Merge branch 'master' into nimishasatapathy-5556913-4171-4239-1023

This commit is contained in:
Thomas Raya 2022-01-18 11:32:31 -08:00 committed by GitHub
commit ef60b16724
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
110 changed files with 7877 additions and 1993 deletions

View File

@ -1,5 +1,20 @@
{ {
"redirections": [ "redirections": [
{
"source_path": "windows/client-management/mdm/browserfavorite-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-phone-8-1-end-of-support-faq-7f1ef0aa-0aaf-0747-3724-5c44456778a3",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-10-mobile-security-guide.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{ {
"source_path": "windows/client-management/mdm/windowssecurityauditing-ddf-file.md", "source_path": "windows/client-management/mdm/windowssecurityauditing-ddf-file.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
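Review bot: three new redirect entries are added here, but only the deletion of `windows/client-management/mdm/browserfavorite-csp.md` is visible in this commit view; confirm that `windows/security/threat-protection/windows-10-mobile-security-guide.md` and `windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md` are removed in the same change, since a redirect entry whose source file still exists conflicts with the live page and is flagged by redirection validation. `"redirect_document_id": false` is correct for these entries because the targets are external support.microsoft.com URLs rather than docs pages.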
@ -5157,7 +5172,7 @@
}, },
{ {
"source_path": "windows/device-security/windows-10-mobile-security-guide.md", "source_path": "windows/device-security/windows-10-mobile-security-guide.md",
"redirect_url": "/windows/security/threat-protection/windows-10-mobile-security-guide", "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
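Review bot: retargeting `windows/device-security/windows-10-mobile-security-guide.md` straight to the end-of-support FAQ is the right call: its previous target `/windows/security/threat-protection/windows-10-mobile-security-guide` is itself redirected to the FAQ in the first hunk, so keeping the old value would have produced a redirect chain. The same reasoning covers the three hunks that follow, which flatten the `keep-secure` to `access-protection` to `identity-protection` chain and the `keep-secure` to `device-security` chain down to a single hop each.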
@ -5462,7 +5477,7 @@
}, },
{ {
"source_path": "windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md", "source_path": "windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md",
"redirect_url": "/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile", "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -12072,7 +12087,7 @@
}, },
{ {
"source_path": "windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md", "source_path": "windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md",
"redirect_url": "/windows/access-protection/installing-digital-certificates-on-windows-10-mobile", "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -13562,7 +13577,7 @@
}, },
{ {
"source_path": "windows/keep-secure/windows-10-mobile-security-guide.md", "source_path": "windows/keep-secure/windows-10-mobile-security-guide.md",
"redirect_url": "/windows/device-security/windows-10-mobile-security-guide", "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {

View File

@ -9,7 +9,7 @@ ms.pagetype: devices
author: dansimp author: dansimp
ms.localizationpriority: medium ms.localizationpriority: medium
ms.author: dansimp ms.author: dansimp
ms.date: 09/14/2021 ms.date: 01/18/2022
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.topic: article ms.topic: article
@ -55,8 +55,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
``` ```
where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD. where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD.
This command only works for AADJ device users already added to any of the local groups (administrators). In order to execute this PowerShell command you be a member of the local Administrators group. Otherwise, you'll get an error like this example:
Otherwise this command throws the below error. For example:
- for cloud only user: "There is no such global user or group : *name*" - for cloud only user: "There is no such global user or group : *name*"
- for synced user: "There is no such global user or group : *name*" </br> - for synced user: "There is no such global user or group : *name*" </br>
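Review bot: the new sentence replacing `This command only works for AADJ device users ...` is missing a verb: `you be a member of the local Administrators group` should read `you must be a member of the local Administrators group`. The rewrite also changes the stated precondition from the target AADJ user already being in a local group to the caller holding local Administrator rights; the error quoted directly below, `There is no such global user or group : name`, is a lookup failure for the named account rather than an access-denied error, so please confirm that the original precondition was not the correct one before this is merged.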
@ -67,7 +66,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
- Adding users using policy - Adding users using policy
Starting in Windows 10, version 2004, you can add users or Azure AD groups to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
> [!TIP] > [!TIP]
> When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com. > When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com.
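Review bot: dropping `or Azure AD groups` from the Windows 10, version 2004 sentence leaves it pointing at an anchor named `manage-administrator-privileges-using-azure-ad-groups-preview`; if Azure AD groups are no longer supported for the Remote Desktop Users group, the link target should change as well, and if they are still supported, the words should stay.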

View File

@ -142,7 +142,7 @@ Allows you to set the default encryption method for each of the different drive
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
<ul> <ul>
<li>GP English name: <em>Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)</em></li> <li>GP Friendly name: <em>Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)</em></li>
<li>GP name: <em>EncryptionMethodWithXts_Name</em></li> <li>GP name: <em>EncryptionMethodWithXts_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption</em></li> <li>GP path: <em>Windows Components/BitLocker Drive Encryption</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
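Review bot: the rename from `GP English name` to `GP Friendly name` has to be applied to every other ADMX-mapped policy page in this folder in the same change, because the step list in the custom-policy guide (the later hunk that now reads `- GP Friendly name`) tells readers to look for that exact label in the policy description; any page still carrying `GP English name` will no longer match those instructions.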
@ -216,7 +216,7 @@ Allows you to associate unique organizational identifiers to a new drive that is
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
<ul> <ul>
<li>GP English name: <em>Provide the unique identifiers for your organization </em></li> <li>GP Friendly name: <em>Provide the unique identifiers for your organization </em></li>
<li>GP name: <em>IdentificationField_Name</em></li> <li>GP name: <em>IdentificationField_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption</em></li> <li>GP path: <em>Windows Components/BitLocker Drive Encryption</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -276,7 +276,7 @@ Allows users on devices that are compliant with InstantGo or the Microsoft Hardw
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
<ul> <ul>
<li>GP English name: <em>Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN</em></li> <li>GP Friendly name: <em>Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN</em></li>
<li>GP name: <em>EnablePreBootPinExceptionOnDECapableDevice_Name</em></li> <li>GP name: <em>EnablePreBootPinExceptionOnDECapableDevice_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li> <li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -318,7 +318,7 @@ Allows users to configure whether or not enhanced startup PINs are used with Bit
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
<ul> <ul>
<li>GP English name: <em>Allow enhanced PINs for startup</em></li> <li>GP Friendly name: <em>Allow enhanced PINs for startup</em></li>
<li>GP name: <em>EnhancedPIN_Name</em></li> <li>GP name: <em>EnhancedPIN_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li> <li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -363,7 +363,7 @@ Allows you to configure whether standard users are allowed to change BitLocker P
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
<ul> <ul>
<li>GP English name: <em>Disallow standard users from changing the PIN or password</em></li> <li>GP Friendly name: <em>Disallow standard users from changing the PIN or password</em></li>
<li>GP name: <em>DisallowStandardUsersCanChangePIN_Name</em></li> <li>GP name: <em>DisallowStandardUsersCanChangePIN_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li> <li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -408,7 +408,7 @@ Allows users to enable authentication options that require user input from the p
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
<ul> <ul>
<li>GP English name: <em>Enable use of BitLocker authentication requiring preboot keyboard input on slates</em></li> <li>GP Friendly name: <em>Enable use of BitLocker authentication requiring preboot keyboard input on slates</em></li>
<li>GP name: <em>EnablePrebootInputProtectorsOnSlates_Name</em></li> <li>GP name: <em>EnablePrebootInputProtectorsOnSlates_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li> <li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -459,7 +459,7 @@ Allows you to configure the encryption type that is used by BitLocker.
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
<ul> <ul>
<li>GP English name: <em>Enforce drive encryption type on operating system drives</em></li> <li>GP Friendly name: <em>Enforce drive encryption type on operating system drives</em></li>
<li>GP name: <em>OSEncryptionType_Name</em></li> <li>GP name: <em>OSEncryptionType_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li> <li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -507,7 +507,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Require addition
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
<ul> <ul>
<li>GP English name: <em>Require additional authentication at startup</em></li> <li>GP Friendly name: <em>Require additional authentication at startup</em></li>
<li>GP name: <em>ConfigureAdvancedStartup_Name</em></li> <li>GP name: <em>ConfigureAdvancedStartup_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li> <li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -604,7 +604,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure minimu
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
<ul> <ul>
<li>GP English name:<em>Configure minimum PIN length for startup</em></li> <li>GP Friendly name:<em>Configure minimum PIN length for startup</em></li>
<li>GP name: <em>MinimumPINLength_Name</em></li> <li>GP name: <em>MinimumPINLength_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li> <li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
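Review bot: `GP Friendly name:<em>` on the MinimumPINLength_Name entry has no space after the colon, unlike every other entry in this file; since the line is being rewritten anyway, add the space so the rendered label reads `GP Friendly name: Configure minimum PIN length for startup`.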
@ -670,7 +670,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure pre-bo
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
<ul> <ul>
<li>GP English name: <em>Configure pre-boot recovery message and URL</em></li> <li>GP Friendly name: <em>Configure pre-boot recovery message and URL</em></li>
<li>GP name: <em>PrebootRecoveryInfo_Name</em></li> <li>GP name: <em>PrebootRecoveryInfo_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li> <li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -748,7 +748,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLo
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
<ul> <ul>
<li>GP English name: <em>Choose how BitLocker-protected operating system drives can be recovered</em></li> <li>GP Friendly name: <em>Choose how BitLocker-protected operating system drives can be recovered</em></li>
<li>GP name: <em>OSRecoveryUsage_Name</em></li> <li>GP name: <em>OSRecoveryUsage_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li> <li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -834,7 +834,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLo
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
<ul> <ul>
<li>GP English name: <em>Choose how BitLocker-protected fixed drives can be recovered</em></li> <li>GP Friendly name: <em>Choose how BitLocker-protected fixed drives can be recovered</em></li>
<li>GP name: <em>FDVRecoveryUsage_Name</em></li> <li>GP name: <em>FDVRecoveryUsage_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Fixed Drives</em></li> <li>GP path: <em>Windows Components/BitLocker Drive Encryption/Fixed Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -929,7 +929,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Deny write acces
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
<ul> <ul>
<li>GP English name: <em>Deny write access to fixed drives not protected by BitLocker</em></li> <li>GP Friendly name: <em>Deny write access to fixed drives not protected by BitLocker</em></li>
<li>GP name: <em>FDVDenyWriteAccess_Name</em></li> <li>GP name: <em>FDVDenyWriteAccess_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Fixed Drives</em></li> <li>GP path: <em>Windows Components/BitLocker Drive Encryption/Fixed Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -987,7 +987,7 @@ Allows you to configure the encryption type on fixed data drives that is used by
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
<ul> <ul>
<li>GP English name: <em>Enforce drive encryption type on fixed data drives</em></li> <li>GP Friendly name: <em>Enforce drive encryption type on fixed data drives</em></li>
<li>GP name: <em>FDVEncryptionType_Name</em></li> <li>GP name: <em>FDVEncryptionType_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Fixed Data Drives</em></li> <li>GP path: <em>Windows Components/BitLocker Drive Encryption/Fixed Data Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -1037,7 +1037,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Deny write acces
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
<ul> <ul>
<li>GP English name: <em>Deny write access to removable drives not protected by BitLocker</em></li> <li>GP Friendly name: <em>Deny write access to removable drives not protected by BitLocker</em></li>
<li>GP name: <em>RDVDenyWriteAccess_Name</em></li> <li>GP name: <em>RDVDenyWriteAccess_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Removeable Drives</em></li> <li>GP path: <em>Windows Components/BitLocker Drive Encryption/Removeable Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
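Review bot: the unchanged context line `GP path: Windows Components/BitLocker Drive Encryption/Removeable Drives` carries a spelling error and is inconsistent with the other removable-drive entries in this file, which use `Windows Components/BitLocker Drive Encryption/Removable Data Drives`; worth correcting while this block is open.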
@ -1106,7 +1106,7 @@ Allows you to configure the encryption type that is used by BitLocker.
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
<ul> <ul>
<li>GP English name: <em>Enforce drive encryption type on removable data drives</em></li> <li>GP Friendly name: <em>Enforce drive encryption type on removable data drives</em></li>
<li>GP name: <em>RDVEncryptionType_Name</em></li> <li>GP name: <em>RDVEncryptionType_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Removable Data Drives</em></li> <li>GP path: <em>Windows Components/BitLocker Drive Encryption/Removable Data Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -1150,7 +1150,7 @@ Allows you to control the use of BitLocker on removable data drives.
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
<ul> <ul>
<li>GP English name: <em>Control use of BitLocker on removable drives</em></li> <li>GP Friendly name: <em>Control use of BitLocker on removable drives</em></li>
<li>GP name: <em>RDVConfigureBDE_Name</em></li> <li>GP name: <em>RDVConfigureBDE_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Removable Data Drives</em></li> <li>GP path: <em>Windows Components/BitLocker Drive Encryption/Removable Data Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>

View File

@ -1,94 +0,0 @@
---
title: BrowserFavorite CSP
description: Learn how the BrowserFavorite configuration service provider is used to add and remove URLs from the favorites list on a device.
ms.assetid: 5d2351ff-2d6a-4273-9b09-224623723cbf
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 10/25/2021
---
# BrowserFavorite CSP
The BrowserFavorite configuration service provider is used to add and remove URLs from the favorites list on a device.
> [!Note]
> BrowserFavorite CSP is only supported in Windows Phone 8.1.
The BrowserFavorite configuration service provider manages only the favorites at the root favorite folder level. It does not manage subfolders under the root favorite folder nor does it manage favorites under a subfolder.
> [!Note]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_INTERNET\_EXPLORER\_FAVORITES capabilities to be accessed from a network configuration application.
The following shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
```console
BrowserFavorite
favorite name
----URL
```
<a href="" id="favorite-name-------------"></a>***favorite name***
Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer.
> [!Note]
> The *favorite name* should contain only characters that are valid in the Windows file system. The invalid characters are: \\ / : \* ? " < > |
Adding the same favorite twice adds only one occurrence to the Favorites list. If a favorite is added when another favorite with the same name but a different URL is already in the Favorites list, the existing favorite is replaced with the new favorite.
<a href="" id="url"></a>**URL**
Optional. Specifies the complete URL for the favorite.
## OMA client provisioning examples
Adding a new browser favorite.
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<wap-provisioningdoc>
<characteristic type="BrowserFavorite">
<characteristic type="Help and how-to">
<parm name="URL" value="http://www.microsoft.com/windowsphone/en-US/howto/wp7/default.aspx"/>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
|Elements|Available|
|--- |--- |
|Parm-query|Yes|
|Noparm|Yes|
|Nocharacteristic|Yes|
|Characteristic-query|Yes<br> <br>Recursive query: Yes<br> <br>Top-level query: Yes|
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
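Review bot: deleting this page is consistent with its own note that the CSP is only supported in Windows Phone 8.1, and the redirect added in the first hunk covers the old URL. Two follow-ups to confirm in the same change: the TOC entry for `browserfavorite-csp.md` must be removed (only its removal from the reference list is visible in this view), and any cross-reference to this page from other CSP topics must be updated, since relative links to a deleted file break the build.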

View File

@ -227,11 +227,11 @@ Optional. Specifies where to keep the private key.
The data type is an integer corresponding to one of the following values: The data type is an integer corresponding to one of the following values:
| Value | Description | | Value | Description |
|-------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |---|---|
| 1 | Private key protected by TPM. | | 1 | Private key protected by TPM. |
| 2 | Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. | | 2 | Private key protected by phone TPM if the device supports TPM. |
| 3 | (Default) Private key saved in software KSP. | | 3 | (Default) Private key saved in software KSP. |
| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. | | 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. |
Supported operations are Add, Get, Delete, and Replace. Supported operations are Add, Get, Delete, and Replace.
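Review bot: removing `All Windows Phone 8.1 devices support TPM and will treat value 2 as 1.` leaves the value 2 row saying only `Private key protected by phone TPM if the device supports TPM.`, so the behaviour on a device without a TPM is now unstated; if the key falls back to the software KSP (value 3) that should be said explicitly, because an administrator choosing between 1 and 2 needs to know whether 2 can silently end up with weaker key protection than 1. `phone TPM` should also become `TPM` now that the phone-specific sentence is gone.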
@ -361,7 +361,7 @@ The date type format is Null, meaning this node doesnt contain a value.
The only supported operation is Execute. The only supported operation is Execute.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-aadkeyidentifierlist"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList** <a href="" id="clientcertificateinstall-scep-uniqueid-install-aadkeyidentifierlist"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList**
Optional. Specify the AAD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail. Optional. Specify the Azure AD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the Azure AD Key present on the device. If no match is found, enrollment will fail.
Data type is string. Data type is string.

View File

@ -556,21 +556,22 @@ Supported operations are Get, Add, Delete, Replace.</Description>
</AccessType> </AccessType>
<DefaultValue>3</DefaultValue> <DefaultValue>3</DefaultValue>
<Description>Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. <Description>Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN.
SCEP enrolled cert doesnt support TPM PIN protection.
Supported values: SCEP enrolled cert doesnt support TPM PIN protection. Supported values:
1 private key protected by TPM, 1 private key protected by TPM,
2 private key protected by phone TPM if the device supports TPM. 2 private key protected by phone TPM if the device supports TPM.
All Windows Phone 8.1 devices support TPM and will treat value 2 as 1
3 (default) private key saved in software KSP 3 (default) private key saved in software KSP
4 private key protected by NGC. If this option is specified, container name should be specifed, if not enrollment will fail 4 private key protected by NGC. If this option is specified, container name should be specified, if not enrollment will fail.
Format is int. Format is int.
Supported operations are Get, Add, Delete, Replace Supported operations are Get, Add, Delete, Replace
</Description> </Description>
<DFFormat> <DFFormat>
<int /> <int />
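Review bot: this DDF Description now matches the table in clientcertificateinstall-csp.md, which is good, but the same gap applies here: the value 2 line no longer says what happens when no TPM is present. Since the Description text is being reflowed anyway, also fix `even it is protected by TPM` to `even if it is protected by TPM` and `doesnt` to `doesn't` on the adjacent lines.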

View File

@ -15,7 +15,7 @@ ms.collection: highpri
# Configuration service provider reference # Configuration service provider reference
A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used overtheair for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used overtheair for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot. A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used overtheair for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used overtheair for OMA Client Provisioning, or it can be included in the device image as a `.provxml` file that is installed during boot.
For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). For CSP DDF files, see [CSP DDF files download](#csp-ddf-files-download). For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). For CSP DDF files, see [CSP DDF files download](#csp-ddf-files-download).
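Review bot: `overtheair` (twice on the edited line) has lost its hyphens and should read `over-the-air`; the change to `device image` and the code formatting of `.provxml` are fine.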
@ -150,18 +150,6 @@ Additional lists:
<!--EndSKU--> <!--EndSKU-->
<!--EndCSP--> <!--EndCSP-->
<!--StartCSP-->
[BrowserFavorite CSP](browserfavorite-csp.md)
<!--StartSKU-->
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
|No|No|No|No|No|
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP--> <!--StartCSP-->
[CMPolicy CSP](cmpolicy-csp.md) [CMPolicy CSP](cmpolicy-csp.md)
@ -1147,6 +1135,7 @@ The following list shows the CSPs supported in HoloLens devices:
- [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) - [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
- [Firewall-CSP](firewall-csp.md) - [Firewall-CSP](firewall-csp.md)
- [HealthAttestation CSP](healthattestation-csp.md) - [HealthAttestation CSP](healthattestation-csp.md)
- [NetworkProxy CSP](networkproxy-csp.md)
- [NetworkQoSPolicy CSP](networkqospolicy-csp.md) - [NetworkQoSPolicy CSP](networkqospolicy-csp.md)
- [NodeCache CSP](nodecache-csp.md) - [NodeCache CSP](nodecache-csp.md)
- [PassportForWork CSP](passportforwork-csp.md) - [PassportForWork CSP](passportforwork-csp.md)
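Review bot: adding `NetworkProxy CSP` to the HoloLens supported list is a support statement; confirm that networkproxy-csp.md's own applicability table lists HoloLens, otherwise the two pages disagree.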

View File

@ -25,7 +25,7 @@ ms.date: 06/26/2017
# DMProcessConfigXMLFiltered function # DMProcessConfigXMLFiltered function
> [!Important] > [!Important]
> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. For more information about the new process for provisioning connectivity configuration, see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)). However, this function is still supported for other OEM uses. > The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. For more information about the new process for provisioning connectivity configuration, see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)). However, this function is still supported for other OEM uses.
Configures phone settings by using OMA Client Provisioning XML. Use of this function is strictly limited to the following scenarios. Configures phone settings by using OMA Client Provisioning XML. Use of this function is strictly limited to the following scenarios.
@ -45,7 +45,7 @@ Microsoft recommends that this function isn't used to configure the following ty
- Email settings - Email settings
> [!Note] > [!Note]
> The **DMProcessConfigXMLFiltered** function has full functionality in Windows Phone 8.1, but it has a read-only functionality in Windows 10. > The **DMProcessConfigXMLFiltered** function has full functionality in Windows Phone 8.1, but it has a read-only functionality in Windows 10.
@ -54,37 +54,29 @@ Microsoft recommends that this function isn't used to configure the following ty
```C++ ```C++
HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered( HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered(
LPCWSTR pszXmlIn, LPCWSTR pszXmlIn,
const WCHAR   **rgszAllowedCspNode, const WCHAR **rgszAllowedCspNode,
const DWORD   dwNumAllowedCspNodes, const DWORD dwNumAllowedCspNodes,
BSTR    *pbstrXmlOut BSTR *pbstrXmlOut
); );
``` ```
## Parameters ## Parameters
*pszXmlIn* *pszXmlIn*
<ul>
<li>[in] The nullterminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. <strong>DMProcessConfigXMLFiltered</strong> accepts only OMA Client Provisioning XML (also known as WAP provisioning). It doesn't accept OMA DM SyncML XML (also known as SyncML).</li> - [in] The nullterminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. **DMProcessConfigXMLFiltered** accepts only OMA Client Provisioning XML (also known as WAP provisioning). It doesn't accept OMA DM SyncML XML (also known as SyncML).
</ul>
<br>
*rgszAllowedCspNode* *rgszAllowedCspNode*
<ul>
<li>[in] Array of <strong>WCHAR\</strong>* that specify which configuration service provider nodes can be invoked.</li> - [in] Array of `WCHAR` that specify which configuration service provider nodes can be invoked.
</ul>
<br>
*dwNumAllowedCspNodes* *dwNumAllowedCspNodes*
<ul>
<li>[in] Number of elements passed in <em>rgszAllowedCspNode</em>.</li> - [in] Number of elements passed in <em>rgszAllowedCspNode</em>.
</ul>
<br>
*pbstrXmlOut* *pbstrXmlOut*
<ul>
<li>[out] The resulting nullterminated XML from configuration. The caller of <strong>DMProcessConfigXMLFiltered</strong> is responsible for cleanup of the output buffer that the <em>pbstrXmlOut</em> parameter references. Use <a href="/windows/win32/api/oleauto/nf-oleauto-sysfreestring" data-raw-source="[**SysFreeString**](/windows/win32/api/oleauto/nf-oleauto-sysfreestring)"><strong>SysFreeString</strong></a> to free the memory.</li> - [out] The resulting nullterminated XML from configuration. The caller of **DMProcessConfigXMLFiltered** is responsible for cleanup of the output buffer that the <em>pbstrXmlOut</em> parameter references. Use <a href="/windows/win32/api/oleauto/nf-oleauto-sysfreestring" data-raw-source="[**SysFreeString**](/windows/win32/api/oleauto/nf-oleauto-sysfreestring)">**SysFreeString**</a> to free the memory.
</ul>
<br>
If **DMProcessConfigXMLFiltered** retrieves a document, the *pbstrXmlOut* holds the XML output (in string form) of the provisioning operations. If **DMProcessConfigXMLFiltered** returns a failure, the XML output often contains "error nodes" that indicate which elements of the original XML failed. If the input document doesn't contain queries and is successfully processed, the output document should resemble the input document. In some error cases, no output is returned. If **DMProcessConfigXMLFiltered** retrieves a document, the *pbstrXmlOut* holds the XML output (in string form) of the provisioning operations. If **DMProcessConfigXMLFiltered** returns a failure, the XML output often contains "error nodes" that indicate which elements of the original XML failed. If the input document doesn't contain queries and is successfully processed, the output document should resemble the input document. In some error cases, no output is returned.
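Review bot: The `WCHAR\*` to `WCHAR` change in the *rgszAllowedCspNode* bullet drops the pointer: the parameter is an array of wide-string pointers, so the new text should read "Array of `WCHAR*`" (the backslash is not needed inside a code span). The converted bullets also still carry HTML inside markdown (`<em>rgszAllowedCspNode</em>`, `<em>pbstrXmlOut</em>`, and the `<a href=... data-raw-source=...>` wrapper around **SysFreeString**); finish the conversion with `*rgszAllowedCspNode*`, `*pbstrXmlOut*` and `[**SysFreeString**](/windows/win32/api/oleauto/nf-oleauto-sysfreestring)`, and hyphenate "null-terminated" in both bullets while the lines are being touched.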

View File

@ -36,7 +36,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
> See [Understanding ADMX policies in Policy CSP](./understanding-admx-backed-policies.md). > See [Understanding ADMX policies in Policy CSP](./understanding-admx-backed-policies.md).
1. Find the policy from the list [ADMX policies](./policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description. 1. Find the policy from the list [ADMX policies](./policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description.
- GP English name - GP Friendly name
- GP name - GP name
- GP ADMX file name - GP ADMX file name
- GP path - GP path
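Review bot: The rename from "GP English name" to "GP Friendly name" is only correct if the field in the linked page (./policies-in-policy-csp-admx-backed.md) and in the per-policy descriptions carries the same label; confirm the label matches there, otherwise readers are told to look for a field that does not exist.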

View File

@ -16,9 +16,9 @@ ms.date: 07/28/2017
This section provides an example of the mobile device enrollment protocol using federated authentication policy. When the authentication policy is set to Federated, the web authentication broker is leveraged by the enrollment client to get a security token. The enrollment client calls the web authentication broker API within the response message to start the process. The server should build the web authentication broker pages to fit the device screen and should be consistent with the existing enrollment UI. The opaque security token that is returned from the broker as an end page is used by the enrollment client as the device security secret during the client certificate request call. This section provides an example of the mobile device enrollment protocol using federated authentication policy. When the authentication policy is set to Federated, the web authentication broker is leveraged by the enrollment client to get a security token. The enrollment client calls the web authentication broker API within the response message to start the process. The server should build the web authentication broker pages to fit the device screen and should be consistent with the existing enrollment UI. The opaque security token that is returned from the broker as an end page is used by the enrollment client as the device security secret during the client certificate request call.
The &lt;AuthenticationServiceURL&gt; element the discovery response message specifies web authentication broker page start URL. The `<AuthenticationServiceURL>` element the discovery response message specifies web authentication broker page start URL.
For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
## In this topic ## In this topic
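Review bot: The sentence moved to a code span still reads "The `<AuthenticationServiceURL>` element the discovery response message specifies web authentication broker page start URL"; it is missing "in" and two articles and should read "The `<AuthenticationServiceURL>` element in the discovery response message specifies the web authentication broker page start URL." The element casing also differs from the rest of this file, which uses `AuthenticationServiceUrl` (see the hunks at 146 and 156); pick one spelling, since a reader searching the page for the element name will miss one of them.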
@ -26,7 +26,7 @@ For details about the Microsoft mobile device enrollment protocol for Windows 1
[Enrollment policy web service](#enrollment-policy-web-service) [Enrollment policy web service](#enrollment-policy-web-service)
[Enrollment web service](#enrollment-web-service) [Enrollment web service](#enrollment-web-service)
For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
## Discovery service ## Discovery service
@ -35,7 +35,7 @@ The discovery web service provides the configuration information necessary for a
> [!NOTE] > [!NOTE]
> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. > The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http:<span></span>//enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`.
The first request is a standard HTTP GET request. The first request is a standard HTTP GET request.
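Review bot: "first Get request" should be "first GET request" to match the following sentence ("a standard HTTP GET request"), now that the example URL on this line has been moved into a code span.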
@ -146,7 +146,7 @@ A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse
The following are the explicit requirements for the server. The following are the explicit requirements for the server.
- The &lt;DiscoveryResponse&gt;&lt;AuthenticationServiceUrl&gt; element must support HTTPS. - The `<DiscoveryResponse>``<AuthenticationServiceUrl>` element must support HTTPS.
- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail. - The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail.
- WP doesnt support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device. - WP doesnt support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device.
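Review bot: `<DiscoveryResponse>``<AuthenticationServiceUrl>` does not render as two code spans: the double backtick between them is a run of length two and cannot close the single-backtick span opened before `<DiscoveryResponse>`, so the whole thing renders as one code span with literal backticks inside. Use `<DiscoveryResponse><AuthenticationServiceUrl>` in a single span, or write "the `<AuthenticationServiceUrl>` element of `<DiscoveryResponse>`". The adjacent context line also has "WP doesnt" without the apostrophe.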
@ -156,8 +156,8 @@ The enrollment client issues an HTTPS request as follows:
AuthenticationServiceUrl?appru=<appid>&amp;login_hint=<User Principal Name> AuthenticationServiceUrl?appru=<appid>&amp;login_hint=<User Principal Name>
``` ```
- &lt;appid&gt; is of the form ms-app://string - `<appid>` is of the form ms-app://string
- &lt;User Principal Name&gt; is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication. - `<User Principal Name>` is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication.
After authentication is complete, the auth server should return an HTML form document with a POST method action of appid identified in the query string parameter. After authentication is complete, the auth server should return an HTML form document with a POST method action of appid identified in the query string parameter.
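Review bot: The example UPN in the `<User Principal Name>` bullet is "user@constoso.com"; it should be "user@contoso.com", the example domain used in the discovery section. Worth fixing since the line is already being rewritten.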
@ -191,7 +191,7 @@ Content-Length: 556
</html> </html>
``` ```
The server has to send a POST to a redirect URL of the form ms-app://string (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary" contained in the &lt;wsse:BinarySecurityToken&gt; EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form it is just HTML encoded. This string is opaque to the enrollment client; the client does not interpret the string. The server has to send a POST to a redirect URL of the form ms-app://string (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary` contained in the `<wsse:BinarySecurityToken>` EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form it is just HTML encoded. This string is opaque to the enrollment client; the client does not interpret the string.
The following example shows a response received from the discovery web service which requires authentication via WAB. The following example shows a response received from the discovery web service which requires authentication via WAB.
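Review bot: Inside a code span the backslash is literal, so `...wssecurity-secext-1.0.xsd\#base64binary` now shows a stray `\` before `#` that the quoted form did not display; drop the backslash in the new text.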
@ -235,18 +235,18 @@ Policy service is optional. By default, if no policies are specified, the minimu
This web service implements the X.509 Certificate Enrollment Policy Protocol (MS-XCEP) specification that allows customizing certificate enrollment to match different security needs of enterprises at different times (cryptographic agility). The service processes the GetPolicies message from the client, authenticates the client, and returns matching enrollment policies in the GetPoliciesResponse message. This web service implements the X.509 Certificate Enrollment Policy Protocol (MS-XCEP) specification that allows customizing certificate enrollment to match different security needs of enterprises at different times (cryptographic agility). The service processes the GetPolicies message from the client, authenticates the client, and returns matching enrollment policies in the GetPoliciesResponse message.
For Federated authentication policy, the security token credential is provided in a request message using the &lt;wsse:BinarySecurityToken&gt; element \[WSS\]. The security token is retrieved as described in the discovery response section. The authentication information is as follows: For Federated authentication policy, the security token credential is provided in a request message using the `<wsse:BinarySecurityToken>` element \[WSS\]. The security token is retrieved as described in the discovery response section. The authentication information is as follows:
- wsse:Security: The enrollment client implements the &lt;wsse:Security&gt; element defined in \[WSS\] section 5. The &lt;wsse:Security&gt; element must be a child of the &lt;s:Header&gt; element. - wsse:Security: The enrollment client implements the `<wsse:Security>` element defined in \[WSS\] section 5. The `<wsse:Security>` element must be a child of the `<s:Header>` element.
- wsse:BinarySecurityToken: The enrollment client implements the &lt;wsse:BinarySecurityToken&gt; element defined in \[WSS\] section 6.3. The &lt;wsse:BinarySecurityToken&gt; element must be included as a child of the &lt;wsse:Security&gt; element in the SOAP header. - wsse:BinarySecurityToken: The enrollment client implements the `<wsse:BinarySecurityToken>` element defined in \[WSS\] section 6.3. The `<wsse:BinarySecurityToken>` element must be included as a child of the `<wsse:Security>` element in the SOAP header.
As was described in the discovery response section, the inclusion of the &lt;wsse:BinarySecurityToken&gt; element is opaque to the enrollment client, and the client does not interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the &lt;AuthenticationServiceUrl&gt; element of &lt;DiscoveryResponse&gt; and the enterprise server. As was described in the discovery response section, the inclusion of the `<wsse:BinarySecurityToken>` element is opaque to the enrollment client, and the client does not interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the `<AuthenticationServiceUrl>` element of `<DiscoveryResponse>` and the enterprise server.
The &lt;wsse:BinarySecurityToken&gt; element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the &lt;wsse:BinarySecurityToken&gt; element. The `<wsse:BinarySecurityToken>` element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the `<wsse:BinarySecurityToken>` element.
- wsse:BinarySecurityToken/attributes/ValueType: The `<wsse:BinarySecurityToken>` ValueType attribute must be "http:<span></span>//schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken". - wsse:BinarySecurityToken/attributes/ValueType: The `<wsse:BinarySecurityToken>` ValueType attribute must be `http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken`.
- wsse:BinarySecurityToken/attributes/EncodingType: The `<wsse:BinarySecurityToken>` EncodingType attribute must be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary". - wsse:BinarySecurityToken/attributes/EncodingType: The `<wsse:BinarySecurityToken>` EncodingType attribute must be `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary`.
The following is an enrollment policy request example with a received security token as client credential. The following is an enrollment policy request example with a received security token as client credential.
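Review bot: The parenthesis opened at "(as identified in the `<AuthenticationServiceUrl>` element of `<DiscoveryResponse>`" is never closed; close it after `<DiscoveryResponse>` before "and the enterprise server". The EncodingType bullet carries the same `\#` escape into its code span as the hunk above (`...secext-1.0.xsd\#base64binary`); remove the backslash here as well.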
@ -478,7 +478,7 @@ After validating the request, the web service looks up the assigned certificate
> [!Note] > [!Note]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. > The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (http:<span></span>//schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc), because the token is more than an X.509 v3 certificate. Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (`http://schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc`), because the token is more than an X.509 v3 certificate.
The provisioning XML contains: The provisioning XML contains:
@ -616,7 +616,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
> [!NOTE] > [!NOTE]
> >
> - &lt;Parm name&gt; and &lt;characteristic type=&gt; elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase. > - `<Parm name>` and `<characteristic type=>` elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase.
> >
> - In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML. > - In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML.
> >

View File

@ -57,7 +57,7 @@ The XML below is the current version for this CSP.
<Add /> <Add />
<Delete /> <Delete />
</AccessType> </AccessType>
<Description>Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one ProviderID node under NodeCache.</Description> <Description>Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process.</Description>
<DFFormat> <DFFormat>
<node /> <node />
</DFFormat> </DFFormat>
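Review bot: Dropping "In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one ProviderID node under NodeCache." removes the only statement of how many ProviderID nodes are allowed under NodeCache; if the one-server limit still applies on Windows 10, the Description should keep a platform-neutral version of that sentence rather than stay silent. The same Description text is edited identically in the hunk at 282, so whatever wording is chosen needs to be applied in both places.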
@ -282,7 +282,7 @@ The XML below is the current version for this CSP.
<Add /> <Add />
<Delete /> <Delete />
</AccessType> </AccessType>
<Description>Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one ProviderID node under NodeCache.</Description> <Description>Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process.</Description>
<DFFormat> <DFFormat>
<node /> <node />
</DFFormat> </DFFormat>

View File

@ -1131,8 +1131,96 @@ ms.date: 10/08/2020
- [ADMX_tcpip/Teredo_Server_Name](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-server-name) - [ADMX_tcpip/Teredo_Server_Name](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-server-name)
- [ADMX_tcpip/Teredo_State](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-state) - [ADMX_tcpip/Teredo_State](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-state)
- [ADMX_tcpip/Windows_Scaling_Heuristics_State](./policy-csp-admx-tcpip.md#admx-tcpip-windows-scaling-heuristics-state) - [ADMX_tcpip/Windows_Scaling_Heuristics_State](./policy-csp-admx-tcpip.md#admx-tcpip-windows-scaling-heuristics-state)
- [ADMX_TerminalServer/TS_AUTO_RECONNECT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_auto_reconnect)
- [ADMX_TerminalServer/TS_CAMERA_REDIRECTION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_camera_redirection)
- [ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_certificate_template_policy)
- [ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_1)
- [ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_2)
- [ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_1)
- [ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_2)
- [ADMX_TerminalServer/TS_CLIENT_AUDIO](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio)
- [ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_capture)
- [ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_quality)
- [ADMX_TerminalServer/TS_CLIENT_CLIPBOARD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_clipboard)
- [ADMX_TerminalServer/TS_CLIENT_COM](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_com)
- [ADMX_TerminalServer/TS_CLIENT_DEFAULT_M](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_default_m)
- [ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_hardware_mode)
- [ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_password_saving_1)
- [ADMX_TerminalServer/TS_CLIENT_LPT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_lpt)
- [ADMX_TerminalServer/TS_CLIENT_PNP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_pnp)
- [ADMX_TerminalServer/TS_CLIENT_PRINTER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_printer)
- [ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_1)
- [ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_2)
- [ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_turn_off_udp)
- [ADMX_TerminalServer/TS_COLORDEPTH](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_colordepth)
- [ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_delete_roaming_user_profiles)
- [ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_disable_remote_desktop_wallpaper)
- [ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_dx_use_full_hwgpu)
- [ADMX_TerminalServer/TS_EASY_PRINT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print)
- [ADMX_TerminalServer/TS_EASY_PRINT_User](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print_user)
- [ADMX_TerminalServer/TS_EnableVirtualGraphics](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_enablevirtualgraphics)
- [ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_fallbackprintdrivertype)
- [ADMX_TerminalServer/TS_FORCIBLE_LOGOFF](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_forcible_logoff)
- [ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable) - [ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable)
- [ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method) - [ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method)
- [ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_server)
- [ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_join_session_directory)
- [ADMX_TerminalServer/TS_KEEP_ALIVE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_keep_alive)
- [ADMX_TerminalServer/TS_LICENSE_SECGROUP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_secgroup)
- [ADMX_TerminalServer/TS_LICENSE_SERVERS](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_servers)
- [ADMX_TerminalServer/TS_LICENSE_TOOLTIP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_tooltip)
- [ADMX_TerminalServer/TS_LICENSING_MODE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_licensing_mode)
- [ADMX_TerminalServer/TS_MAX_CON_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_max_con_policy)
- [ADMX_TerminalServer/TS_MAXDISPLAYRES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxdisplayres)
- [ADMX_TerminalServer/TS_MAXMONITOR](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxmonitor)
- [ADMX_TerminalServer/TS_NoDisconnectMenu](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nodisconnectmenu)
- [ADMX_TerminalServer/TS_NoSecurityMenu](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nosecuritymenu)
- [ADMX_TerminalServer/TS_PreventLicenseUpgrade](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_preventlicenseupgrade)
- [ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_promt_creds_client_comp)
- [ADMX_TerminalServer/TS_RADC_DefaultConnection](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_radc_defaultconnection)
- [ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_rdsappx_waitforregistration)
- [ADMX_TerminalServer/TS_RemoteControl_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_1)
- [ADMX_TerminalServer/TS_RemoteControl_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_2)
- [ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotedesktopvirtualgraphics)
- [ADMX_TerminalServer/TS_SD_ClustName](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_clustname)
- [ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_expose_address)
- [ADMX_TerminalServer/TS_SD_Loc](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_loc)
- [ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_security_layer_policy)
- [ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_network_detect)
- [ADMX_TerminalServer/TS_SELECT_TRANSPORT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_transport)
- [ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_advanced_remotefx_remoteapp)
- [ADMX_TerminalServer/TS_SERVER_AUTH](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_auth)
- [ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc_hw_encode_preferred)
- [ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc444_mode_preferred)
- [ADMX_TerminalServer/TS_SERVER_COMPRESSOR](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_compressor)
- [ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_image_quality)
- [ADMX_TerminalServer/TS_SERVER_LEGACY_RFX](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_legacy_rfx)
- [ADMX_TerminalServer/TS_SERVER_PROFILE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_profile)
- [ADMX_TerminalServer/TS_SERVER_VISEXP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_visexp)
- [ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_wddm_graphics_driver)
- [ADMX_TerminalServer/TS_Session_End_On_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_1)
- [ADMX_TerminalServer/TS_Session_End_On_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_2)
- [ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_1)
- [ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_2)
- [ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_1)
- [ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_2)
- [ADMX_TerminalServer/TS_SESSIONS_Limits_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_limits_1)
- [ADMX_TerminalServer/TS_SESSIONS_Limits_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_limits_2)
- [ADMX_TerminalServer/TS_SINGLE_SESSION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_single_session)
- [ADMX_TerminalServer/TS_SMART_CARD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_smart_card)
- [ADMX_TerminalServer/TS_START_PROGRAM_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_1)
- [ADMX_TerminalServer/TS_START_PROGRAM_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_2)
- [ADMX_TerminalServer/TS_TEMP_DELETE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_delete)
- [ADMX_TerminalServer/TS_TEMP_PER_SESSION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_per_session)
- [ADMX_TerminalServer/TS_TIME_ZONE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_time_zone)
- [ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_tscc_permissions_policy)
- [ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_turnoff_singleapp)
- [ADMX_TerminalServer/TS_UIA](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_uia)
- [ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_usb_redirection_disable)
- [ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_authentication_policy)
- [ADMX_TerminalServer/TS_USER_HOME](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_home)
- [ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_mandatory_profiles)
- [ADMX_TerminalServer/TS_USER_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_profiles)
- [ADMX_Thumbnails/DisableThumbnails](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnails) - [ADMX_Thumbnails/DisableThumbnails](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnails)
- [ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnailsonnetworkfolders) - [ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnailsonnetworkfolders)
- [ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbsdbonnetworkfolders) - [ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbsdbonnetworkfolders)
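Review bot: The inserted ADMX_TerminalServer entries are in alphabetical order, but the two pre-existing lines they were inserted around are not: TS_GATEWAY_POLICY_ENABLE still precedes TS_GATEWAY_POLICY_AUTH_METHOD, so swap them while this block is being edited. Each new link targets an anchor such as `#admx-terminalserver-ts_auto_reconnect` in policy-csp-admx-terminalserver.md; those anchors only resolve if matching headings exist in that file in this same commit, so the link targets should be checked rather than assumed.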

View File

@ -4068,12 +4068,269 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
### ADMX_TerminalServer policies ### ADMX_TerminalServer policies
<dl> <dl>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_auto_reconnect" id="admx-terminalserver-ts_auto_reconnect">ADMX_TerminalServer/TS_AUTO_RECONNECT</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_camera_redirection" id="admx-terminalserver-ts_camera_redirection">ADMX_TerminalServer/TS_CAMERA_REDIRECTION</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_certificate_template_policy" id="admx-terminalserver-ts_certificate_template_policy">ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_1" id="admx-terminalserver-ts_client_allow_signed_files_1">ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_2" id="admx-terminalserver-ts_client_allow_signed_files_2">ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_1" id="admx-terminalserver-ts_client_allow_unsigned_files_1">ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_2" id="admx-terminalserver-ts_client_allow_unsigned_files_2">ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio" id="admx-terminalserver-ts_client_audio">ADMX_TerminalServer/TS_CLIENT_AUDIO</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_capture" id="admx-terminalserver-ts_client_audio_capture">ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_quality" id="admx-terminalserver-ts_client_audio_quality">ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_clipboard" id="admx-terminalserver-ts_client_clipboard">ADMX_TerminalServer/TS_CLIENT_CLIPBOARD</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_com" id="admx-terminalserver-ts_client_com">ADMX_TerminalServer/TS_CLIENT_COM</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_default_m" id="admx-terminalserver-ts_client_default_m">ADMX_TerminalServer/TS_CLIENT_DEFAULT_M</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_hardware_mode" id="admx-terminalserver-ts_client_disable_hardware_mode">ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_password_saving_1" id="admx-terminalserver-ts_client_disable_password_saving_1">ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_lpt" id="admx-terminalserver-ts_client_lpt">ADMX_TerminalServer/TS_CLIENT_LPT</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_pnp" id="admx-terminalserver-ts_client_pnp">ADMX_TerminalServer/TS_CLIENT_PNP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_printer" id="admx-terminalserver-ts_client_printer">ADMX_TerminalServer/TS_CLIENT_PRINTER</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_1" id="admx-terminalserver-ts_client_trusted_certificate_thumbprints_1">ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_2" id="admx-terminalserver-ts_client_trusted_certificate_thumbprints_2">ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_turn_off_udp" id="admx-terminalserver-ts_client_turn_off_udp">ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_colordepth" id="admx-terminalserver-ts_colordepth">ADMX_TerminalServer/TS_COLORDEPTH</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_delete_roaming_user_profiles" id="admx-terminalserver-ts_delete_roaming_user_profiles">ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_disable_remote_desktop_wallpaper" id="admx-terminalserver-ts_disable_remote_desktop_wallpaper">ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_dx_use_full_hwgpu" id="admx-terminalserver-ts_dx_use_full_hwgpu">ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print" id="admx-terminalserver-ts_easy_print">ADMX_TerminalServer/TS_EASY_PRINT</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print_user" id="admx-terminalserver-ts_easy_print_user">ADMX_TerminalServer/TS_EASY_PRINT_User</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_enablevirtualgraphics" id="admx-terminalserver-ts_enablevirtualgraphics">ADMX_TerminalServer/TS_EnableVirtualGraphics</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_fallbackprintdrivertype" id="admx-terminalserver-ts_fallbackprintdrivertype">ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_forcible_logoff" id="admx-terminalserver-ts_forcible_logoff">ADMX_TerminalServer/TS_FORCIBLE_LOGOFF</a>
</dd>
<dd> <dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable" id="admx-terminalserver-ts_gateway_policy_enable">ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE</a> <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable" id="admx-terminalserver-ts_gateway_policy_enable">ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE</a>
</dd> </dd>
<dd> <dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method" id="admx-terminalserver-ts_gateway_policy_auth_method">ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD</a> <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method" id="admx-terminalserver-ts_gateway_policy_auth_method">ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_server" id="admx-terminalserver-ts_gateway_policy_server">ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER</a>
</dd> </dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_join_session_directory" id="admx-terminalserver-ts_join_session_directory">ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_keep_alive" id="admx-terminalserver-ts_keep_alive">ADMX_TerminalServer/TS_KEEP_ALIVE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_secgroup" id="admx-terminalserver-ts_license_secgroup">ADMX_TerminalServer/TS_LICENSE_SECGROUP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_servers" id="admx-terminalserver-ts_license_servers">ADMX_TerminalServer/TS_LICENSE_SERVERS</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_tooltip" id="admx-terminalserver-ts_license_tooltip">ADMX_TerminalServer/TS_LICENSE_TOOLTIP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_licensing_mode" id="admx-terminalserver-ts_licensing_mode">ADMX_TerminalServer/TS_LICENSING_MODE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_max_con_policy" id="admx-terminalserver-ts_max_con_policy">ADMX_TerminalServer/TS_MAX_CON_POLICY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxdisplayres" id="admx-terminalserver-ts_maxdisplayres">ADMX_TerminalServer/TS_MAXDISPLAYRES</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxmonitor" id="admx-terminalserver-ts_maxmonitor">ADMX_TerminalServer/TS_MAXMONITOR</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nodisconnectmenu" id="admx-terminalserver-ts_nodisconnectmenu">ADMX_TerminalServer/TS_NoDisconnectMenu</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nosecuritymenu" id="admx-terminalserver-ts_nosecuritymenu">ADMX_TerminalServer/TS_NoSecurityMenu</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_preventlicenseupgrade" id="admx-terminalserver-ts_preventlicenseupgrade">ADMX_TerminalServer/TS_PreventLicenseUpgrade</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_promt_creds_client_comp" id="admx-terminalserver-ts_promt_creds_client_comp">ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_radc_defaultconnection" id="admx-terminalserver-ts_radc_defaultconnection">ADMX_TerminalServer/TS_RADC_DefaultConnection</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_rdsappx_waitforregistration" id="admx-terminalserver-ts_rdsappx_waitforregistration">ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_1" id="admx-terminalserver-ts_remotecontrol_1">ADMX_TerminalServer/TS_RemoteControl_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_2" id="admx-terminalserver-ts_remotecontrol_2">ADMX_TerminalServer/TS_RemoteControl_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotedesktopvirtualgraphics" id="admx-terminalserver-ts_remotedesktopvirtualgraphics">ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_clustname" id="admx-terminalserver-ts_sd_clustname">ADMX_TerminalServer/TS_SD_ClustName</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_expose_address" id="admx-terminalserver-ts_sd_expose_address">ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_loc" id="admx-terminalserver-ts_sd_loc">ADMX_TerminalServer/TS_SD_Loc</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_security_layer_policy" id="admx-terminalserver-ts_security_layer_policy">ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_network_detect" id="admx-terminalserver-ts_select_network_detect">ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_transport" id="admx-terminalserver-ts_select_transport">ADMX_TerminalServer/TS_SELECT_TRANSPORT</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_advanced_remotefx_remoteapp" id="admx-terminalserver-ts_server_advanced_remotefx_remoteapp">ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_auth" id="admx-terminalserver-ts_server_auth">ADMX_TerminalServer/TS_SERVER_AUTH</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc_hw_encode_preferred" id="admx-terminalserver-ts_server_avc_hw_encode_preferred">ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc444_mode_preferred" id="admx-terminalserver-ts_server_avc444_mode_preferred">ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_compressor" id="admx-terminalserver-ts_server_compressor">ADMX_TerminalServer/TS_SERVER_COMPRESSOR</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_image_quality" id="admx-terminalserver-ts_server_image_quality">ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_legacy_rfx" id="admx-terminalserver-ts_server_legacy_rfx">ADMX_TerminalServer/TS_SERVER_LEGACY_RFX</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_profile" id="admx-terminalserver-ts_server_profile">ADMX_TerminalServer/TS_SERVER_PROFILE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_visexp" id="admx-terminalserver-ts_server_visexp">ADMX_TerminalServer/TS_SERVER_VISEXP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_wddm_graphics_driver" id="admx-terminalserver-ts_server_wddm_graphics_driver">ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_1" id="admx-terminalserver-ts_session_end_on_limit_1">ADMX_TerminalServer/TS_Session_End_On_Limit_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_2" id="admx-terminalserver-ts_session_end_on_limit_2">ADMX_TerminalServer/TS_Session_End_On_Limit_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_1" id="admx-terminalserver-ts_sessions_disconnected_timeout_1">ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_2" id="admx-terminalserver-ts_sessions_disconnected_timeout_2">ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2</a>
</dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_1" id="admx-terminalserver-ts_sessions_idle_limit_1">ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_2" id="admx-terminalserver-ts_sessions_idle_limit_2">ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_single_session" id="admx-terminalserver-ts_single_session">ADMX_TerminalServer/TS_SINGLE_SESSION</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_smart_card" id="admx-terminalserver-ts_smart_card">ADMX_TerminalServer/TS_SMART_CARD</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_1" id="admx-terminalserver-ts_start_program_1">ADMX_TerminalServer/TS_START_PROGRAM_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_2" id="admx-terminalserver-ts_start_program_2">ADMX_TerminalServer/TS_START_PROGRAM_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_delete" id="admx-terminalserver-ts_temp_delete">ADMX_TerminalServer/TS_TEMP_DELETE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_per_session" id="admx-terminalserver-ts_temp_per_session">ADMX_TerminalServer/TS_TEMP_PER_SESSION</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_time_zone" id="admx-terminalserver-ts_time_zone">ADMX_TerminalServer/TS_TIME_ZONE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_tscc_permissions_policy" id="admx-terminalserver-ts_tscc_permissions_policy">ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_turnoff_singleapp" id="admx-terminalserver-ts_turnoff_singleapp">ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_uia" id="admx-terminalserver-ts_uia">ADMX_TerminalServer/TS_UIA</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_usb_redirection_disable" id="admx-terminalserver-ts_usb_redirection_disable">ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_authentication_policy" id="admx-terminalserver-ts_user_authentication_policy">ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_home" id="admx-terminalserver-ts_user_home">ADMX_TerminalServer/TS_USER_HOME</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_mandatory_profiles" id="admx-terminalserver-ts_user_mandatory_profiles">ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_profiles" id="admx-terminalserver-ts_user_profiles">ADMX_TerminalServer/TS_USER_PROFILES</a>
</dd>
<dl> <dl>
### ADMX_Thumbnails policies ### ADMX_Thumbnails policies
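Review bot: the entry for TS_SESSIONS_Idle_Limit_1 (the `<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_1" ...>` line that directly follows the `</dd>` of TS_SESSIONS_Disconnected_Timeout_2) is missing its opening `<dd>`, so that anchor ends up as a bare child of the `<dl>` with an orphaned `</dd>` after it; add `<dd>` before that anchor to match every other entry in this block. The unchanged line that terminates the list also reads `<dl>` where `</dl>` is expected, which leaves the ADMX_TerminalServer definition list open into the `### ADMX_Thumbnails policies` heading; since this hunk replaces the whole list, it is the right place to correct that closing tag as well.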
@ -6181,6 +6438,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd> </dd>
</dl> </dl>
### EAP policies
<dl>
<dd>
<a href="./policy-csp-eap.md#eap-allowtls1_3" id="eap-allowtls1_3">EAP/AllowTLS1_3</a>
</dd>
</dl>
### Education policies ### Education policies
<dl> <dl>
@ -6371,6 +6636,20 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd> </dd>
</dl> </dl>
### HumanPresence policies
<dl>
<dd>
<a href="./policy-csp-humanpresence.md#humanpresence-forceinstantlock" id="humanpresence-forceinstantlock">HumanPresence/ForceInstantLock</a>
</dd>
<dd>
<a href="./policy-csp-humanpresence.md#humanpresence-forceinstantwake" id="humanpresence-forceinstantwake">HumanPresence/ForceInstantWake</a>
</dd>
<dd>
<a href="./policy-csp-humanpresence.md#humanpresence-forcelocktimeout" id="humanpresence-forcelocktimeout">HumanPresence/ForceLockTimeout</a>
</dd>
</dl>
### InternetExplorer policies ### InternetExplorer policies
<dl> <dl>
@ -7497,6 +7776,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd> <dd>
</dl> </dl>
### NewsAndInterests policies
<dl>
<dd>
<a href="./policy-csp-newsandinterests.md#newsandinterests-allownewsandinterests" id="newsandinterests-allownewsandinterests">NewsAndInterests/AllowNewsAndInterests</a>
</dd>
</dl>
### Notifications policies ### Notifications policies
<dl> <dl>
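Review bot: the unchanged context at the top of this hunk has a bare `<dd>` immediately followed by `</dl>`, i.e. an empty, unclosed `<dd>` at the tail of the preceding policy list; the new NewsAndInterests block itself is well formed, but that stray `<dd>` sits directly above it and should be removed (or given its `</dd>`) in the same change so the list that precedes the new section is balanced.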
@ -7900,6 +8187,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd> </dd>
</dl> </dl>
### RemoteDesktop policies
<dl>
<dd>
<a href="./policy-csp-remotedesktop.md#remotedesktop-autosubscription" id="remotedesktop-autosubscription">RemoteDesktop/AutoSubscription</a>
</dd>
<dd>
<a href="./policy-csp-remotedesktop.md#remotedesktop-loadaadcredkeyfromprofile" id="remotedesktop-loadaadcredkeyfromprofile">RemoteDesktop/LoadAadCredKeyFromProfile</a>
</dd>
</dl>
### RemoteDesktopServices policies ### RemoteDesktopServices policies
<dl> <dl>
@ -8294,6 +8592,18 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd> <dd>
<a href="./policy-csp-storage.md#storage-removablediskdenywriteaccess" id="storage-removablediskdenywriteaccess">Storage/RemovableDiskDenyWriteAccess</a> <a href="./policy-csp-storage.md#storage-removablediskdenywriteaccess" id="storage-removablediskdenywriteaccess">Storage/RemovableDiskDenyWriteAccess</a>
</dd> </dd>
<dd>
<a href="./policy-csp-storage.md#storage-wpddevicesdenyreadaccessperdevice" id="storage-wpddevicesdenyreadaccessperdevice">Storage/WPDDevicesDenyReadAccessPerDevice</a>
</dd>
<dd>
<a href="./policy-csp-storage.md#storage-wpddevicesdenyreadaccessperuser" id="storage-wpddevicesdenyreadaccessperuser">Storage/WPDDevicesDenyReadAccessPerUser</a>
</dd>
<dd>
<a href="./policy-csp-storage.md#storage-wpddevicesdenywriteaccessperdevice" id="storage-wpddevicesdenywriteaccessperdevice">Storage/WPDDevicesDenyWriteAccessPerDevice</a>
</dd>
<dd>
<a href="./policy-csp-storage.md#storage-wpddevicesdenywriteaccessperuser" id="storage-wpddevicesdenywriteaccessperuser">Storage/WPDDevicesDenyWriteAccessPerUser</a>
</dd>
</dl> </dl>
### System policies ### System policies

View File

@ -148,7 +148,7 @@ If you do not configure this policy setting, the administrator can use the Probl
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off Windows Customer Experience Improvement Program* - GP Friendly name: *Turn off Windows Customer Experience Improvement Program*
- GP name: *CEIPEnable* - GP name: *CEIPEnable*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
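Review bot: the relabel from `GP English name` to `GP Friendly name` in the ADMX Info block should be applied consistently across every ADMX-backed policy page, not only this file; please confirm that the other policy-csp-admx-*.md pages linked from the policy lists earlier in this commit (for example policy-csp-admx-terminalserver.md and policy-csp-admx-thumbnails.md) no longer carry the old label, otherwise the two wordings will coexist in the reference.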
@ -196,7 +196,7 @@ If you disable or do not configure this policy setting, your computer will conta
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off Automatic Root Certificates Update* - GP Friendly name: *Turn off Automatic Root Certificates Update*
- GP name: *CertMgr_DisableAutoRootUpdates* - GP name: *CertMgr_DisableAutoRootUpdates*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -247,7 +247,7 @@ If you disable or do not configure this policy setting, users can choose to prin
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off printing over HTTP* - GP Friendly name: *Turn off printing over HTTP*
- GP name: *DisableHTTPPrinting_1* - GP name: *DisableHTTPPrinting_1*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -300,7 +300,7 @@ If you disable or do not configure this policy setting, users can download print
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off downloading of print drivers over HTTP* - GP Friendly name: *Turn off downloading of print drivers over HTTP*
- GP name: *DisableWebPnPDownload_1* - GP name: *DisableWebPnPDownload_1*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -353,7 +353,7 @@ Also see "Turn off Windows Update device driver search prompt" in "Administrativ
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off Windows Update device driver searching* - GP Friendly name: *Turn off Windows Update device driver searching*
- GP name: *DriverSearchPlaces_DontSearchWindowsUpdate* - GP name: *DriverSearchPlaces_DontSearchWindowsUpdate*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -403,7 +403,7 @@ Also, see "Events.asp URL", "Events.asp program", and "Events.asp Program Comman
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off Event Viewer "Events.asp" links* - GP Friendly name: *Turn off Event Viewer "Events.asp" links*
- GP name: *EventViewer_DisableLinks* - GP name: *EventViewer_DisableLinks*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -453,7 +453,7 @@ You might want to enable this policy setting for users who do not have Internet
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off Help and Support Center "Did you know?" content* - GP Friendly name: *Turn off Help and Support Center "Did you know?" content*
- GP name: *HSS_HeadlinesPolicy* - GP name: *HSS_HeadlinesPolicy*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -501,7 +501,7 @@ If you disable or do not configure this policy setting, the Knowledge Base is se
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off Help and Support Center Microsoft Knowledge Base search* - GP Friendly name: *Turn off Help and Support Center Microsoft Knowledge Base search*
- GP name: *HSS_KBSearchPolicy* - GP name: *HSS_KBSearchPolicy*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -549,7 +549,7 @@ If you do not configure this policy setting, all of the the policy settings in t
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Restrict Internet communication* - GP Friendly name: *Restrict Internet communication*
- GP name: *InternetManagement_RestrictCommunication_1* - GP name: *InternetManagement_RestrictCommunication_1*
- GP path: *System\Internet Communication Management* - GP path: *System\Internet Communication Management*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
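Review bot: the function-context text in this hunk's header shows `all of the the policy settings in t...`, a doubled "the" in the existing policy description just above the ADMX Info block; the same doubled word appears in the context of the next hunk (the `InternetManagement_RestrictCommunication_2` entry). Both descriptions are worth fixing while this file is being touched.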
@ -596,7 +596,7 @@ If you do not configure this policy setting, all of the the policy settings in t
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Restrict Internet communication* - GP Friendly name: *Restrict Internet communication*
- GP name: *InternetManagement_RestrictCommunication_2* - GP name: *InternetManagement_RestrictCommunication_2*
- GP path: *System\Internet Communication Management* - GP path: *System\Internet Communication Management*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -642,7 +642,7 @@ If you disable or do not configure this policy setting, users can connect to Mic
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com* - GP Friendly name: *Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com*
- GP name: *NC_ExitOnISP* - GP name: *NC_ExitOnISP*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -690,7 +690,7 @@ Note that registration is optional and involves submitting some personal informa
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off Registration if URL connection is referring to Microsoft.com* - GP Friendly name: *Turn off Registration if URL connection is referring to Microsoft.com*
- GP name: *NC_NoRegistration* - GP name: *NC_NoRegistration*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -742,7 +742,7 @@ Also see the "Configure Error Reporting", "Display Error Notification" and "Disa
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off Windows Error Reporting* - GP Friendly name: *Turn off Windows Error Reporting*
- GP name: *PCH_DoNotReport* - GP name: *PCH_DoNotReport*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -791,7 +791,7 @@ If you disable or do not configure this policy setting, users can access the Win
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off access to all Windows Update features* - GP Friendly name: *Turn off access to all Windows Update features*
- GP name: *RemoveWindowsUpdate_ICM* - GP name: *RemoveWindowsUpdate_ICM*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -842,7 +842,7 @@ If you disable or do not configure this policy setting, Search Companion downloa
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off Search Companion content file updates* - GP Friendly name: *Turn off Search Companion content file updates*
- GP name: *SearchCompanion_DisableFileUpdates* - GP name: *SearchCompanion_DisableFileUpdates*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -890,7 +890,7 @@ If you disable or do not configure this policy setting, the user is allowed to u
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off Internet File Association service* - GP Friendly name: *Turn off Internet File Association service*
- GP name: *ShellNoUseInternetOpenWith_1* - GP name: *ShellNoUseInternetOpenWith_1*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -938,7 +938,7 @@ If you disable or do not configure this policy setting, the user is allowed to u
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off Internet File Association service* - GP Friendly name: *Turn off Internet File Association service*
- GP name: *ShellNoUseInternetOpenWith_2* - GP name: *ShellNoUseInternetOpenWith_2*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -986,7 +986,7 @@ If you disable or do not configure this policy setting, the user is allowed to u
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off access to the Store* - GP Friendly name: *Turn off access to the Store*
- GP name: *ShellNoUseStoreOpenWith_1* - GP name: *ShellNoUseStoreOpenWith_1*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -1034,7 +1034,7 @@ If you disable or do not configure this policy setting, the user is allowed to u
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off access to the Store* - GP Friendly name: *Turn off access to the Store*
- GP name: *ShellNoUseStoreOpenWith_2* - GP name: *ShellNoUseStoreOpenWith_2*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -1082,7 +1082,7 @@ See the documentation for the web publishing and online ordering wizards for mor
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off Internet download for Web publishing and online ordering wizards* - GP Friendly name: *Turn off Internet download for Web publishing and online ordering wizards*
- GP name: *ShellPreventWPWDownload_1* - GP name: *ShellPreventWPWDownload_1*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -1128,7 +1128,7 @@ If you disable or do not configure this policy setting, the task is displayed.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off the "Order Prints" picture task* - GP Friendly name: *Turn off the "Order Prints" picture task*
- GP name: *ShellRemoveOrderPrints_1* - GP name: *ShellRemoveOrderPrints_1*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -1176,7 +1176,7 @@ If you disable or do not configure this policy setting, the task is displayed.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off the "Order Prints" picture task* - GP Friendly name: *Turn off the "Order Prints" picture task*
- GP name: *ShellRemoveOrderPrints_2* - GP name: *ShellRemoveOrderPrints_2*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -1222,7 +1222,7 @@ If you enable this policy setting, these tasks are removed from the File and Fol
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off the "Publish to Web" task for files and folders* - GP Friendly name: *Turn off the "Publish to Web" task for files and folders*
- GP name: *ShellRemovePublishToWeb_1* - GP name: *ShellRemovePublishToWeb_1*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -1270,7 +1270,7 @@ If you disable or do not configure this policy setting, the tasks are shown.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off the "Publish to Web" task for files and folders* - GP Friendly name: *Turn off the "Publish to Web" task for files and folders*
- GP name: *ShellRemovePublishToWeb_2* - GP name: *ShellRemovePublishToWeb_2*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -1320,7 +1320,7 @@ If you disable this policy setting, Windows Messenger collects anonymous usage i
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off the Windows Messenger Customer Experience Improvement Program* - GP Friendly name: *Turn off the Windows Messenger Customer Experience Improvement Program*
- GP name: *WinMSG_NoInstrumentation_1* - GP name: *WinMSG_NoInstrumentation_1*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*
@ -1372,7 +1372,7 @@ If you do not configure this policy setting, users have the choice to opt in and
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off the Windows Messenger Customer Experience Improvement Program* - GP Friendly name: *Turn off the Windows Messenger Customer Experience Improvement Program*
- GP name: *WinMSG_NoInstrumentation_2* - GP name: *WinMSG_NoInstrumentation_2*
- GP path: *System\Internet Communication Management\Internet Communication settings* - GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx* - GP ADMX file name: *ICM.admx*

View File

@ -76,7 +76,7 @@ If disabled then new iSNS servers may be added and thus new targets discovered v
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Do not allow manual configuration of iSNS servers* - GP Friendly name: *Do not allow manual configuration of iSNS servers*
- GP name: *iSCSIGeneral_RestrictAdditionalLogins* - GP name: *iSCSIGeneral_RestrictAdditionalLogins*
- GP path: *System\iSCSI\iSCSI Target Discovery* - GP path: *System\iSCSI\iSCSI Target Discovery*
- GP ADMX file name: *iSCSI.admx* - GP ADMX file name: *iSCSI.admx*
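Review bot: the friendly name "Do not allow manual configuration of iSNS servers" does not obviously correspond to the GP name *iSCSIGeneral_RestrictAdditionalLogins* on the line below it (the context line also describes iSNS server discovery, not session logins). Since the rename makes the friendly name the primary user-facing label, verify the friendly name / GP name pairing against iSCSI.admx before this lands rather than carrying a possible mismatch forward.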
@ -119,7 +119,7 @@ If disabled then new target portals may be added and thus new targets discovered
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Do not allow manual configuration of target portals* - GP Friendly name: *Do not allow manual configuration of target portals*
- GP name: *iSCSIGeneral_ChangeIQNName* - GP name: *iSCSIGeneral_ChangeIQNName*
- GP path: *System\iSCSI\iSCSI Target Discovery* - GP path: *System\iSCSI\iSCSI Target Discovery*
- GP ADMX file name: *iSCSI.admx* - GP ADMX file name: *iSCSI.admx*
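Review bot: the friendly name "Do not allow manual configuration of target portals" is paired with GP name *iSCSIGeneral_ChangeIQNName*, which reads as an initiator-name policy rather than a target-portal one, and the GP path is the discovery node. Please confirm this pairing against iSCSI.admx; if the GP name is wrong, an administrator following this page would map the CSP setting to the wrong policy.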
@ -163,7 +163,7 @@ If disabled then the initiator CHAP secret may be changed.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Do not allow changes to initiator CHAP secret* - GP Friendly name: *Do not allow changes to initiator CHAP secret*
- GP name: *iSCSISecurity_ChangeCHAPSecret* - GP name: *iSCSISecurity_ChangeCHAPSecret*
- GP path: *System\iSCSI\iSCSI Security* - GP path: *System\iSCSI\iSCSI Security*
- GP ADMX file name: *iSCSI.admx* - GP ADMX file name: *iSCSI.admx*

View File

@ -113,7 +113,7 @@ Impact on domain controller performance when this policy setting is enabled:
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *KDC support for claims, compound authentication and Kerberos armoring* - GP Friendly name: *KDC support for claims, compound authentication and Kerberos armoring*
- GP name: *CbacAndArmor* - GP name: *CbacAndArmor*
- GP path: *System/KDC* - GP path: *System/KDC*
- GP ADMX file name: *kdc.admx* - GP ADMX file name: *kdc.admx*
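Review bot: the GP path here uses a forward slash (*System/KDC*), whereas the Kerberos, Logon and ICM hunks in this same commit write the path with a backslash (*System\Kerberos*, *System\Logon*). Group Policy editor paths are conventionally shown with backslashes; since this commit is already touching every ADMX Info block, normalizing the separator in the System/KDC, Network/Lanman Server and Network/Link-Layer Topology Discovery entries at the same time would be cheap and would keep the blocks uniform.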
@ -161,7 +161,7 @@ To ensure consistent behavior, this policy setting must be supported and set ide
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Use forest search order* - GP Friendly name: *Use forest search order*
- GP name: *ForestSearch* - GP name: *ForestSearch*
- GP path: *System/KDC* - GP path: *System/KDC*
- GP ADMX file name: *kdc.admx* - GP ADMX file name: *kdc.admx*
@ -213,7 +213,7 @@ If you disable or not configure this policy setting, then the DC will never offe
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *KDC support for PKInit Freshness Extension* - GP Friendly name: *KDC support for PKInit Freshness Extension*
- GP name: *PKINITFreshness* - GP name: *PKINITFreshness*
- GP path: *System/KDC* - GP path: *System/KDC*
- GP ADMX file name: *kdc.admx* - GP ADMX file name: *kdc.admx*
@ -262,7 +262,7 @@ If you disable or do not configure this policy setting, domain controllers will
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Request compound authentication* - GP Friendly name: *Request compound authentication*
- GP name: *RequestCompoundId* - GP name: *RequestCompoundId*
- GP path: *System/KDC* - GP path: *System/KDC*
- GP ADMX file name: *kdc.admx* - GP ADMX file name: *kdc.admx*
@ -308,7 +308,7 @@ If you disable or do not configure this policy setting, the threshold value defa
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Warning for large Kerberos tickets* - GP Friendly name: *Warning for large Kerberos tickets*
- GP name: *TicketSizeThreshold* - GP name: *TicketSizeThreshold*
- GP path: *System/KDC* - GP path: *System/KDC*
- GP ADMX file name: *kdc.admx* - GP ADMX file name: *kdc.admx*
@ -359,7 +359,7 @@ If you disable or do not configure this policy setting, the domain controller do
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Provide information about previous logons to client computers* - GP Friendly name: *Provide information about previous logons to client computers*
- GP name: *emitlili* - GP name: *emitlili*
- GP path: *System/KDC* - GP path: *System/KDC*
- GP ADMX file name: *kdc.admx* - GP ADMX file name: *kdc.admx*

View File

@ -95,7 +95,7 @@ If you disable or do not configure this policy setting and the resource domain r
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Always send compound authentication first* - GP Friendly name: *Always send compound authentication first*
- GP name: *AlwaysSendCompoundId* - GP name: *AlwaysSendCompoundId*
- GP path: *System\Kerberos* - GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx* - GP ADMX file name: *Kerberos.admx*
@ -148,7 +148,7 @@ If you do not configure this policy setting, Automatic will be used.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Support device authentication using certificate* - GP Friendly name: *Support device authentication using certificate*
- GP name: *DevicePKInitEnabled* - GP name: *DevicePKInitEnabled*
- GP path: *System\Kerberos* - GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx* - GP ADMX file name: *Kerberos.admx*
@ -196,7 +196,7 @@ If you do not configure this policy setting, the system uses the host name-to-Ke
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Define host name-to-Kerberos realm mappings* - GP Friendly name: *Define host name-to-Kerberos realm mappings*
- GP name: *HostToRealm* - GP name: *HostToRealm*
- GP path: *System\Kerberos* - GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx* - GP ADMX file name: *Kerberos.admx*
@ -243,7 +243,7 @@ If you disable or do not configure this policy setting, the Kerberos client enfo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Disable revocation checking for the SSL certificate of KDC proxy servers* - GP Friendly name: *Disable revocation checking for the SSL certificate of KDC proxy servers*
- GP name: *KdcProxyDisableServerRevocationCheck* - GP name: *KdcProxyDisableServerRevocationCheck*
- GP path: *System\Kerberos* - GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx* - GP ADMX file name: *Kerberos.admx*
@ -289,7 +289,7 @@ If you disable or do not configure this policy setting, the Kerberos client does
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Specify KDC proxy servers for Kerberos clients* - GP Friendly name: *Specify KDC proxy servers for Kerberos clients*
- GP name: *KdcProxyServer* - GP name: *KdcProxyServer*
- GP path: *System\Kerberos* - GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx* - GP ADMX file name: *Kerberos.admx*
@ -337,7 +337,7 @@ If you do not configure this policy setting, the system uses the interoperable K
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Define interoperable Kerberos V5 realm settings* - GP Friendly name: *Define interoperable Kerberos V5 realm settings*
- GP name: *MitRealms* - GP name: *MitRealms*
- GP path: *System\Kerberos* - GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx* - GP ADMX file name: *Kerberos.admx*
@ -391,7 +391,7 @@ If you do not configure this policy setting, Automatic will be used.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Support compound authentication* - GP Friendly name: *Support compound authentication*
- GP name: *ServerAcceptsCompound* - GP name: *ServerAcceptsCompound*
- GP path: *System\Kerberos* - GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx* - GP ADMX file name: *Kerberos.admx*
@ -437,7 +437,7 @@ If you disable or do not configure this policy setting, any service is allowed t
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Require strict target SPN match on remote procedure calls* - GP Friendly name: *Require strict target SPN match on remote procedure calls*
- GP name: *StrictTarget* - GP name: *StrictTarget*
- GP path: *System\Kerberos* - GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx* - GP ADMX file name: *Kerberos.admx*

View File

@ -96,7 +96,7 @@ Arrange the desired cipher suites in the edit box, one cipher suite per line, in
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Cipher suite order* - GP Friendly name: *Cipher suite order*
- GP name: *Pol_CipherSuiteOrder* - GP name: *Pol_CipherSuiteOrder*
- GP path: *Network/Lanman Server* - GP path: *Network/Lanman Server*
- GP ADMX file name: *LanmanServer.admx* - GP ADMX file name: *LanmanServer.admx*
@ -156,7 +156,7 @@ In circumstances where this policy setting is enabled, you can also select the f
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Hash Publication for BranchCache* - GP Friendly name: *Hash Publication for BranchCache*
- GP name: *Pol_HashPublication* - GP name: *Pol_HashPublication*
- GP path: *Network/Lanman Server* - GP path: *Network/Lanman Server*
- GP ADMX file name: *LanmanServer.admx* - GP ADMX file name: *LanmanServer.admx*
@ -220,7 +220,7 @@ Hash version supported:
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Hash Version support for BranchCache* - GP Friendly name: *Hash Version support for BranchCache*
- GP name: *Pol_HashSupportVersion* - GP name: *Pol_HashSupportVersion*
- GP path: *Network/Lanman Server* - GP path: *Network/Lanman Server*
- GP ADMX file name: *LanmanServer.admx* - GP ADMX file name: *LanmanServer.admx*
@ -269,7 +269,7 @@ If you disable or do not configure this policy setting, the SMB server will sele
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Honor cipher suite order* - GP Friendly name: *Honor cipher suite order*
- GP name: *Pol_HonorCipherSuiteOrder* - GP name: *Pol_HonorCipherSuiteOrder*
- GP path: *Network/Lanman Server* - GP path: *Network/Lanman Server*
- GP ADMX file name: *LanmanServer.admx* - GP ADMX file name: *LanmanServer.admx*

View File

@ -98,7 +98,7 @@ Arrange the desired cipher suites in the edit box, one cipher suite per line, in
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Cipher suite order* - GP Friendly name: *Cipher suite order*
- GP name: *Pol_CipherSuiteOrder* - GP name: *Pol_CipherSuiteOrder*
- GP path: *Network\Lanman Workstation* - GP path: *Network\Lanman Workstation*
- GP ADMX file name: *LanmanWorkstation.admx* - GP ADMX file name: *LanmanWorkstation.admx*
@ -147,7 +147,7 @@ If you disable or do not configure this policy setting, Windows will prevent use
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Handle Caching on Continuous Availability Shares* - GP Friendly name: *Handle Caching on Continuous Availability Shares*
- GP name: *Pol_EnableHandleCachingForCAFiles* - GP name: *Pol_EnableHandleCachingForCAFiles*
- GP path: *Network\Lanman Workstation* - GP path: *Network\Lanman Workstation*
- GP ADMX file name: *LanmanWorkstation.admx* - GP ADMX file name: *LanmanWorkstation.admx*
@ -196,7 +196,7 @@ If you disable or do not configure this policy setting, Windows will prevent use
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Offline Files Availability on Continuous Availability Shares* - GP Friendly name: *Offline Files Availability on Continuous Availability Shares*
- GP name: *Pol_EnableOfflineFilesforCAShares* - GP name: *Pol_EnableOfflineFilesforCAShares*
- GP path: *Network\Lanman Workstation* - GP path: *Network\Lanman Workstation*
- GP ADMX file name: *LanmanWorkstation.admx* - GP ADMX file name: *LanmanWorkstation.admx*

View File

@ -80,7 +80,7 @@ The DPS can be configured with the Services snap-in to the Microsoft Management
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure custom alert text* - GP Friendly name: *Configure custom alert text*
- GP name: *WdiScenarioExecutionPolicy* - GP name: *WdiScenarioExecutionPolicy*
- GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic* - GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic*
- GP ADMX file name: *LeakDiagnostic.admx* - GP ADMX file name: *LeakDiagnostic.admx*
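Review bot: the GP path says *System\Troubleshooting and Diagnostics\Disk Diagnostic* while the ADMX file is listed as *LeakDiagnostic.admx*; a Disk Diagnostic path under a leak-diagnostic ADMX file looks like a copy-and-paste mismatch. Please verify the file name (and the GP name *WdiScenarioExecutionPolicy*) against the actual ADMX that defines "Configure custom alert text" before the friendly-name rename makes this block the canonical reference.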

View File

@ -76,7 +76,7 @@ If you disable or do not configure this policy setting, the default behavior of
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn on Mapper I/O (LLTDIO) driver* - GP Friendly name: *Turn on Mapper I/O (LLTDIO) driver*
- GP name: *LLTD_EnableLLTDIO* - GP name: *LLTD_EnableLLTDIO*
- GP path: *Network/Link-Layer Topology Discovery* - GP path: *Network/Link-Layer Topology Discovery*
- GP ADMX file name: *LinkLayerTopologyDiscovery.admx* - GP ADMX file name: *LinkLayerTopologyDiscovery.admx*
@ -124,7 +124,7 @@ If you disable or do not configure this policy setting, the default behavior for
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn on Responder (RSPNDR) driver* - GP Friendly name: *Turn on Responder (RSPNDR) driver*
- GP name: *LLTD_EnableRspndr* - GP name: *LLTD_EnableRspndr*
- GP path: *Network/Link-Layer Topology Discovery* - GP path: *Network/Link-Layer Topology Discovery*
- GP ADMX file name: *LinkLayerTopologyDiscovery.admx* - GP ADMX file name: *LinkLayerTopologyDiscovery.admx*

View File

@ -113,7 +113,7 @@ If you disable or do not configure this policy setting, the user may choose to s
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Block user from showing account details on sign-in* - GP Friendly name: *Block user from showing account details on sign-in*
- GP name: *BlockUserFromShowingAccountDetailsOnSignin* - GP name: *BlockUserFromShowingAccountDetailsOnSignin*
- GP path: *System\Logon* - GP path: *System\Logon*
- GP ADMX file name: *Logon.admx* - GP ADMX file name: *Logon.admx*
@ -159,7 +159,7 @@ If you disable or do not configure this policy, the logon background image adopt
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Show clear logon background* - GP Friendly name: *Show clear logon background*
- GP name: *DisableAcrylicBackgroundOnLogon* - GP name: *DisableAcrylicBackgroundOnLogon*
- GP path: *System\Logon* - GP path: *System\Logon*
- GP ADMX file name: *Logon.admx* - GP ADMX file name: *Logon.admx*
@ -208,7 +208,7 @@ This policy setting appears in the Computer Configuration and User Configuration
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Do not process the legacy run list* - GP Friendly name: *Do not process the legacy run list*
- GP name: *DisableExplorerRunLegacy_1* - GP name: *DisableExplorerRunLegacy_1*
- GP path: *System\Logon* - GP path: *System\Logon*
- GP ADMX file name: *Logon.admx* - GP ADMX file name: *Logon.admx*
@ -257,7 +257,7 @@ This policy setting appears in the Computer Configuration and User Configuration
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Do not process the legacy run list* - GP Friendly name: *Do not process the legacy run list*
- GP name: *DisableExplorerRunLegacy_2* - GP name: *DisableExplorerRunLegacy_2*
- GP path: *System\Logon* - GP path: *System\Logon*
- GP ADMX file name: *Logon.admx* - GP ADMX file name: *Logon.admx*
@ -310,7 +310,7 @@ This policy setting appears in the Computer Configuration and User Configuration
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Do not process the run once list* - GP Friendly name: *Do not process the run once list*
- GP name: *DisableExplorerRunOnceLegacy_1* - GP name: *DisableExplorerRunOnceLegacy_1*
- GP path: *System\Logon* - GP path: *System\Logon*
- GP ADMX file name: *Logon.admx* - GP ADMX file name: *Logon.admx*
@ -363,7 +363,7 @@ This policy setting appears in the Computer Configuration and User Configuration
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Do not process the run once list* - GP Friendly name: *Do not process the run once list*
- GP name: *DisableExplorerRunOnceLegacy_2* - GP name: *DisableExplorerRunOnceLegacy_2*
- GP path: *System\Logon* - GP path: *System\Logon*
- GP ADMX file name: *Logon.admx* - GP ADMX file name: *Logon.admx*
@ -409,7 +409,7 @@ If you disable or do not configure this policy setting, the system displays the
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Remove Boot / Shutdown / Logon / Logoff status messages* - GP Friendly name: *Remove Boot / Shutdown / Logon / Logoff status messages*
- GP name: *DisableStatusMessages* - GP name: *DisableStatusMessages*
- GP path: *System* - GP path: *System*
- GP ADMX file name: *Logon.admx* - GP ADMX file name: *Logon.admx*
@ -455,7 +455,7 @@ If you disable or do not configure this policy setting, connected users will be
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Do not enumerate connected users on domain-joined computers* - GP Friendly name: *Do not enumerate connected users on domain-joined computers*
- GP name: *DontEnumerateConnectedUsers* - GP name: *DontEnumerateConnectedUsers*
- GP path: *System\Logon* - GP path: *System\Logon*
- GP ADMX file name: *Logon.admx* - GP ADMX file name: *Logon.admx*
@ -511,7 +511,7 @@ This setting applies only to Windows. It does not affect the "Configure Your Ser
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Do not display the Getting Started welcome screen at logon* - GP Friendly name: *Do not display the Getting Started welcome screen at logon*
- GP name: *NoWelcomeTips_1* - GP name: *NoWelcomeTips_1*
- GP path: *System* - GP path: *System*
- GP ADMX file name: *Logon.admx* - GP ADMX file name: *Logon.admx*
@ -566,7 +566,7 @@ If you disable or do not configure this policy, the welcome screen is displayed
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Do not display the Getting Started welcome screen at logon* - GP Friendly name: *Do not display the Getting Started welcome screen at logon*
- GP name: *NoWelcomeTips_2* - GP name: *NoWelcomeTips_2*
- GP path: *System\Logon* - GP path: *System\Logon*
- GP ADMX file name: *Logon.admx* - GP ADMX file name: *Logon.admx*
@ -619,7 +619,7 @@ Also, see the "Do not process the legacy run list" and the "Do not process the r
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Run these programs at user logon* - GP Friendly name: *Run these programs at user logon*
- GP name: *Run_1* - GP name: *Run_1*
- GP path: *System\Logon* - GP path: *System\Logon*
- GP ADMX file name: *Logon.admx* - GP ADMX file name: *Logon.admx*
@ -673,7 +673,7 @@ Also, see the "Do not process the legacy run list" and the "Do not process the r
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Run these programs at user logon* - GP Friendly name: *Run these programs at user logon*
- GP name: *Run_2* - GP name: *Run_2*
- GP path: *System\Logon* - GP path: *System\Logon*
- GP ADMX file name: *Logon.admx* - GP ADMX file name: *Logon.admx*
@ -737,7 +737,7 @@ If you disable or do not configure this policy setting and users log on to a cli
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Always wait for the network at computer startup and logon* - GP Friendly name: *Always wait for the network at computer startup and logon*
- GP name: *SyncForegroundPolicy* - GP name: *SyncForegroundPolicy*
- GP path: *System\Logon* - GP path: *System\Logon*
- GP ADMX file name: *Logon.admx* - GP ADMX file name: *Logon.admx*
@ -783,7 +783,7 @@ If you disable or do not configure this policy setting, Windows uses the default
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Always use custom logon background* - GP Friendly name: *Always use custom logon background*
- GP name: *UseOEMBackground* - GP name: *UseOEMBackground*
- GP path: *System\Logon* - GP path: *System\Logon*
- GP ADMX file name: *Logon.admx* - GP ADMX file name: *Logon.admx*
@ -834,7 +834,7 @@ If you disable or do not configure this policy setting, only the default status
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Display highly detailed status messages* - GP Friendly name: *Display highly detailed status messages*
- GP name: *VerboseStatus* - GP name: *VerboseStatus*
- GP path: *System* - GP path: *System*
- GP ADMX file name: *Logon.admx* - GP ADMX file name: *Logon.admx*

View File

@ -347,7 +347,7 @@ If you disable this setting, the antimalware service will load as a low priority
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Allow antimalware service to startup with normal priority* - GP Friendly name: *Allow antimalware service to startup with normal priority*
- GP name: *AllowFastServiceStartup* - GP name: *AllowFastServiceStartup*
- GP path: *Windows Components\Microsoft Defender Antivirus* - GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -397,7 +397,7 @@ Enabling or disabling this policy may lead to unexpected or unsupported behavior
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off Microsoft Defender Antivirus* - GP Friendly name: *Turn off Microsoft Defender Antivirus*
- GP name: *DisableAntiSpywareDefender* - GP name: *DisableAntiSpywareDefender*
- GP path: *Windows Components\Microsoft Defender Antivirus* - GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -448,7 +448,7 @@ Same as Disabled.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off Auto Exclusions* - GP Friendly name: *Turn off Auto Exclusions*
- GP name: *DisableAutoExclusions* - GP name: *DisableAutoExclusions*
- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* - GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -500,7 +500,7 @@ This feature requires these Policy settings to be set as follows:
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure the 'Block at First Sight' feature* - GP Friendly name: *Configure the 'Block at First Sight' feature*
- GP name: *DisableBlockAtFirstSeen* - GP name: *DisableBlockAtFirstSeen*
- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS* - GP path: *Windows Components\Microsoft Defender Antivirus\MAPS*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -546,7 +546,7 @@ If you disable this setting, only items defined by Policy will be used in the re
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure local administrator merge behavior for lists* - GP Friendly name: *Configure local administrator merge behavior for lists*
- GP name: *DisableLocalAdminMerge* - GP name: *DisableLocalAdminMerge*
- GP path: *Windows Components\Microsoft Defender Antivirus* - GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -594,7 +594,7 @@ If you disable or do not configure this policy setting, Microsoft Defender Antiv
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off real-time protection* - GP Friendly name: *Turn off real-time protection*
- GP name: *DisableRealtimeMonitoring* - GP name: *DisableRealtimeMonitoring*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* - GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -640,7 +640,7 @@ If you disable or do not configure this policy setting, Microsoft Defender Antiv
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off routine remediation* - GP Friendly name: *Turn off routine remediation*
- GP name: *DisableRoutinelyTakingAction* - GP name: *DisableRoutinelyTakingAction*
- GP path: *Windows Components\Microsoft Defender Antivirus* - GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -682,7 +682,7 @@ This policy setting allows you specify a list of file types that should be exclu
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Extension Exclusions* - GP Friendly name: *Extension Exclusions*
- GP name: *Exclusions_Extensions* - GP name: *Exclusions_Extensions*
- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* - GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -726,7 +726,7 @@ As an example, a path might be defined as: "c:\Windows" to exclude all files in
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Path Exclusions* - GP Friendly name: *Path Exclusions*
- GP name: *Exclusions_Paths* - GP name: *Exclusions_Paths*
- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* - GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -768,7 +768,7 @@ This policy setting allows you to disable scheduled and real-time scanning for a
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Process Exclusions* - GP Friendly name: *Process Exclusions*
- GP name: *Exclusions_Processes* - GP name: *Exclusions_Processes*
- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* - GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -825,7 +825,7 @@ You can configure ASR rules in the Configure Attack Surface Reduction rules GP s
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Exclude files and paths from Attack Surface Reduction Rules* - GP Friendly name: *Exclude files and paths from Attack Surface Reduction Rules*
- GP name: *ExploitGuard_ASR_ASROnlyExclusions* - GP name: *ExploitGuard_ASR_ASROnlyExclusions*
- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction* - GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -898,7 +898,7 @@ You can exclude folders or files in the "Exclude files and paths from Attack Sur
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure Attack Surface Reduction rules* - GP Friendly name: *Configure Attack Surface Reduction rules*
- GP name: *ExploitGuard_ASR_Rules* - GP name: *ExploitGuard_ASR_Rules*
- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction* - GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -957,7 +957,7 @@ Default system folders are automatically guarded, but you can add folders in the
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure allowed applications* - GP Friendly name: *Configure allowed applications*
- GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications* - GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications*
- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access* - GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1017,7 +1017,7 @@ Microsoft Defender Antivirus automatically determines which applications can be
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure protected folders* - GP Friendly name: *Configure protected folders*
- GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders* - GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders*
- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access* - GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1068,7 +1068,7 @@ Same as Disabled.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Enable file hash computation feature* - GP Friendly name: *Enable file hash computation feature*
- GP name: *MpEngine_EnableFileHashComputation* - GP name: *MpEngine_EnableFileHashComputation*
- GP path: *Windows Components\Microsoft Defender Antivirus\MpEngine* - GP path: *Windows Components\Microsoft Defender Antivirus\MpEngine*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1114,7 +1114,7 @@ If you disable this setting, definition retirement will be disabled.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn on definition retirement* - GP Friendly name: *Turn on definition retirement*
- GP name: *Nis_Consumers_IPS_DisableSignatureRetirement* - GP name: *Nis_Consumers_IPS_DisableSignatureRetirement*
- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System* - GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1156,7 +1156,7 @@ This policy setting defines additional definition sets to enable for network tra
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Specify additional definition sets for network traffic inspection* - GP Friendly name: *Specify additional definition sets for network traffic inspection*
- GP name: *Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid* - GP name: *Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid*
- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System* - GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1202,7 +1202,7 @@ If you disable this setting, protocol recognition will be disabled.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn on protocol recognition* - GP Friendly name: *Turn on protocol recognition*
- GP name: *Nis_DisableProtocolRecognition* - GP name: *Nis_DisableProtocolRecognition*
- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System* - GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1248,7 +1248,7 @@ If you disable or do not configure this setting, the proxy server will not be by
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Define addresses to bypass proxy server* - GP Friendly name: *Define addresses to bypass proxy server*
- GP name: *ProxyBypass* - GP name: *ProxyBypass*
- GP path: *Windows Components\Microsoft Defender Antivirus* - GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1300,7 +1300,7 @@ If you disable or do not configure this setting, the proxy will skip over this f
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Define proxy auto-config (.pac) for connecting to the network* - GP Friendly name: *Define proxy auto-config (.pac) for connecting to the network*
- GP name: *ProxyPacUrl* - GP name: *ProxyPacUrl*
- GP path: *Windows Components\Microsoft Defender Antivirus* - GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1352,7 +1352,7 @@ If you disable or do not configure this setting, the proxy will skip over this f
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Define proxy server for connecting to the network* - GP Friendly name: *Define proxy server for connecting to the network*
- GP name: *ProxyServer* - GP name: *ProxyServer*
- GP path: *Windows Components\Microsoft Defender Antivirus* - GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1398,7 +1398,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure local setting override for the removal of items from Quarantine folder* - GP Friendly name: *Configure local setting override for the removal of items from Quarantine folder*
- GP name: *Quarantine_LocalSettingOverridePurgeItemsAfterDelay* - GP name: *Quarantine_LocalSettingOverridePurgeItemsAfterDelay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine* - GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1444,7 +1444,7 @@ If you disable or do not configure this setting, items will be kept in the quara
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure removal of items from Quarantine folder* - GP Friendly name: *Configure removal of items from Quarantine folder*
- GP name: *Quarantine_PurgeItemsAfterDelay* - GP name: *Quarantine_PurgeItemsAfterDelay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine* - GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1490,7 +1490,7 @@ If you disable this setting, scheduled tasks will begin at the specified start t
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Randomize scheduled task times* - GP Friendly name: *Randomize scheduled task times*
- GP name: *RandomizeScheduleTaskTimes* - GP name: *RandomizeScheduleTaskTimes*
- GP path: *Windows Components\Microsoft Defender Antivirus* - GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1536,7 +1536,7 @@ If you disable this setting, behavior monitoring will be disabled.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn on behavior monitoring* - GP Friendly name: *Turn on behavior monitoring*
- GP name: *RealtimeProtection_DisableBehaviorMonitoring* - GP name: *RealtimeProtection_DisableBehaviorMonitoring*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* - GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1582,7 +1582,7 @@ If you disable this setting, scanning for all downloaded files and attachments w
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Scan all downloaded files and attachments* - GP Friendly name: *Scan all downloaded files and attachments*
- GP name: *RealtimeProtection_DisableIOAVProtection* - GP name: *RealtimeProtection_DisableIOAVProtection*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* - GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1628,7 +1628,7 @@ If you disable this setting, monitoring for file and program activity will be di
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Monitor file and program activity on your computer* - GP Friendly name: *Monitor file and program activity on your computer*
- GP name: *RealtimeProtection_DisableOnAccessProtection* - GP name: *RealtimeProtection_DisableOnAccessProtection*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* - GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1674,7 +1674,7 @@ If you disable this setting, raw write notifications be disabled.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn on raw volume write notifications* - GP Friendly name: *Turn on raw volume write notifications*
- GP name: *RealtimeProtection_DisableRawWriteNotification* - GP name: *RealtimeProtection_DisableRawWriteNotification*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* - GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
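Review bot: the context line in this hunk's header, "If you disable this setting, raw write notifications be disabled.", is missing the verb; since the Turn on raw volume write notifications block (RealtimeProtection_DisableRawWriteNotification) is already being edited here, consider changing it to "If you disable this setting, raw write notifications will be disabled." so the wording matches the sibling real-time protection settings in this file.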
@ -1720,7 +1720,7 @@ If you disable this setting, a process scan will not be initiated when real-time
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn on process scanning whenever real-time protection is enabled* - GP Friendly name: *Turn on process scanning whenever real-time protection is enabled*
- GP name: *RealtimeProtection_DisableScanOnRealtimeEnable* - GP name: *RealtimeProtection_DisableScanOnRealtimeEnable*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* - GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1766,7 +1766,7 @@ If you disable or do not configure this setting, a default size will be applied.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Define the maximum size of downloaded files and attachments to be scanned* - GP Friendly name: *Define the maximum size of downloaded files and attachments to be scanned*
- GP name: *RealtimeProtection_IOAVMaxSize* - GP name: *RealtimeProtection_IOAVMaxSize*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* - GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1812,7 +1812,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure local setting override for turn on behavior monitoring* - GP Friendly name: *Configure local setting override for turn on behavior monitoring*
- GP name: *RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring* - GP name: *RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* - GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1858,7 +1858,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure local setting override for scanning all downloaded files and attachments* - GP Friendly name: *Configure local setting override for scanning all downloaded files and attachments*
- GP name: *RealtimeProtection_LocalSettingOverrideDisableIOAVProtection* - GP name: *RealtimeProtection_LocalSettingOverrideDisableIOAVProtection*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* - GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1904,7 +1904,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure local setting override for monitoring file and program activity on your computer* - GP Friendly name: *Configure local setting override for monitoring file and program activity on your computer*
- GP name: *RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection* - GP name: *RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* - GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1950,7 +1950,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure local setting override to turn on real-time protection* - GP Friendly name: *Configure local setting override to turn on real-time protection*
- GP name: *RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring* - GP name: *RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* - GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -1996,7 +1996,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure local setting override for monitoring for incoming and outgoing file activity* - GP Friendly name: *Configure local setting override for monitoring for incoming and outgoing file activity*
- GP name: *RealtimeProtection_LocalSettingOverrideRealtimeScanDirection* - GP name: *RealtimeProtection_LocalSettingOverrideRealtimeScanDirection*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* - GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2042,7 +2042,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure local setting override for the time of day to run a scheduled full scan to complete remediation* - GP Friendly name: *Configure local setting override for the time of day to run a scheduled full scan to complete remediation*
- GP name: *Remediation_LocalSettingOverrideScan_ScheduleTime* - GP name: *Remediation_LocalSettingOverrideScan_ScheduleTime*
- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation* - GP path: *Windows Components\Microsoft Defender Antivirus\Remediation*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2100,7 +2100,7 @@ If you disable or do not configure this setting, a scheduled full scan to comple
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Specify the day of the week to run a scheduled full scan to complete remediation* - GP Friendly name: *Specify the day of the week to run a scheduled full scan to complete remediation*
- GP name: *Remediation_Scan_ScheduleDay* - GP name: *Remediation_Scan_ScheduleDay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation* - GP path: *Windows Components\Microsoft Defender Antivirus\Remediation*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2146,7 +2146,7 @@ If you disable or do not configure this setting, a scheduled full scan to comple
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Specify the time of day to run a scheduled full scan to complete remediation* - GP Friendly name: *Specify the time of day to run a scheduled full scan to complete remediation*
- GP name: *Remediation_Scan_ScheduleTime* - GP name: *Remediation_Scan_ScheduleTime*
- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation* - GP path: *Windows Components\Microsoft Defender Antivirus\Remediation*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2188,7 +2188,7 @@ This policy setting configures the time in minutes before a detection in the "ad
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure time out for detections requiring additional action* - GP Friendly name: *Configure time out for detections requiring additional action*
- GP name: *Reporting_AdditionalActionTimeout* - GP name: *Reporting_AdditionalActionTimeout*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* - GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2230,7 +2230,7 @@ This policy setting configures the time in minutes before a detection in the “
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure time out for detections in critically failed state* - GP Friendly name: *Configure time out for detections in critically failed state*
- GP name: *Reporting_CriticalFailureTimeout* - GP name: *Reporting_CriticalFailureTimeout*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* - GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
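Review bot: the context line in this hunk's header opens its quote with a curly “ character, while the matching Reporting_AdditionalActionTimeout hunk just above uses a straight " for the same sentence pattern; consider normalizing the Reporting_CriticalFailureTimeout description to straight quotes so the Reporting timeout descriptions are consistent.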
@ -2276,7 +2276,7 @@ If you enable this setting, Microsoft Defender Antivirus enhanced notifications
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn off enhanced notifications* - GP Friendly name: *Turn off enhanced notifications*
- GP name: *Reporting_DisableEnhancedNotifications* - GP name: *Reporting_DisableEnhancedNotifications*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* - GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2321,7 +2321,7 @@ If you disable this setting, Watson events will not be sent.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure Watson events* - GP Friendly name: *Configure Watson events*
- GP name: *Reporting_Disablegenericreports* - GP name: *Reporting_Disablegenericreports*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* - GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2363,7 +2363,7 @@ This policy setting configures the time in minutes before a detection in the "no
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure time out for detections in non-critical failed state* - GP Friendly name: *Configure time out for detections in non-critical failed state*
- GP name: *Reporting_NonCriticalTimeout* - GP name: *Reporting_NonCriticalTimeout*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* - GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2403,7 +2403,7 @@ This policy setting configures the time in minutes before a detection in the "co
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure time out for detections in recently remediated state* - GP Friendly name: *Configure time out for detections in recently remediated state*
- GP name: *Reporting_RecentlyCleanedTimeout* - GP name: *Reporting_RecentlyCleanedTimeout*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* - GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2445,7 +2445,7 @@ This policy configures Windows software trace preprocessor (WPP Software Tracing
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure Windows software trace preprocessor components* - GP Friendly name: *Configure Windows software trace preprocessor components*
- GP name: *Reporting_WppTracingComponents* - GP name: *Reporting_WppTracingComponents*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* - GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2494,7 +2494,7 @@ Tracing levels are defined as:
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure WPP tracing level* - GP Friendly name: *Configure WPP tracing level*
- GP name: *Reporting_WppTracingLevel* - GP name: *Reporting_WppTracingLevel*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* - GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2540,7 +2540,7 @@ If you disable this setting, users will not be able to pause scans.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Allow users to pause scan* - GP Friendly name: *Allow users to pause scan*
- GP name: *Scan_AllowPause* - GP name: *Scan_AllowPause*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2586,7 +2586,7 @@ If you disable or do not configure this setting, archive files will be scanned t
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Specify the maximum depth to scan archive files* - GP Friendly name: *Specify the maximum depth to scan archive files*
- GP name: *Scan_ArchiveMaxDepth* - GP name: *Scan_ArchiveMaxDepth*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2632,7 +2632,7 @@ If you disable or do not configure this setting, archive files will be scanned a
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Specify the maximum size of archive files to be scanned* - GP Friendly name: *Specify the maximum size of archive files to be scanned*
- GP name: *Scan_ArchiveMaxSize* - GP name: *Scan_ArchiveMaxSize*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2679,7 +2679,7 @@ If you disable this setting, archive files will not be scanned.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Scan archive files* - GP Friendly name: *Scan archive files*
- GP name: *Scan_DisableArchiveScanning* - GP name: *Scan_DisableArchiveScanning*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2725,7 +2725,7 @@ If you disable or do not configure this setting, e-mail scanning will be disable
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn on e-mail scanning* - GP Friendly name: *Turn on e-mail scanning*
- GP name: *Scan_DisableEmailScanning* - GP name: *Scan_DisableEmailScanning*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2771,7 +2771,7 @@ If you disable this setting, heuristics will be disabled.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn on heuristics* - GP Friendly name: *Turn on heuristics*
- GP name: *Scan_DisableHeuristics* - GP name: *Scan_DisableHeuristics*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2817,7 +2817,7 @@ If you disable this setting, packed executables will not be scanned.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Scan packed executables* - GP Friendly name: *Scan packed executables*
- GP name: *Scan_DisablePackedExeScanning* - GP name: *Scan_DisablePackedExeScanning*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2863,7 +2863,7 @@ If you disable or do not configure this setting, removable drives will not be sc
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Scan removable drives* - GP Friendly name: *Scan removable drives*
- GP name: *Scan_DisableRemovableDriveScanning* - GP name: *Scan_DisableRemovableDriveScanning*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2909,7 +2909,7 @@ If you disable or do not configure this setting, reparse point scanning will be
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn on reparse point scanning* - GP Friendly name: *Turn on reparse point scanning*
- GP name: *Scan_DisableReparsePointScanning* - GP name: *Scan_DisableReparsePointScanning*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -2955,7 +2955,7 @@ If you disable or do not configure this setting, a system restore point will not
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Create a system restore point* - GP Friendly name: *Create a system restore point*
- GP name: *Scan_DisableRestorePoint* - GP name: *Scan_DisableRestorePoint*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3000,7 +3000,7 @@ If you disable or do not configure this setting, mapped network drives will not
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Run full scan on mapped network drives* - GP Friendly name: *Run full scan on mapped network drives*
- GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan* - GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3046,7 +3046,7 @@ If you disable or do not configure this setting, network files will not be scann
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Scan network files* - GP Friendly name: *Scan network files*
- GP name: *Scan_DisableScanningNetworkFiles* - GP name: *Scan_DisableScanningNetworkFiles*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3092,7 +3092,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure local setting override for maximum percentage of CPU utilization* - GP Friendly name: *Configure local setting override for maximum percentage of CPU utilization*
- GP name: *Scan_LocalSettingOverrideAvgCPULoadFactor* - GP name: *Scan_LocalSettingOverrideAvgCPULoadFactor*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3138,7 +3138,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure local setting override for the scan type to use for a scheduled scan* - GP Friendly name: *Configure local setting override for the scan type to use for a scheduled scan*
- GP name: *Scan_LocalSettingOverrideScanParameters* - GP name: *Scan_LocalSettingOverrideScanParameters*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3184,7 +3184,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure local setting override for schedule scan day* - GP Friendly name: *Configure local setting override for schedule scan day*
- GP name: *Scan_LocalSettingOverrideScheduleDay* - GP name: *Scan_LocalSettingOverrideScheduleDay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3230,7 +3230,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure local setting override for scheduled quick scan time* - GP Friendly name: *Configure local setting override for scheduled quick scan time*
- GP name: *Scan_LocalSettingOverrideScheduleQuickScantime* - GP name: *Scan_LocalSettingOverrideScheduleQuickScantime*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3276,7 +3276,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure local setting override for scheduled scan time* - GP Friendly name: *Configure local setting override for scheduled scan time*
- GP name: *Scan_LocalSettingOverrideScheduleTime* - GP name: *Scan_LocalSettingOverrideScheduleTime*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3322,7 +3322,7 @@ If you disable or do not configure this setting, not changes will be made to CPU
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure low CPU priority for scheduled scans* - GP Friendly name: *Configure low CPU priority for scheduled scans*
- GP name: *Scan_LowCpuPriority* - GP name: *Scan_LowCpuPriority*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
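Review bot: the unchanged context in this hunk's header reads "not changes will be made to CPU", which looks like a typo for "no changes"; since the file is already being edited in this pass, it is worth fixing that description line too rather than leaving it for a separate change.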
@ -3368,7 +3368,7 @@ If you disable or do not configure this setting, a catch-up scan will occur afte
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Define the number of days after which a catch-up scan is forced* - GP Friendly name: *Define the number of days after which a catch-up scan is forced*
- GP name: *Scan_MissedScheduledScanCountBeforeCatchup* - GP name: *Scan_MissedScheduledScanCountBeforeCatchup*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3414,7 +3414,7 @@ If you disable or do not configure this setting, items will be kept in the scan
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn on removal of items from scan history folder* - GP Friendly name: *Turn on removal of items from scan history folder*
- GP name: *Scan_PurgeItemsAfterDelay* - GP name: *Scan_PurgeItemsAfterDelay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3460,7 +3460,7 @@ If you disable or do not configure this setting, a quick scan will run at a defa
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Specify the interval to run quick scans per day* - GP Friendly name: *Specify the interval to run quick scans per day*
- GP name: *Scan_QuickScanInterval* - GP name: *Scan_QuickScanInterval*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3506,7 +3506,7 @@ If you disable this setting, scheduled scans will run at the scheduled time.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Start the scheduled scan only when computer is on but not in use* - GP Friendly name: *Start the scheduled scan only when computer is on but not in use*
- GP name: *Scan_ScanOnlyIfIdle* - GP name: *Scan_ScanOnlyIfIdle*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3564,7 +3564,7 @@ If you disable or do not configure this setting, a scheduled scan will run at a
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Specify the day of the week to run a scheduled scan* - GP Friendly name: *Specify the day of the week to run a scheduled scan*
- GP name: *Scan_ScheduleDay* - GP name: *Scan_ScheduleDay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3610,7 +3610,7 @@ If you disable or do not configure this setting, a scheduled scan will run at a
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Specify the time of day to run a scheduled scan* - GP Friendly name: *Specify the time of day to run a scheduled scan*
- GP name: *Scan_ScheduleTime* - GP name: *Scan_ScheduleTime*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* - GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3656,7 +3656,7 @@ If you disable or do not configure this setting, the antimalware service will be
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Allow antimalware service to remain running always* - GP Friendly name: *Allow antimalware service to remain running always*
- GP name: *ServiceKeepAlive* - GP name: *ServiceKeepAlive*
- GP path: *Windows Components\Microsoft Defender Antivirus* - GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3704,7 +3704,7 @@ If you disable or do not configure this setting, spyware security intelligence w
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Define the number of days before spyware security intelligence is considered out of date* - GP Friendly name: *Define the number of days before spyware security intelligence is considered out of date*
- GP name: *SignatureUpdate_ASSignatureDue* - GP name: *SignatureUpdate_ASSignatureDue*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* - GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3750,7 +3750,7 @@ If you disable or do not configure this setting, virus security intelligence wil
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Define the number of days before virus security intelligence is considered out of date* - GP Friendly name: *Define the number of days before virus security intelligence is considered out of date*
- GP name: *SignatureUpdate_AVSignatureDue* - GP name: *SignatureUpdate_AVSignatureDue*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* - GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3796,7 +3796,7 @@ If you disable or do not configure this setting, the list will remain empty by d
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Define file shares for downloading security intelligence updates* - GP Friendly name: *Define file shares for downloading security intelligence updates*
- GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources* - GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* - GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3842,7 +3842,7 @@ If you disable this setting, a scan will not start following a security intellig
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn on scan after security intelligence update* - GP Friendly name: *Turn on scan after security intelligence update*
- GP name: *SignatureUpdate_DisableScanOnUpdate* - GP name: *SignatureUpdate_DisableScanOnUpdate*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* - GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3888,7 +3888,7 @@ If you disable this setting, security intelligence updates will be turned off wh
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Allow security intelligence updates when running on battery power* - GP Friendly name: *Allow security intelligence updates when running on battery power*
- GP name: *SignatureUpdate_DisableScheduledSignatureUpdateonBattery* - GP name: *SignatureUpdate_DisableScheduledSignatureUpdateonBattery*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* - GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3934,7 +3934,7 @@ If you disable this setting, security intelligence updates will not be initiated
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Initiate security intelligence update on startup* - GP Friendly name: *Initiate security intelligence update on startup*
- GP name: *SignatureUpdate_DisableUpdateOnStartupWithoutEngine* - GP name: *SignatureUpdate_DisableUpdateOnStartupWithoutEngine*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* - GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -3982,7 +3982,7 @@ If you disable or do not configure this setting, security intelligence update so
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Define the order of sources for downloading security intelligence updates* - GP Friendly name: *Define the order of sources for downloading security intelligence updates*
- GP name: *SignatureUpdate_FallbackOrder* - GP name: *SignatureUpdate_FallbackOrder*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* - GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -4028,7 +4028,7 @@ If you disable or do not configure this setting, security intelligence updates w
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Allow security intelligence updates from Microsoft Update* - GP Friendly name: *Allow security intelligence updates from Microsoft Update*
- GP name: *SignatureUpdate_ForceUpdateFromMU* - GP name: *SignatureUpdate_ForceUpdateFromMU*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* - GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -4074,7 +4074,7 @@ If you disable this setting, real-time security intelligence updates will disabl
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Allow real-time security intelligence updates based on reports to Microsoft MAPS* - GP Friendly name: *Allow real-time security intelligence updates based on reports to Microsoft MAPS*
- GP name: *SignatureUpdate_RealtimeSignatureDelivery* - GP name: *SignatureUpdate_RealtimeSignatureDelivery*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* - GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -4132,7 +4132,7 @@ If you disable or do not configure this setting, the check for security intellig
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Specify the day of the week to check for security intelligence updates* - GP Friendly name: *Specify the day of the week to check for security intelligence updates*
- GP name: *SignatureUpdate_ScheduleDay* - GP name: *SignatureUpdate_ScheduleDay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* - GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -4178,7 +4178,7 @@ If you disable or do not configure this setting, the check for security intelli
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Specify the time to check for security intelligence updates* - GP Friendly name: *Specify the time to check for security intelligence updates*
- GP name: *SignatureUpdate_ScheduleTime* - GP name: *SignatureUpdate_ScheduleTime*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* - GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -4222,7 +4222,7 @@ If you disable or do not configure this setting, security intelligence will be r
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Define security intelligence location for VDI clients.* - GP Friendly name: *Define security intelligence location for VDI clients.*
- GP name: *SignatureUpdate_SharedSignaturesLocation* - GP name: *SignatureUpdate_SharedSignaturesLocation*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* - GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
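Review bot: the friendly name on this hunk's changed line, *Define security intelligence location for VDI clients.*, carries a trailing period inside the italics, unlike every other friendly name in this diff; check it against the ADMX display string and drop the period if it is not part of that string, so the list stays consistent.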
@ -4268,7 +4268,7 @@ If you disable this setting, the antimalware service will not receive notificati
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Allow notifications to disable security intelligence based reports to Microsoft MAPS* - GP Friendly name: *Allow notifications to disable security intelligence based reports to Microsoft MAPS*
- GP name: *SignatureUpdate_SignatureDisableNotification* - GP name: *SignatureUpdate_SignatureDisableNotification*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* - GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -4314,7 +4314,7 @@ If you disