareKey-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetCopilotHardwareKey-Examples-End -->
<!-- SetCopilotHardwareKey-End -->
<!-- TurnOffWindowsCopilot-Begin -->
## TurnOffWindowsCopilot

10
windows/client-management/mdm/policy-csp-windowslogon.md
View File

@ -1,7 +1,7 @@
---
title: WindowsLogon Policy CSP
description: Learn more about the WindowsLogon Area in Policy CSP.
ms.date: 04/10/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -380,11 +380,11 @@ This policy setting allows you to control whether users see the first sign-in an
<!-- EnableMPRNotifications-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls the configuration under which winlogon sends MPR notifications in the system.
This policy controls whether the user's password is included in the content of MPR notifications sent by winlogon in the system.
- If you enable this setting or don't configure it, winlogon sends MPR notifications if a credential manager is configured.
- If you disable this setting or don't configure it, winlogon sends MPR notifications with empty password fields of the user's authentication info.
- If you disable this setting, winlogon doesn't send MPR notifications.
- If you enable this setting, winlogon sends MPR notifications containing the user's password in the authentication info.
<!-- EnableMPRNotifications-Description-End -->
<!-- EnableMPRNotifications-Editable-Begin -->
@ -415,7 +415,7 @@ This policy controls the configuration under which winlogon sends MPR notificati
| Name | Value |
|:--|:--|
| Name | EnableMPRNotifications |
| Friendly Name | Enable MPR notifications for the system |
| Friendly Name | Configure the transmission of the user's password in the content of MPR notifications sent by winlogon. |
| Location | Computer Configuration |
| Path | Windows Components > Windows Logon Options |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |

52
windows/client-management/mdm/policy-csp-windowssandbox.md
View File

@ -1,7 +1,7 @@
---
title: WindowsSandbox Policy CSP
description: Learn more about the WindowsSandbox Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 01/18/2024
<!-- WindowsSandbox-Begin -->
# Policy CSP - WindowsSandbox
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WindowsSandbox-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- WindowsSandbox-Editable-End -->
@ -149,7 +147,7 @@ This policy setting enables or disables clipboard sharing with the sandbox.
<!-- AllowMappedFolders-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllowMappedFolders-Applicability-End -->
<!-- AllowMappedFolders-OmaUri-Begin -->
@ -159,8 +157,18 @@ This policy setting enables or disables clipboard sharing with the sandbox.
<!-- AllowMappedFolders-OmaUri-End -->
<!-- AllowMappedFolders-Description-Begin -->
<!-- Description-Source-DDF -->
Allow mapping folders into Windows Sandbox.
<!-- Description-Source-ADMX -->
This policy setting enables or disables mapping folders into sandbox.
- If you enable this policy setting, mapping folders from the host into Sandbox will be permitted.
- If you enable this policy setting and disable write to mapped folders, mapping folders from the host into Sandbox will be permitted, but Sandbox will only have permission to read the files.
- If you disable this policy setting, mapping folders from the host into Sandbox won't be permitted.
- If you don't configure this policy setting, mapped folders will be enabled.
Note that there may be security implications of exposing folders from the host into the container.
<!-- AllowMappedFolders-Description-End -->
<!-- AllowMappedFolders-Editable-Begin -->
@ -184,7 +192,12 @@ Allow mapping folders into Windows Sandbox.
| Name | Value |
|:--|:--|
| Name | AllowMappedFolders |
| Path | WindowsSandbox > AT > WindowsComponents > WindowsSandboxCat |
| Friendly Name | Allow mapping folders into Windows Sandbox |
| Location | Computer Configuration |
| Path | Windows Components > Windows Sandbox |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
| Registry Value Name | AllowMappedFolders |
| ADMX File Name | WindowsSandbox.admx |
<!-- AllowMappedFolders-GpMapping-End -->
<!-- AllowMappedFolders-Examples-Begin -->
@ -457,7 +470,7 @@ Note that there may be security implications of exposing host video input to the
<!-- AllowWriteToMappedFolders-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllowWriteToMappedFolders-Applicability-End -->
<!-- AllowWriteToMappedFolders-OmaUri-Begin -->
@ -467,8 +480,18 @@ Note that there may be security implications of exposing host video input to the
<!-- AllowWriteToMappedFolders-OmaUri-End -->
<!-- AllowWriteToMappedFolders-Description-Begin -->
<!-- Description-Source-DDF -->
Allow Sandbox to write to mapped folders.
<!-- Description-Source-ADMX -->
This policy setting enables or disables mapping folders into sandbox.
- If you enable this policy setting, mapping folders from the host into Sandbox will be permitted.
- If you enable this policy setting and disable write to mapped folders, mapping folders from the host into Sandbox will be permitted, but Sandbox will only have permission to read the files.
- If you disable this policy setting, mapping folders from the host into Sandbox won't be permitted.
- If you don't configure this policy setting, mapped folders will be enabled.
Note that there may be security implications of exposing folders from the host into the container.
<!-- AllowWriteToMappedFolders-Description-End -->
<!-- AllowWriteToMappedFolders-Editable-Begin -->
@ -492,8 +515,13 @@ Allow Sandbox to write to mapped folders.
| Name | Value |
|:--|:--|
| Name | AllowWriteToMappedFolders |
| Path | WindowsSandbox > AT > WindowsComponents > WindowsSandboxCat |
| Name | AllowMappedFolders |
| Friendly Name | Allow mapping folders into Windows Sandbox |
| Location | Computer Configuration |
| Path | Windows Components > Windows Sandbox |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
| Registry Value Name | AllowMappedFolders |
| ADMX File Name | WindowsSandbox.admx |
<!-- AllowWriteToMappedFolders-GpMapping-End -->
<!-- AllowWriteToMappedFolders-Examples-Begin -->

16
windows/client-management/mdm/toc.yml
View File

@ -48,12 +48,12 @@ items:
- name: Protocol
expanded: true
items:
- name: Overview
href: ../declared-configuration.md
- name: Discovery
href: ../declared-configuration-discovery.md
- name: Enrollment
href: ../declared-configuration-enrollment.md
- name: Overview
href: ../declared-configuration.md
- name: Discovery
href: ../declared-configuration-discovery.md
- name: Enrollment
href: ../declared-configuration-enrollment.md
- name: Extensibility
href: ../declared-configuration-extensibility.md
- name: Resource access
@ -387,7 +387,7 @@ items:
href: policy-csp-authentication.md
- name: Autoplay
href: policy-csp-autoplay.md
- name: BitLocker
- name: Bitlocker
href: policy-csp-bitlocker.md
- name: BITS
href: policy-csp-bits.md
@ -537,6 +537,8 @@ items:
href: policy-csp-settingssync.md
- name: SmartScreen
href: policy-csp-smartscreen.md
- name: SpeakForMe
href: policy-csp-speakforme.md
- name: Speech
href: policy-csp-speech.md
- name: Start

29
windows/configuration/assigned-access/overview.md
View File

@ -298,35 +298,6 @@ To change the default time for Assigned Access to resume, add *IdleTimeOut* (DWO
The Breakout Sequence of <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Del</kbd> is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence is <kbd>CTRL</kbd> + <kbd>ALT</kbd> + <kbd>A</kbd>, where <kbd>CTRL</kbd> + <kbd>ALT</kbd> are the modifiers, and <kbd>A</kbd> is the key value. To learn more, see [Create an Assigned Access configuration XML file](configuration-file.md).
### Keyboard shortcuts
The following keyboard shortcuts are blocked for the user accounts with Assigned Access:
| Keyboard shortcut | Action |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------|
| <kbd>Ctrl</kbd> + <kbd>Shift</kbd> + <kbd>Esc</kbd> | Open Task Manager |
| <kbd>WIN</kbd> + <kbd>,</kbd> (comma) | Temporarily peek at the desktop |
| <kbd>WIN</kbd> + <kbd>A</kbd> | Open Action center |
| <kbd>WIN</kbd> + <kbd>Alt</kbd> + <kbd> D</kbd> | Display and hide the date and time on the desktop |
| <kbd>WIN</kbd> + <kbd>Ctrl</kbd> + <kbd> F</kbd> | Find computer objects in Active Directory |
| <kbd>WIN</kbd> + <kbd>D</kbd> | Display and hide the desktop |
| <kbd>WIN</kbd> + <kbd>E</kbd> | Open File Explorer |
| <kbd>WIN</kbd> + <kbd>F</kbd> | Open Feedback Hub |
| <kbd>WIN</kbd> + <kbd>G</kbd> | Open Game bar when a game is open |
| <kbd>WIN</kbd> + <kbd>I</kbd> | Open Settings |
| <kbd>WIN</kbd> + <kbd>J</kbd> | Set focus to a Windows tip when one is available |
| <kbd>WIN</kbd> + <kbd>O</kbd> | Lock device orientation |
| <kbd>WIN</kbd> + <kbd>Q</kbd> | Open search |
| <kbd>WIN</kbd> + <kbd>R</kbd> | Open the Run dialog box |
| <kbd>WIN</kbd> + <kbd>S</kbd> | Open search |
| <kbd>WIN</kbd> + <kbd>Shift</kbd> + <kbd> C</kbd> | Open Cortana in listening mode |
| <kbd>WIN</kbd> + <kbd>X</kbd> | Open the Quick Link menu |
| <kbd>LaunchApp1</kbd> | Open the app that is assigned to this key |
| <kbd>LaunchApp2</kbd> | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator |
| <kbd>LaunchMail</kbd> | Open the default mail client |
For information on how to customize keyboard shortcuts, see [Assigned Access recommendations](recommendations.md#keyboard-shortcuts).
## Remove Assigned Access
Deleting the restricted user experience removes the policy settings associated with the users, but it can't revert all the configurations. For example, the Start menu configuration is maintained.

29
windows/configuration/assigned-access/policy-settings.md
View File

@ -112,3 +112,32 @@ The deny list is used to prevent the user from accessing the apps, which are cur
1. The default rule is to allow all users to launch the desktop programs signed with *Microsoft Certificate* for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.
1. There's a predefined inbox desktop app deny list for the Assigned Access user account, which is updated based on the *desktop app allow list* that you defined in the Assigned Access configuration
1. Enterprise-defined allowed desktop apps are added in the AppLocker allow list
## Keyboard shortcuts
The following keyboard shortcuts are blocked for the user accounts with Assigned Access:
| Keyboard shortcut | Action |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------|
| <kbd>Ctrl</kbd> + <kbd>Shift</kbd> + <kbd>Esc</kbd> | Open Task Manager |
| <kbd>WIN</kbd> + <kbd>,</kbd> (comma) | Temporarily peek at the desktop |
| <kbd>WIN</kbd> + <kbd>A</kbd> | Open Action center |
| <kbd>WIN</kbd> + <kbd>Alt</kbd> + <kbd> D</kbd> | Display and hide the date and time on the desktop |
| <kbd>WIN</kbd> + <kbd>Ctrl</kbd> + <kbd> F</kbd> | Find computer objects in Active Directory |
| <kbd>WIN</kbd> + <kbd>D</kbd> | Display and hide the desktop |
| <kbd>WIN</kbd> + <kbd>E</kbd> | Open File Explorer |
| <kbd>WIN</kbd> + <kbd>F</kbd> | Open Feedback Hub |
| <kbd>WIN</kbd> + <kbd>G</kbd> | Open Game bar when a game is open |
| <kbd>WIN</kbd> + <kbd>I</kbd> | Open Settings |
| <kbd>WIN</kbd> + <kbd>J</kbd> | Set focus to a Windows tip when one is available |
| <kbd>WIN</kbd> + <kbd>O</kbd> | Lock device orientation |
| <kbd>WIN</kbd> + <kbd>Q</kbd> | Open search |
| <kbd>WIN</kbd> + <kbd>R</kbd> | Open the Run dialog box |
| <kbd>WIN</kbd> + <kbd>S</kbd> | Open search |
| <kbd>WIN</kbd> + <kbd>Shift</kbd> + <kbd> C</kbd> | Open Cortana in listening mode |
| <kbd>WIN</kbd> + <kbd>X</kbd> | Open the Quick Link menu |
| <kbd>LaunchApp1</kbd> | Open the app that is assigned to this key |
| <kbd>LaunchApp2</kbd> | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator |
| <kbd>LaunchMail</kbd> | Open the default mail client |
For information on how to customize keyboard shortcuts, see [Assigned Access recommendations](recommendations.md#keyboard-shortcuts).

2
windows/configuration/provisioning-packages/provision-pcs-with-apps.md
View File

@ -12,7 +12,7 @@ You can install multiple Universal Windows Platform (UWP) apps and Windows deskt
When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#add-a-windows-desktop-application-using-advanced-editor).
> [!IMPORTANT]
> If you plan to use Intune to manage your devices, we recommend using Intune to install Microsoft 365 Apps for enterprise. Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to add Microsoft 365 Apps to Windows devices with Microsoft Intune.](/intune/apps-add-office365)
> If you plan to use Intune to manage your devices, we recommend using Intune to install Microsoft 365 Apps for enterprise. Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to add Microsoft 365 Apps to Windows devices with Microsoft Intune.](/mem/intune/apps/apps-add-office365)
## Settings for UWP apps

2
windows/deployment/TOC.yml
View File

@ -317,7 +317,7 @@ items:
href: configure-a-pxe-server-to-load-windows-pe.md
- name: Windows Deployment Services (WDS) boot.wim support
href: wds-boot-support.md
- name: Windows ADK for Windows 10 scenarios for IT Pros
- name: Windows ADK for Windows scenarios for IT Pros
href: windows-adk-scenarios-for-it-pros.md
- name: User State Migration Tool (USMT) technical reference
items:

38
windows/deployment/do/TOC.yml
View File

@ -38,13 +38,37 @@
- name: MCC for Enterprise and Education Overview
href: mcc-ent-edu-overview.md
- name: Requirements
href: mcc-enterprise-prerequisites.md
- name: Deploy Microsoft Connected Cache
href: mcc-enterprise-deploy.md
- name: Update or uninstall MCC
href: mcc-enterprise-update-uninstall.md
- name: Appendix
href: mcc-enterprise-appendix.md
href: mcc-ent-prerequisites.md
- name: How-to guides
items:
- name: Create MCC resource and cache node
href: mcc-ent-create-resource-and-cache.md
- name: Configure, provision and deploy cache node
items:
- name: Deploy MCC to Linux
href: mcc-ent-deploy-to-linux.md
- name: Deploy MCC to Windows
href: mcc-ent-deploy-to-windows.md
- name: Using CLI to create and manage cache nodes
href: mcc-ent-manage-cache-using-cli.md
- name: Verify cache node functionality
href: mcc-ent-verify-cache-node.md
- name: Monitor cache node
href: mcc-ent-monitoring.md
- name: Update MCC
href: mcc-ent-update-cache-node.md
- name: Uninstall cache node
href: mcc-ent-uninstall-cache-node.md
- name: Resources
items:
- name: Frequent Asked Questions
href: mcc-ent-faq.yml
- name: Support and troubleshooting
href: mcc-ent-support-and-troubleshooting.md
- name: MCC for Enterprise and Education (early preview)
href: mcc-ent-private-preview.md
- name: Release notes
href: mcc-ent-release-notes.md
- name: MCC for ISPs
items:
- name: MCC for ISPs Overview

1
windows/deployment/do/delivery-optimization-endpoints.md
View File

@ -32,6 +32,7 @@ Use the table below to reference any particular content types or services endpoi
| *.officecdn.microsoft.com.edgesuite.net, *.officecdn.microsoft.com, *.cdn.office.net | HTTP / 80 | Office CDN updates | [Complete list](/office365/enterprise/office-365-endpoints) of endpoints for Office CDN updates. | Both |
| *.manage.microsoft.com, *.swda01.manage.microsoft.com, *.swda02.manage.microsoft.com, *.swdb01.manage.microsoft.com, *.swdb02.manage.microsoft.com, *.swdc01.manage.microsoft.com, *.swdc02.manage.microsoft.com, *.swdd01.manage.microsoft.com, *.swdd02.manage.microsoft.com, *.swda01-mscdn.manage.microsoft.com, *.swda02-mscdn.manage.microsoft.com, *.swdb01-mscdn.manage.microsoft.com, *.swdb02-mscdn.manage.microsoft.com, *.swdc01-mscdn.manage.microsoft.com, *.swdc02-mscdn.manage.microsoft.com, *.swdd01-mscdn.manage.microsoft.com, *.swdd02-mscdn.manage.microsoft.com | HTTP / 80 </br> HTTPs / 443 | Intune Win32 Apps | [Complete list](/mem/intune/fundamentals/intune-endpoints) of endpoints for Intune Win32 Apps updates. | Both |
| *.statics.teams.cdn.office.net | HTTP / 80 </br> HTTPs / 443 | Teams | Future support is planned for peering and Connected Cache | TBD |
| *.res.cdn.office.net | HTTP / 80 </br> HTTPs / 443 | Outlook | Future support is planned for peering and Connected Cache | TBD |
| *.assets1.xboxlive.com, *.assets2.xboxlive.com, *.dlassets.xboxlive.com, *.dlassets2.xboxlive.com, *.d1.xboxlive.com, *.d2.xboxlive.com, *.assets.xbox.com, *.xbl-dlassets-origin.xboxlive.com, *.assets-origin.xboxlive.com, *.xvcb1.xboxlive.com, *.xvcb2.xboxlive.com, *.xvcf1.xboxlive.com, *.xvcf2.xboxlive.com | HTTP / 80 | Xbox | | Both |
| *.tlu.dl.adu.microsoft.com, *.nlu.dl.adu.microsoft.com, *.dcsfe.prod.adu.microsoft.com | HTTP / 80 | Device Update | [Complete list](/azure/iot-hub-device-update/) of endpoints for Device Update updates. | Both |
| *.do.dsp.mp.microsoft.com | HTTP / 80 </br> HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../do/waas-delivery-optimization-faq.yml) of endpoints for Delivery Optimization only. | Connected Cache Managed in Azure |

BIN
windows/deployment/do/images/mcc_ent_publicpreview.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 257 KiB

266
windows/deployment/do/mcc-ent-create-resource-and-cache.md Normal file
View File

@ -0,0 +1,266 @@
---
title: Create and configure MCC cache nodes
description: Details on how to create and configure Microsoft Connected Cache for Enterprise and Education (MCC) cache nodes.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
manager: naengler
ms.author: nidos
author: doshnid
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ Supported Linux distributions
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise</a>
ms.date: 06/03/2024
---
# Create Microsoft Connected Cache Azure resource and cache nodes
This article outlines how to create and configure your Microsoft Connected Cache for Enterprise and Education (MCC) cache nodes. The creation and configuration of your cache node takes place in Azure. The deployment of your cache node requires downloading and running an OS-specific provisioning package on your host machine.
## Prerequisites
1. **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a free-of-charge service hosted in Azure. You'll need a pay-as-you-go Azure subscription in order to onboard to our service. To create a subscription, go to [pay-as-you-go subscription page](https://azure.microsoft.com/offers/ms-azr-0003p/).
2. **Hardware to host MCC**: The recommended configuration serves approximately 35,000 managed devices, downloading a 2-GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
For more information on sizing and OS requirements, see [the prerequisites for using MCC](mcc-ent-prerequisites.md).
## Create MCC Azure resource
# [Azure portal](#tab/portal)
1. In the [Azure portal](https://portal.azure.com), select **Create a Resource** and search for "Microsoft Connected Cache for Enterprise and Education".
<!--
:::image type="content" source="images/mcc-isp-provision-cache-node-numbered.png" alt-text="Screenshot of the Azure portal depicting the cache node configuration page of a cache node. This screenshot shows all of the fields you can choose to configure the cache node." lightbox="./images/mcc-isp-provision-cache-node-numbered.png":::
-->
1. Select the Microsoft Connected Cache for Enterprise resource. When prompted, choose the subscription, resource group, and location for the resource. Then enter a name for the resource and select Review + Create.
1. After a few moments, you'll see a "Validation successful" message, indicating you can move onto the next step and select Create.
1. The creation of the resource might take a few minutes. After a successful creation, you'll see a Deployment complete page as below. Select Go to resource to create cache nodes.
# [Azure CLI](#tab/cli)
### Prerequisites
* An Azure CLI environment:
* Use the Bash environment in [Azure Cloud Shell](/azure/cloud-shell/get-started/classic).
* Or, if you prefer to run CLI reference commands locally, [install the Azure CLI](/cli/azure/install-azure-cli)
* Sign in to the Azure CLI by using the [az login](/cli/azure/reference-index#az-login) command.
* Run [az version](/cli/azure/reference-index#az-version) to find the version and dependent libraries that are installed. To upgrade to the latest version, run [az upgrade](/cli/azure/reference-index#az-upgrade).
* Install Azure CLI extension **mcc** by following the instructions [here](/cli/azure/azure-cli-extensions-overview#how-to-install-extensions).
* Resource group under which an MCC resource can be created. Use the [az group create](/cli/azure/group#az-group-create) command to create a new Resource group if you don't already have one.
#### Create MCC Azure resource
Replace the following placeholders with your own information:
* *\<resource-group>*: An existing resource group in your subscription.
* *\<mcc-resource-name>*: A name for your Microsoft Connected Cache for Enterprise resource.
* *\<location>*: The Azure region where your Microsoft Connected Cache will be located.
```azurecli-interactive
az mcc ent resource create --mcc-resource-name <mymccresource> --resource-group <myrg> --location <region>
```
---
## Create MCC cache node
# [Azure portal](#tab/portal)
1. Open Azure portal and navigate to the Microsoft Connected Cache for Enterprise resource that you created.<br>
1. Under Cache Node Management, select on Cache Nodes and then on + Create Cache Node.<br>
1. Provide a name for your cache node and select the host OS you plan to deploy the cache node on and select create. Note, cache node names have to be unique under the Microsoft Connected Cache resource.
<!--
:::image type="content" source="images/mcc-isp-provision-cache-node-numbered.png" alt-text="Screenshot of the Azure portal depicting the cache node configuration page of a cache node. This screenshot shows all of the fields you can choose to configure the cache node." lightbox="./images/mcc-isp-provision-cache-node-numbered.png":::
-->
The creation of cache node might take a few minutes. Select Refresh to see your recently created cache node.
Once the cache node state changes to **Not Configured**, you can now configure your cache node.<br>
To know more about different cache node state, see [Cache node states](#cache-node-states).
# [Azure CLI](#tab/cli)
Use the following command to create a new cache node if you don't already have one.
Replace the following placeholders with your own information:
* *\<resource-group>*: An existing resource group in your subscription.
* *\<mcc-resource-name>*: A name for your Microsoft Connected Cache for Enterprise resource.
* *\<cache-node-name>*: The Azure region where your Microsoft Connected Cache will be located.
* *\<host-os>*: The OS on which cache node will be provisioned.
Accepted values: windows, linux
```azurecli-interactive
az mcc ent node create --cache-node-name <mycachenode> --mcc-resource-name <mymccresource> --resource-group <myrg> --host-os <linux>
```
<br>
>[!NOTE]
>To ensure cache node has been created successfully, please run the following command before continuing with cache node configuration.
>```azurecli-interactive
>az mcc ent node show --cache-node-name <mycachenode> --mcc-resource-name <mymccresource> --resource-group <myrg>
>```
>In the output look for cacheNodeState. If ***cacheNodeState = Not Configured***, you can continue with cache node configuration.
>If ***cacheNodeState = Registration in Progress***, then the cache node is still in process of being created. Please wait for a minute or two more and run the command again.
>To know more about different cache node state, see [Cache node states](#cache-node-states).
---
## Configure MCC cache node
# [Azure portal](#tab/portal)
Enter required values to configure your cache node. To learn more about the definitions of each field, review the [Configuration](#general-configuration-fields) fields at the bottom of this article.
Don't forget to select save after adding configuration information.
# [Azure CLI](#tab/cli)
### Configure Linux MCC
Use the following command to configure cache node for deployment to a **Linux** host machine.
Replace the following placeholders with your own information:
* *\<resource-group>*: An existing resource group in your subscription.
* *\<mcc-resource-name>*: A name for your Microsoft Connected Cache for Enterprise resource.
* *\<cache-node-name>*: The Azure region where your Microsoft Connected Cache will be located.
* *\<physical-path>*: The cache drive path. You can add upto nine cache drives.
* *\<size-in-gb>*: The size of cache drive. Must be at least 50 Gb.
* *\<proxy>*: If proxy needs to be enabled or not.<br>
Accepted values: enabled, disabled<br>
Proxy should be set to enabled if the cache node will need to pass through a network proxy to download content. The provided proxy will also be used during deployment of the MCC cache node to your host machine.
* *\<proxy-host>*: The proxy host name or ip address. Required if proxy is set to enabled.
* *\<proxy-port>*: Proxy port number. Required if proxy is set to enabled.
* *\<auto-update-ring>*: Update ring the cache node should have.<br>
Accepted values: slow, fast.<br>
If update ring is set to slow, you must provide the day of week, time of day and week of month the cache node should be updated.
* *\<auto-update-day>*: The day of the week cache node should be updated. Week starts from Monday.<br>
Accepted values: 1,2,3,4,5,6,7
* *\<auto-update-time>*: The time of day cache node should be updated in 24 hour format (hh:mm)
* *\<auto-update-week>*: The week of month cache node should be updated.<br>
Accepted values: 1,2,3,4
```azurecli-interactive
az mcc ent node update --cache-node-name <mycachenode> --mcc-resource-name <mymccresource> --resource-group <myrg>
--cache-drive "[{physical-path:</physical/path>,size-in-gb:<size of cache drive>},{</physical/path>,size-in-gb:<size of cache drive>}...]"> --proxy <enabled> --proxy-host <"proxy host name"> --proxy-port <proxy port> --auto-update-day <day of week> --auto-update-time <time of day> --auto-update-week <week of month> --auto-update-ring <update ring>
```
<br>
<br>
### Configure Windows MCC
Use the following command to configure cache node for deployment to a **Windows** host machine.
Replace the following placeholders with your own information:
* *\<resource-group>*: An existing resource group in your subscription.
* *\<mcc-resource-name>*: A name for your Microsoft Connected Cache for Enterprise resource.
* *\<cache-node-name>*: The Azure region where your Microsoft Connected Cache will be located.
* *\<physical-path>*: The cache drive path.<br>
Accepted value: /var/mcc
* *\<size-in-gb>*: The size of cache drive. Must be at least 50 Gb.
* *\<proxy>*: If proxy needs to be enabled or not.<br>
Accepted values: enabled, disabled<br>
Proxy should be set to enabled if the cache node will need to pass through a network proxy to download content. The provided proxy will also be used during deployment of the MCC cache node to your host machine.
* *\<proxy-host>*: The proxy host name or ip address. Required if proxy is set to enabled.
* *\<proxy-port>*: Proxy port number. Required if proxy is set to enabled.
* *\<auto-update-ring>*: Update ring the cache node should have.<br>
Accepted values: slow, fast.<br>
If update ring is set to slow, you must provide the day of week, time of day and week of month the cache node should be updated.
* *\<auto-update-day>*: The day of the week cache node should be updated. Week starts from Monday.<br>
Accepted values: 1,2,3,4,5,6,7
* *\<auto-update-time>*: The time of day cache node should be updated in 24 hour format (hh:mm)
* *\<auto-update-week>*: The week of month cache node should be updated.<br>
Accepted values: 1,2,3,4
```azurecli-interactive
az mcc ent node update --cache-node-name <mycachenode> --mcc-resource-name <mymccresource> --resource-group <myrg>
--cache-drive "[{physical-path:/var/mcc,size-in-gb:<size of cache drive>}]" --proxy <enabled> --proxy-host <"proxy host name"> --proxy-port <proxy port> --auto-update-day <day of week> --auto-update-time <time of day> --auto-update-week <week of month> --auto-update-ring <update ring>
```
---
## Next step
### [Azure portal](#tab/portal)
To deploy the cache node to a **Windows** host machine, see
>[!div class="nextstepaction"]
>[Deploy cache node to Windows](mcc-ent-deploy-to-windows.md)
To deploy the cache node to a **Linux** host machine, see
>[!div class="nextstepaction"]
>[Deploy cache node to Linux](mcc-ent-deploy-to-linux.md)
### [Azure CLI](#tab/cli)
To deploy cache nodes using Azure CLI, see
>[!div class="nextstepaction"]
>[Manage cache nodes using CLI](mcc-ent-manage-cache-using-CLI.md)
---
<br>
<br>
### General configuration fields
| Field Name |Expected Value |Description|
|---|---|---|
|**Cache node name** | Alphanumeric string that contains no spaces| The name of the cache node. You may choose names based on location such as "Seattle-1". This name must be unique and can't be changed later |
|**Host OS** | Linux or Windows| This is the operating system of the host machine that the cache node will be deployed to.|
### Storage fields
##### Cache node for Linux
>[!Important]
>All cache drives must have full read/write permissions set or the cache node will not function. For example, in a terminal you can run: sudo chmod 777 /path/to/cachedrivefolder
<br>
| Field Name |Expected Value |Description|
|---|---|---|
|**Cache drive folder**| File path string |Up to nine drive folders accessible by the cache node can be configured for each cache node to configure cache storage. Enter the location of the folder in Ubuntu where the external physical drive is mounted. For example: /dev/sda3/. Each cache drive should have read/write permissions configured. Ensure your disks are mounted and visit Attach a data disk to a Linux VM for more information.|
|**Cache drive size in gigabytes**| Integer in GB| Set the size of each drive configured for the cache node. Minimum cache drive size is 50 GB.|
##### Cache node for Windows
| Field Name |Expected Value |Description|
|---|---|---|
|**Cache drive folder**| File path string /var/mcc| This is the folder path where content is cached. You can't change the folder path.|
|**Cache drive size in gigabytes**| Integer in GB| Set the size of each drive configured for the cache node. Minimum cache drive size is 50 GB. |
#### Proxy settings
<br>
You can choose to enable or disable proxy settings on your cache node. Proxy should be set to enabled if the cache node will need to pass through a network proxy to download content. The provided proxy will also be used during deployment of the MCC cache node to your host machine.
<br>
>[!IMPORTANT]
>Enabling or disabling the proxy settings after your cache node has been deployed will require running the provisioning script on the host machine again. This will ensure that proxy changes are in effect on the cache node.
| Field Name |Expected Value |Description|
|---|---|---|
|**Proxy host name**| String or number| Proxy host name or address|
|**Proxy port**| Integer| Proxy port
<br>
##### Cache node states
| Cache node state |Description|
|---|---|
|Creation in progress| Cache node is being created|
|Registration in progress| Cache node is being registered|
|Not configured| Cache node is ready to be configured|
|Not provisioned| Cache node is ready to be provisioned on host machine|
|Healthy| Cache node phoning home|
|Unhealthy| Cache node has stopped phoning home|
|Never phoned home| Cache node has provisioned but has never phoned home|

60
windows/deployment/do/mcc-ent-deploy-to-linux.md Normal file
View File

@ -0,0 +1,60 @@
---
title: Deploy MCC cache software to a Linux host machine
description: Details on how to deploy Microsoft Connected Cache for Enterprise and Education (MCC) cache software to a Linux host machine.
author: chrisjlin
ms.author: lichris
manager: naengler
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
ms.date: 09/27/2024
appliesto:
- ✅ Supported Linux distributions
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>
---
# Deploy Microsoft Connected Cache caching software to a Linux host machine
This article describes how to deploy Microsoft Connected Cache for Enterprise and Education (MCC) caching software to a Linux host machine.
Before deploying MCC to a Linux host machine, ensure that the host machine meets all [requirements](mcc-ent-prerequisites.md), and that you have [created and configured your MCC Azure resource and cache node](mcc-ent-create-resource-and-cache.md).
## Steps to deploy MCC cache node to Linux
# [Azure portal](#tab/portal)
1. Within the Azure portal, navigate to the "Provisioning" tab of your cache node and copy the provisioning command.
1. Download the provisioning package using the button at the top of the Cache Node Configuration page and extract the package onto the host machine.
1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package.
1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute.
1. Run the provisioning command on the host machine.
# [Azure CLI](#tab/cli)
To deploy a cache node programmatically, you'll need to use Azure CLI to get the cache node's provisioning details and then run the provisioning command on the host machine.
1. To get the cache node's provisioning details, use `az mcc ent node get-provisioning-details`
```azurecli-interactive
az mcc ent node get-provisioning-details --cache-node-name mycachenode --mcc-resource-name mymccresource --resource-group myrg
```
1. Save the resulting output. These values will be passed as parameters within the provisioning command.
1. Download and extract the [MCC provisioning package for Linux](https://aka.ms/MCC-Ent-InstallScript-Linux) to your host machine.
1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package.
1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute.
1. Replace the values in the following provisioning command before running it on the host machine.
```azurepowershell-interactive
sudo ./provisionmcc.sh customerid="enter mccResourceId here" cachenodeid=" enter cacheNodeId here " customerkey=" enter customerKey here " registrationkey="enter registrationKey here" drivepathandsizeingb="enter physicalPath value,enter sizeInGb value here" shoulduseproxy="enter true if present, enter false if not" proxyurl=http://enter proxy hostname:enter port
```
## Next step
> [!div class="nextstepaction"]
> [Verify cache node functionality](mcc-ent-verify-cache-node.md)
## Related content
- [Deploy to a Windows host machine](mcc-ent-deploy-to-windows.md)
- [Uninstall MCC](mcc-ent-uninstall-cache-node.md)

70
windows/deployment/do/mcc-ent-deploy-to-windows.md Normal file
View File

@ -0,0 +1,70 @@
---
title: Deploy MCC cache software to a Windows host machine
description: Details on how to deploy Microsoft Connected Cache for Enterprise and Education (MCC) cache software to a Windows host machine.
author: chrisjlin
ms.author: lichris
manager: naengler
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
ms.date: 09/27/2024
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>
---
# Deploy Microsoft Connected Cache caching software to a Windows host machine
This article describes how to deploy Microsoft Connected Cache for Enterprise and Education (MCC) caching software to a Windows host machine.
Deploying MCC to a Windows host machine requires designating a [Group Managed Service Account (gMSA)](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts) or a [Local User Account](https://support.microsoft.com/windows/create-a-local-user-or-administrator-account-in-windows-20de74e0-ac7f-3502-a866-32915af2a34d) as the MCC runtime account. This prevents tampering with the MCC container and the cached content on the host machine.
Before deploying MCC to a Windows host machine, ensure that the host machine meets all [requirements](mcc-ent-prerequisites.md), and that you have [created and configured your MCC Azure resource](mcc-ent-create-resource-and-cache.md).
## Steps to deploy MCC cache node to Windows
# [Azure portal](#tab/portal)
1. Within the Azure portal, navigate to the "Provisioning" tab of your cache node and copy the provisioning command.
1. Download the provisioning package using the button at the top of the Cache Node Configuration page and extract the package onto the host machine.
1. Open a PowerShell window *as administrator* on the host machine, then change directory to the extracted provisioning package.
1. Set the Execution Policy to "Unrestricted" to allow the provisioning scripts to run.
1. Create a `$User` environment variable containing the username of the account you intend to designate as the MCC runtime account. For gMSAs, the value should be formatted as `"Domain\Username$"`. For Local User accounts, `$User` should be formatted as `"LocalMachineName\Username"`.
If you're using a Local User account as the MCC runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`.
1. Run the provisioning command on the host machine.
# [Azure CLI](#tab/cli)
To deploy a cache node programmatically, you'll need to use Azure CLI to get the cache node's provisioning details and then run the provisioning command on the host machine.
1. To get the cache node's provisioning details, use `az mcc ent node get-provisioning-details`.
```azurecli-interactive
az mcc ent node get-provisioning-details --cache-node-name mycachenode --mcc-resource-name mymccresource --resource-group myrg
```
1. Save the resulting output. These values will be passed as parameters within the provisioning command.
1. Download and extract the [MCC provisioning package for Windows](https://aka.ms/MCC-Ent-InstallScript-WSL) to your host machine.
1. Open a PowerShell window *as administrator* on the host machine, then change directory to the extracted provisioning package.
1. Set the Execution Policy to "Unrestricted" to allow the provisioning scripts to run.
1. Create a `$User` environment variable containing the username of the account you intend to designate as the MCC runtime account. For gMSAs, the value should be formatted as `"Domain\Username$"`. For Local User accounts, `$User` should be formatted as `"LocalMachineName\Username"`.
If you're using a Local User account as the MCC runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`.
1. Replace the values in the following provisioning command before running it on the host machine. Note that `-mccLocalAccountCredential $myLocalAccountCredential` is only needed if you are using a Local User account as the MCC runtime account.
```powershell-interactive
./provisionmcconwsl.ps1 -installationFolder c:\mccwsl01 -customerid [enter mccResourceId here] -cachenodeid [enter cacheNodeId here] -customerkey [enter customerKey here] -registrationkey [enter registration key] -cacheDrives "/var/mcc,enter drive size" -shouldUseProxy [enter true if present, enter false if not] -proxyurl "http://[enter proxy host name]:[enter port]" -mccRunTimeAccount $User -mccLocalAccountCredential $myLocalAccountCredential
```
## Next step
> [!div class="nextstepaction"]
> [Verify cache node functionality](mcc-ent-verify-cache-node.md)
## Related content
- [Deploy to a Linux host machine](mcc-ent-deploy-to-linux.md)
- [Uninstall MCC](mcc-ent-uninstall-cache-node.md)

92
windows/deployment/do/mcc-ent-edu-overview.md
View File

@ -1,6 +1,6 @@
---
title: MCC for Enterprise and Education Overview
description: Overview, supported scenarios, and content types for Microsoft Connected Cache (MCC) for Enterprise and Education.
title: MCC Overview
description: Overview, supported scenarios, and content types for Microsoft Connected Cache for Enterprise and Education (MCC).
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
@ -13,61 +13,83 @@ appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>
ms.date: 05/23/2024
ms.date: 05/09/2023
---
# Microsoft Connected Cache for Enterprise and Education Overview
> [!IMPORTANT]
>
> - Microsoft Connected Cache is currently a preview feature. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
> - As we near the release of public preview, we have paused onboarding. Please continue to submit the form to express interest so we can follow up with you once public preview of Microsoft Connected Cache for Enteprise and Education is available. To register your interest, fill out the form located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
Microsoft Connected Cache (MCC) for Enterprise and Education (preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be managed from an Azure portal or through Azure CLI and can be deployed to as many Windows devices, Linux devices, or VMs as needed. Managed Windows devices can be configured to download cloud content from a Connected Cache server by applying the client policy using management tools such as Intune.<br>
Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a standalone cache for customers moving towards modern management and away from Configuration Manager distribution points. For information about Microsoft Connected Cache in Configuration Manager (generally available, starting Configuration Manager version 2111), see [Microsoft Connected Cache in Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache).
Microsoft Connected Cache (MCC) for Enterprise and Education (preview) is a standalone cache for customers moving towards modern management and away from Configuration Manager distribution points. For information about Microsoft Connected Cache in Configuration Manager (generally available, starting Configuration Manager version 2111), see [Microsoft Connected Cache in Configuration Manager](/configmgr/core/plan-design/hierarchy/microsoft-connected-cache).
## Supported scenarios
Microsoft Connected Cache deployed directly to Windows relies on [Windows Subsystem for Linux] (windows/wsl/about) and either a [Group Managed Service Account](/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/getting-started-with-group-managed-service-accounts), local user account, or domain user account are required to run WSL. WSL needs to run in a user context and any user, even if the currently logged-in user, could be used to run WSL and Microsoft Connected Cache.<br>
Connected Cache (early preview) supports the following scenarios:
### Supported scenarios and deployments
- Pre-provisioning of devices using Windows Autopilot
- Cloud-only devices, such as Intune-enrolled devices
Microsoft Connected Cache for Enterprise and Education (preview) is intended to support the following content delivery scenarios:<br>
* Pre-provisioning of devices using Windows Autopilot<br>
* Co-managed clients that get monthly update and Win32 apps from Microsoft Intune. For more information, see Support for Intune Win32 apps.<br>
* Cloud-only managed devices, such as Intune-enrolled devices without the Configuration Manager client, that get monthly update and Win32 apps from Microsoft Intune. For more information, see Support for cloud-managed devices.<br>
## Supported content types
Microsoft Connected Cache is built for flexible deployments to support a number of enterprise configurations:
##### Branch office
Customers may have globally dispersed offices that meet the following parameters:
* 10 50 Windows Clients
* No dedicated server hardware
* Internet bandwidth is great to limited (satellite internet)
* Possibly intermittent connectivity
<br>
To support the branch the branch office scenario, customers can deploy to a Windows 11 client (see Host machine requirements) device.
##### Large Enterprise
Customers may have office spaces, data centers, or Azure deployments that meet the following parameters:
* 100's or 1,000's of Windows devices (client or server).
* Existing hardware Decommissioned DP, file server, cloud print server
* Azure VMs and Azure Virtual Desktop
* Internet bandwidth is great to limited (T1)
### Supported content types
When clients download cloud-managed content, they use Delivery Optimization from the cache server installed on a Windows server or VM. Cloud-managed content includes the following types:
* Windows updates: Windows feature and quality updates
* Office Click-to-Run apps: Microsoft 365 Apps and updates
* Client apps: Intune, store apps, and updates
* Endpoint protection: Windows Defender definition updates
- Windows updates: Windows feature and quality updates
- Office Click-to-Run apps: Microsoft 365 Apps and updates
- Client apps: Intune, store apps, and updates
- Endpoint protection: Windows Defender definition updates
For the full list of content endpoints that Microsoft Connected Cache for Enterprise and Education supports, see [Microsoft Connected Cache content and services endpoints](delivery-optimization-endpoints.md).<br>
For the full list of content endpoints that Microsoft Connected Cache for Enterprise and Education supports, see [Microsoft Connected Cache content and services endpoints](delivery-optimization-endpoints.md).
### Hardware or VM Requirements
See [Host machine requirements](mcc-ent-prerequisites.md) for complete details.
|Deployment Scenarios| Download Speed Range | Download Speeds and Content Volume Delivered in 8 Hours | VM/Hardware Recommendation |
|---|---|---|---|
|Branch Office|< 1 Gbps Peak| 500 Mbps - 1,800 GB </br></br> 250 Mbps - 900 GB </br></br> 100 Mbps - 360 GB </br></br> 50 Mbps - 180 GB| 4 Cores </br></br> Up to 8 GB Memory with 4 GB of Free </br></br> 100 GB free disk space|
|Small to Medium Enterprises/Autopilot Provisioning Center - 50 - 500 devices in a single location|1 - 5 Gbps| 5 Gbps - 18,000 GB </br></br>3 Gbps - 10,800 GB </br></br>1 Gbps - 3,600 GB| 8 Cores </br></br> Up to 16 GB Memory with 4 GB of Free </br></br> 500 GB free disk space|
|Medium to Large Enterprises/Autopilot Provisioning Center - 500 - 5,000 devices|5 - 101 Gbps Peak| 9 Gbps - 32,400 GB </br></br> 5 Gbps - 18,000 GB </br></br>3 Gbps - 10,800 GB| 16 Cores</br></br> 32 GB Memory with 4 GB of Free </br></br> 2 200-500 GB SSDs|
<br>
## How it works
MCC is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It's built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC is a Linux IoT Edge module running on the Windows Host OS.
The following diagram displays an overview of how MCC functions:<br>
1. The Azure Management Portal is used to create MCC nodes.
1. The MCC container is deployed and provisioned to the server using the installer provided in the portal.
1. Client policy is set in your management solution to point to the IP address or FQDN of the cache server.
1. Microsoft end-user devices make range requests for content from the MCC node.
1. The MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
1. Subsequent requests from end-user devices for content will now come from cache.
1. If the MCC node is unavailable, the client pulls content from CDN to ensure uninterrupted service for your subscribers.
:::image type="content" source="./images/mcc_ent_publicpreview.png" alt-text="Diagram displaying the components of MCC." lightbox="./images/mcc_ent_publicpreview.png":::
The following diagram displays an overview of how MCC functions:
:::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of MCC." lightbox="./images/waas-mcc-diag-overview.png":::
1. The Azure management portal for Microsoft Connected Cache or CLI are used to create cache nodes, configure deployments, including unauthenticated proxy settings.
1. Prepare Windows or Linux devices. If deploying to Windows devices, prepare accounts - gMSA, local user account, domain account. Deploy to Windows or Linux devices using scripts.
1. The Microsoft Connected Cache container is deployed to the device using Azure IoT Edge container management services and the cache server begins reporting status and metrics to Delivery Optimization services.
1. The DOCacheHost setting is configured using Intune or other MDM, DHCP custom option, or registry key.
1. Devices request content from the cache server, the cache server forwards the requests to the CDN and fills the cache, the cache server delivers the content requested to the devices, and uses Peer to Peer (depending on DO Download mode settings) for all DO content.
1. Devices can fallback to CDN if cache server is unavailable for any reason or use Delivery Optimization delay fallback to http (CDN )settings to prefer the local cache server.
Customers can view data regarding Microsoft Connected Cache downloads on management portal and Windows Update for Business reports
## IoT Edge
Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device:
## Next step
1. Installs and updates MCC on your edge device.
1. Maintains Azure IoT Edge security standards on your edge device.
1. Ensures that MCC is always running.
1. Reports MCC health and usage to the cloud for remote monitoring.
For more information on Azure IoT Edge, see the Azure IoT Edge [documentation](/azure/iot-edge/about-iot-edge).
>[!div class="nextstepaction"]
>[Create MCC Azure resources](mcc-ent-create-resource-and-cache.md)

72
windows/deployment/do/mcc-ent-faq.yml Normal file
View File

@ -0,0 +1,72 @@
### YamlMime:FAQ
metadata:
title: MCC Frequently Asked Questions
description: The following article is a list of frequently asked questions for Microsoft Connected Cache for Enterprise (MCC).
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: faq
ms.author: nidos
author: doshnid
ms.reviewer: mstewart
manager: aaroncz
ms.collection:
- highpri
- tier3
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 06/03/2024
title: Microsoft Connected Cache for Enterprise Frequently Asked Questions
summary: |
Frequently asked questions about Microsoft Connected Cache for Enterprise
sections:
- name: Ignored
questions:
- question: Is this product a free service?
answer: Yes. Microsoft Connected Cache is a free service.
- question: Is there a nondisclosure agreement to sign?
answer: No, a nondisclosure agreement isn't required.
- question: What are the prerequisites and hardware requirements?
answer: |
- [Azure pay-as-you-go subscription](https://azure.microsoft.com/offers/ms-azr-0003p/).
- [Hardware to host Microsoft Connected Cache](mcc-ent-edu-overview.md)
- [Host machine requirements](mcc-ent-prerequisites.md)
- question: What host OS do I need to deploy MCC?
answer: You can use Linux or Windows OS. Depending on the OS, the provisioning script and certain provisioning steps are different.
- question: What content is cached by Microsoft Connected Cache?
answer: For more information about content cached, see [Delivery Optimization and Microsoft Connected Cache content endpoints](delivery-optimization-endpoints.md).
- question: Do I need to provide hardware BareMetal server or a virtual machine (VM)?
answer: Microsoft Connected Cache is a software-only caching solution and requires you to provide your own server to host the software.
- question: Can we use hard drives instead of SSDs?
answer: We highly recommend using SSDs as Microsoft Connected Cache is a read intensive application. We also recommend using multiple drives to improve performance.
- question: Where should we install Microsoft Connected Cache?
answer: You are in control of your hardware and you can pick the location based on your traffic and end clients. You can choose the location where you have your routers or where you have dense traffic or any other parameters.
- question: How can I set up a gMSA account?
answer: For more information about gMSA accounts, see [Learn how to provision a Group Managed Service Account on a Domain Controller](/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/getting-started-with-group-managed-service-accounts#create-group-managed-service-accounts). Make sure that your gMSA has been granted permissions to "Log on as batch job" within the host machine's [local security policies](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings).
- question: How can I set up a local account?
answer: For more information, see [Learn how to provision a Local User Account](https://support.microsoft.com/topic/104dc19f-6430-4b49-6a2b-e4dbd1dcdf32). Make sure that your gMSA has been granted permissions to "Log on as batch job" within the host machine's [local security policies](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings).
- question: Where can I monitor cache node usage?
answer: You can monitor your cache node usage on Azure portal. For more information, see [Monitor cache node usage Info on Reporting Capabilities](mcc-ent-monitoring.md).
- question: Does Microsoft Connected Cache support Xbox or Microsoft Teams content?
answer: Currently, Microsoft Connected Cache doesn't support Xbox or Microsoft Teams content. However, supporting Xbox content is of high priority, and we expect this feature soon. We'll let you know as soon as it becomes available!
- question: How does Microsoft Connected Cache populate its content? Can I precache content?
answer: Microsoft Connected Cache is a cold cache warmed by client requests at the byte range level so your clients only request the content they need. The client requests content and that is what fills the cache which means there's no cache fill necessary. "Preseeding" can be achieved but use of update rings. A test ring or early adopter ring can be used to fill the cache and all subsequent requests by other clients will come from cache.
- question: How long would a piece of content live within the Microsoft Connected Cache? Is content purged from the cache?
answer: Once a request for said content is made, NGINX looks at the cache control headers from the original acquisition. If that content is expired, NGINX continues to serve the stale content while it's downloading the new content. We cache the content for 30 days. The content is in the hot cache path (open handles and such) for 24 hrs, but will reside on disk for 30 days. The drive fills up and nginx starts to delete content based on its own algorithm, probably some combination of least recently used.
- question: Is it possible to not update the Microsoft Connected Cache software or delay update longer than the timeline provided in the updates configuration?
answer: No. It's important to keep the Microsoft Connected Cache software up to date, especially when it comes to security issues. Microsoft validates updates prior to releasing Enterprises Connected Cache updates and will only release updates when it's necessary to keep customers secure or to ensure the continued successful operation of Connected Cache nodes for customers.
- question: How do I set up CLI?
answer: For more information, see [How to install the Azure CLI](/cli/azure/install-azure-cli).
- question: How do I install MCC extension?
answer: For more information, see [Install the Microsoft Connected Cache extension](mcc-ent-install-extension.md).
- question: What do I do if I have to set up or change existing proxy?
answer: You can enable proxy and provide proxy information on Azure portal or use the CLI. Don't forget to rerun the provisioning script after making any proxy changes. For more information, see [Set up or change existing proxy](mcc-ent-proxy.md).
- question: How do we set up Microsoft Connected Cache if we support multiple countries or regions?
answer: Microsoft Connected Cache isn't a service that has dependency on a specific Azure region, and there isn't personal or organizational identifiable information stored in the resource that necessitates data residency. The three regions that the Connected Cache resource can be deployed to are (Europe) North Europe, (Asia Pacific) Korea Central, and (US) West US.
- question: Should I use a gMSA, local user, or domain account to deploy Microsoft Connected Cache to Windows?
answer: There are pros and cons to the account options available to customers. We anticipate that security and manageability are top priories for customers. Microsoft provides guidance on both Active Directory and Microsoft Entra-based service accounts ([Introduction to Active Directory service accounts - Choose the right type of service account](/entra/architecture/service-accounts-on-premises#types-of-on-premises-service-accounts)) and user-based service accounts ([Secure user-based service accounts in Active Directory)](/entra/architecture/service-accounts-user-on-premises#assess-on-premises-user-account-security)).
- question: Does the user have to be logged using the account that installed Microsoft Connected Cache on Windows or Linux?
answer: No. As part of the installation on Windows a scheduled task is created using the account used to install Connected Cache. Regardless of which user is logged in or not logged in, the schedule task remains running. On Linux Connected Cache is installed by the user and remains running regardless of which user is logged in to the OS.
- question: What do I do if I need more support and have more questions even after reading this FAQ page?
answer: For further support for Microsoft Connected Cache, see [Troubleshooting issues for Microsoft Connected Cache for Enterprise and Education](mcc-ent-support-and-troubleshooting.md). If you still need more support, you can contact customer support.

209
windows/deployment/do/mcc-ent-manage-cache-using-cli.md Normal file
View File

@ -0,0 +1,209 @@
---
title: Manage MCC cache nodes using CLI
description: Details on how to manage Microsoft Connected Cache for Enterprise (MCC) cache nodes via Azure CLI commands.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
manager: aaroncz
ms.author: nidos
author: doshnid
ms.reviewer: mstewart
ms.collection: tier3
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise</a>
ms.date: 06/03/2024
---
# Manage cache nodes using CLI
<br>
This article outlines how to create, configure, and deploy Microsoft Connected Cache for Enterprise (MCC) cache nodes using Azure CLI.
## Prerequisites:
1. **Install Azure CLI**: [How to install the Azure CLI](/cli/azure/install-azure-cli)
1. **Install MCC extension**: Install MCC extension via the command below
```azurecli-interactive
az extension add --name mcc
```
To learn more about installting extensions, visit [Install the MCC extension.](/cli/azure/azure-cli-extensions-overview#how-to-install-extensions)
<br>
<br>
### 1. Create a Resource group
The first step is to create a resource group if you don't already have one.
An Azure resource group is a logical container into which Azure resources are deployed and managed.
To create a resource group, use `az group create`. You can find more details on this CLI command [here](/cli/azure/group#az-group-create).
<br>
```azurecli-interactive
az group create --name myrg --location westus
```
Once the resource group is created, you'll need to create a Microsoft Connected Cache for Enterprise resource.
### 2. Create an MCC Azure resource
An MCC Azure resource is a top-level Azure resource under which cache nodes can be created.
To create an MCC Azure resource, use `az mcc ent resource create`
```azurecli-interactive
az mcc ent resource create --mcc-resource-name mymccresource --resource-group myrg
```
<br>
>[!IMPORTANT]
>In the output, look for operationStatus. **operationStatus = Succeeded** indicates that our services have successfully started creating MCC resource.
<br>
The next step is to create a cache node under this resource.
### 3. Create a cache node
To create a cache node, use `az mcc ent node create`
```azurecli-interactive
az mcc ent node create --cache-node-name mycachenode --mcc-resource-name mymccresource --resource-group myrg --host-os <linux or windows>
```
<br>
>[!IMPORTANT]
>In the output, look for operationStatus. **operationStatus = Succeeded** indicates that our services have successfully started creating cache node.
<br>
### 4. Confirm cache node creation
Before you can start configuring your cache node, you need to confirm that the cache node was successfully created.
To confirm cache node creation, use `az mcc ent node show`
<br>
```azurecli-interactive
az mcc ent node show --cache-node-name mycachenode --mcc-resource-name mymccresource --resource-group myrg
```
>[!IMPORTANT]
>In the output look for cacheNodeState. If **cacheNodeState = Not Configured**, you can continue with cache node configuration.
>If **cacheNodeState = Registration in Progress**, then the cache node is still in process of being created. Please wait for a minute or two more and run the command again.
<br>
Once successful cache node creation is confirmed, you can proceed to configure the cache node.
### 5. Configure cache node
To configure your cache node, use `az mcc ent node update`
The below example configures a Linux cache node with proxy enabled:
```azurecli-interactive
az mcc ent node update --cache-node-name <mycachenode> --mcc-resource-name <mymccresource> --resource-group <myrg>
--cache-drive "[{physical-path:</physical/path>,size-in-gb:<size of cache drive>},{</physical/path>,size-in-gb:<size of cache drive>}...]"> --proxy <enabled> --proxy-host <"proxy host name"> --proxy-port <proxy port> --auto-update-day <day of week> --auto-update-time <time of day> --auto-update-week <week of month> --auto-update-ring <update ring>
```
>[!Note]
>* For a cache node that is to be deployed on Windows host OS, the physical path of the cache drive <u>must</u> be **/var/mcc**.<br>
>* In the output, look for operationStatus. **operationStatus = Succeeded** indicates that our services have successfully updated the cache node. You will also see that cacheNodeState will show "Not Provisioned". <br>
>* Please save values for <u>physicalPath, sizeInGb, proxyPort, proxyHostName</u> as these values will be needed to construct the provisioning script.
<br>
### 6. Get provisioning details for the cache node
After successfully configuring the cache node, the next step is to deploy the cache node to a host machine. To deploy the cache node, you'll need to create a provisioning script with relevant information.
To get the relevant information for provisioning script, use `az mcc ent node get-provisioning-details`
```azurecli-interactive
az mcc ent node get-provisioning-details --cache-node-name mycachenode --mcc-resource-name mymccresource --resource-group myrg
```
>[!IMPORTANT]
>* Save the resulting values for cacheNodeId, customerKey, mccResourceId, registrationKey. These GUIDs are needed to create the provisioning script.
>* In the output look for cacheNodeState. If **cacheNodeState = Not Provisioned**, you can continue with cache node provisioning.
>* If **cacheNodeState = Not Configured**, then the cache node has not been configured. Please configure the cache node before provisioning.
### Example script:
Below is a pseudocode example of how to script bulk creation and configuration of an MCC Azure resource and multiple MCC cache nodes.
<!--# [Bash](#tab/bash)
:::code language="azurecli" source="~/azure_cli_scripts/azure-cli/create-azure-resources-at-scale/bash/create-azure-resources-at-scale.sh" id="step4":::
In your console output, are you missing the last row in your CSV file? This can be caused by a missing line continuation character after the last line. Add a blank line at the end of your CSV file to fix the issue.
# [PowerShell](#tab/powershell)
:::code language="azurecli" source="~/azure_cli_scripts/azure-cli/create-azure-resources-at-scale/powershell/create-azure-resources-at-scale.ps1" id="step4":::
-->
# [PowerShell](#tab/powershell)
```powershell
#Define variables
$mccResourceName = "myMCCResource"
$cacheNodeName = "demo-node"
$cacheNodeOperatingSystem = "Windows"
$resourceGroup = "myRG"
$resourceLocation = "westus"
$cacheNodesToCreate = 2
$proxyHost = "myProxy.com"
$proxyPort = "8080"
$waitTime = 3
#Create MCC Az resource
az mcc ent resource create --mcc-resource-name $mccResourceName --location $resourceLocation --resource-group $resourceGroup
#Loop through $cacheNodesToCreate iterations
for ($cacheNodeNumber = 1; $cacheNodeNumber -le $cacheNodesToCreate; $cacheNodeNumber++) {
$iteratedCacheNodeName = $cacheNodeName + "-" + $cacheNodeNumber
#Create cache node
az mcc ent node create --cache-node-name $iteratedCacheNodeName --mcc-resource-name $mccResourceName --host-os $cacheNodeOperatingSystem --resource-group $resourceGroup
#Get cache node state
$cacheNodeState = $(az mcc ent node show --cache-node-name $iteratedCacheNodeName --mcc-resource-name $mccResourceName --resource-group $resourceGroup --query "cacheNodeState") | ConvertFrom-Json
$howLong = 0
#Wait until cache node state returns "Not Configured"
while ($cacheNodeState -ne "Not Configured") {
Write-Output "Waiting for cache node creation to complete...$howLong seconds"
Start-Sleep -Seconds $waitTime
$howLong += $waitTime
$cacheNodeState = $(az mcc ent node show --cache-node-name $iteratedCacheNodeName --mcc-resource-name $mccResourceName --resource-group $resourceGroup --query "cacheNodeState") | ConvertFrom-Json
}
#Configure cache node
az mcc ent node update --cache-node-name $iteratedCacheNodeName --mcc-resource-name $mccResourceName --resource-group $resourceGroup --cache-drive "[{physical-path:/var/mcc,size-in-gb:50}]" --proxy enabled --proxy-host $proxyHost --proxy-port $proxyPort
}
```
## Next step
To deploy the cache node to a **Windows** host machine, see
>[!div class="nextstepaction"]
>[Deploy cache node to Windows](mcc-ent-deploy-to-windows.md)
To deploy the cache node to a **Linux** host machine, see
>[!div class="nextstepaction"]
>[Deploy cache node to Linux](mcc-ent-deploy-to-linux.md)

61
windows/deployment/do/mcc-ent-monitoring.md Normal file
View File

@ -0,0 +1,61 @@
---
title: Monitor usage of MCC cache nodes
description: Details on how to monitor the usage of Microsoft Connected Cache for Enterprise (MCC) cache nodes.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
manager: naengler
ms.author: lichris
author: chrisjlin
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ Supported Linux distributions
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise</a>
ms.date: 09/04/2024
---
# Monitor Microsoft Connected Cache cache node usage
Tracking the status and performance of your MCC cache node is essential to making sure that you're getting the most out of the service.
<!-- Add standard metrics
Add scenarios for creating custom metrics -->
## Cache node summary
The Cache Node Summary box on your Azure portal
| Metric | Description |
| --- | --- |
| Healthy nodes | The MCC service will periodically request heartbeat messages from your MCC node to determine if it's functioning as expected. |
| Unhealthy nodes | If the cache node doesn't respond, it is labeled as unhealthy. |
| Max in | The maximum egress (in Mb/sec.) that your node has pulled in at any given time. This statistic isn't dependent on the time filter near the charts. |
| Max out | The minimum egress (in Mb/sec.) that your node has pushed out at any given time. |
| Average in | The average ingress (in Mb/sec.) that your node has pulled in over its lifetime. This statistic isn't dependent on the time filter near the charts. |
| Average out | The average egress (in Mb/sec.) that your node has pushed out over its lifetime. |
| Cache efficiency | The percentage of all requests that your MCC node receives that are ultimately delivered by your MCC node. An effective node is generally expected to have an efficiency >95%. |
## Charts
### Filters
- Will only filter the data shown in the two charts, scalable from 1 hour to 30 days
- Can view data by individual cache nodes or the average of all your active MCC nodes.
### Outbound traffic
- The egress (in Mb/sec) that your MCC node is pushing out at specific time intervals
### Volume by Content Type
- The volume of content that your MCC cache node is distributing, broken down by the hostname used to download said content
## Additional metrics
### Custom metrics
- Navigate to the "Metrics" tab in the left-hand toolbar
- Configure chart as desired using the provided metrics
<!-- ### Windows Update for Business (WUfB) reports -->

72
windows/deployment/do/mcc-ent-prerequisites.md Normal file
View File

@ -0,0 +1,72 @@
---
title: MCC prerequisites
description: Details of prerequisites and recommendations for using Microsoft Connected Cache for Enterprise and Education (MCC).
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.author: lichris
author: chrisjlin
manager: naengler
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>
ms.date: 09/27/2024
---
# Microsoft Connected Cache for Enterprise and Education Requirements
This article details the requirements and recommendations for using Microsoft Connected Cache for Enterprise and Education (MCC).
## Licensing requirements
- **Valid Azure subscription**: To use the Microsoft Connected Cache for Enterprise and Education (MCC) service, you'll need a valid Azure subscription that can be used to provision the necessary [Azure resources](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management).
If you don't have an Azure subscription already, you can create an Azure [pay-as-you-go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/).
The Azure resources used for MCC will be free to you during this public preview.
- **E3/E5 or A3/A5 license**: Your organization must have one of the following license subscriptions for each device that downloads content from an MCC cache node.
- [Windows Enterprise E3 or E5](/windows/whats-new/windows-licensing#windows-11-enterprise), included in [Microsoft 365 F3, E3, or E5](https://www.microsoft.com/microsoft-365/enterprise/microsoft365-plans-and-pricing?msockid=32c407b43d5968050f2b13443c746916)
- Windows Education A3 or A5, included in [Microsoft 365 A3 or A5](https://www.microsoft.com/education/products/microsoft-365?msockid=32c407b43d5968050f2b13443c746916#Education-plans)
## Cache node host machine requirements
### General requirements
- Any previous installations of MCC must be [uninstalled](mcc-ent-uninstall-cache-node.md) before installing the latest version of MCC.
- [These listed endpoints](delivery-optimization-endpoints.md) must be reachable by the host machine.
- The host machine must have no other services / applications utilizing port 80 (for example, ConfigManager or Distribution Point).
- The host machine must have at least 4 GB of free memory.
### Additional requirements for Windows host machines
- The Windows host machine must be using Windows 11 or Windows Server 2022 with the Latest Cumulative Update (LCU) applied.
- Windows 11 must have [OS Build 22631.3296](https://support.microsoft.com/topic/march-12-2024-kb5035853-os-builds-22621-3296-and-22631-3296-a69ac07f-e893-4d16-bbe1-554b7d9dd39b) or later
- Windows Server 2022 must have [OS Build 20348.2227](https://support.microsoft.com/topic/january-9-2024-kb5034129-os-build-20348-2227-6958a36f-efaf-4ef5-a576-c5931072a89a) or later
- The Windows host machine must support nested virtualization.
- The Windows host machine must have [WSL2 installed](/windows/wsl/install#install-wsl-command).
### Additional requirements for Linux host machines
- The Linux host machine must be using one of the following Operating Systems:
- Ubuntu 20.04
- Red Hat Enterprise Linux (RHEL) 8.* or 9.*
- If using RHEL, the default container engine (Podman) must be replaced with [Moby](https://github.com/moby/moby#readme)
### Networking recommendations for host machines
- Multiple network interface cards (NICs) on a single MCC instance aren't supported.
- 1 Gbps NIC is the minimum speed recommended but any NIC is supported.
- The NIC and BIOS should support SR-IOV for best performance.
### Host machine sizing recommendations
| Component | Branch Office / Small Enterprise | Large Enterprise |
| --- | --- | --- |
| OS| Windows Server 2022 <br> Windows 11 (Pro or Enterprise) | Same |
|NIC | 1 Gbps | 5 Gbps |
|Disk | SSD <br>1 drive <br>50 GB each |SSD <br>1 drive <br>200 GB each |
|Memory | 4 GB | 8 GB |
|Cores | 4 | 8 |

26
windows/deployment/do/mcc-ent-private-preview.md Normal file
View File

@ -0,0 +1,26 @@
---
title: MCC Private Preview
description: Details on Microsoft Connected Cache for Enterprise (MCC) Private Preview
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
manager: naengler
ms.author: lichris
author: chrisjlin
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise</a>
ms.date: 06/03/2024
---
# Microsoft Connected Cache for Enterprise and Education (MCC) Private Preview
If you participated in the MCC early preview, thank you for your collaboration and feedback.
To continue using MCC, we strongly recommend that you upgrade your existing cache nodes to the Public Preview release. Cache nodes created and deployed during early preview should still function but can no longer be managed or monitored remotely via the MCC Azure service.
As such, we strongly recommend you [recreate your existing resources in Azure](mcc-ent-create-resource-and-cache.md) and then [redeploy the MCC caching software to your host machines](mcc-ent-deploy-to-windows.md) using the latest OS-specific installer.
## Next step
> [!div class="nextstepaction"]
> [View documentation for MCC Public Preview](mcc-ent-edu-overview.md)

40
windows/deployment/do/mcc-ent-release-notes.md Normal file
View File

@ -0,0 +1,40 @@
---
title: MCC Release Notes
description: Release Notes for Microsoft Connected Cache for Enterprise and Education (MCC).
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.author: lichris
author: chrisjlin
manager: naengler
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ Supported Linux distributions
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>
ms.date: 09/27/2024
---
# Release Notes for Microsoft Connected Cache for Enterprise and Education (MCC)
This article contains details about the latest releases of MCC. Since MCC is a Preview service, some releases may contain breaking changes that will be highlighted as such.
## Release v0.1.0 (Public Preview launch)
- Released on **10/17/2024**
- Contains breaking changes
- Contains service changes
- Contains client changes
- Affects Linux, Windows host machines
### Changenotes
- Added new "Outbound egress" and "Volume by Content type" monitoring charts to Azure portal user interface
- Added ability to create custom monitoring charts under the Metrics tab in the Azure portal user interface
- Added support for creating both Windows-hosted and Linux-hosted cache nodes under the same MCC Azure resource
- Added Azure CLI support for programmatic creation and management of MCC Azure resources and cache nodes
- Added support for unauthenticated proxy and cloud proxy integration
- Added ability to set each cache node's Update Ring to govern cadence of MCC container updates
## Related content
- [Overview of MCC](mcc-ent-edu-overview.md)

73
windows/deployment/do/mcc-ent-support-and-troubleshooting.md Normal file
View File

@ -0,0 +1,73 @@
---
title: MCC support and troubleshooting
description: Details on how to troubleshoot and seek support for Microsoft Connected Cache for Enterprise (MCC).
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
manager: naengler
ms.author: lichris
author: chrisjlin
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ Supported Linux distributions
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise</a>
ms.date: 09/27/2024
---
# Troubleshoot Microsoft Connected Cache for Enterprise and Education (MCC)
This article contains instructions on how to troubleshoot different issues you may encounter while using MCC. These issues are categorized by the task in which they may be encountered. For example, this next section covers troubleshooting [MCC Azure resource creation](mcc-ent-create-resource-and-cache.md).
## Steps to obtain an Azure subscription ID
<!--Using include file, get-azure-subscription.md, do/mcc-isp.md for shared content-->
[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)]
## Troubleshooting Azure resource creation
MCC Azure resource creation can be initiated using either the Azure portal or the Azure CLI command set. If you're encountering an error during resource creation, check that you have the necessary RPaaS permissions and have filled out all required fields.
## Troubleshooting cache node issue
If you are facing issues with your cache node, it could be due to cache node being on the early preview version of MCC. Cache nodes belonging to early preview version will be under MCC resource that will have 'early preview' in its name. Please delete these cache nodes and associated MCC resource and create a new MCC resource on the new version.
For detailed instructions on creating MCC resource, see [Create MCC Azure resources](mcc-ent-create-resource-and-cache.md)
## Troubleshooting cache node deployment
TODO: Add introduction sentence(s)
[Include a sentence or two to explain only what is needed to complete the procedure.]
TODO: Add ordered list of procedure steps
1. Step 1
1. Step 2
1. Step 3
## Troubleshooting cache node monitoring
TODO: Add introduction sentence(s)
[Include a sentence or two to explain only what is needed to complete the procedure.]
TODO: Add ordered list of procedure steps
1. Step 1
1. Step 2
1. Step 3
<!-- 5. Next step/Related content------------------------------------------------------------------------
Optional: You have two options for manually curated links in this pattern: Next step and Related content. You don't have to use either, but don't use both.
- For Next step, provide one link to the next step in a sequence. Use the blue box format
- For Related content provide 1-3 links. Include some context so the customer can determine why they would click the link. Add a context sentence for the following links.
-->
## Diagnose and Solve
If this article isn't resolving the issue you're facing with your cache node, you can use the **Diagnose and solve problems** functionality within your MCC resource to continue troubleshooting. **Diagnose and solve problems** contains solutions to most common problems that users might face as they onboard.
You can find **Diagnose and solve problems** on the left pane within your MCC resource.
Within **Diagnose and solve problems**, select **Troubleshoot** under the type of problem you're facing and follow the prompts that narrow down the solution to the issue.
## Filing a support request
TODO: Add steps for filling out a CSS ticket.

Some files were not shown because too many files have changed in this diff Show More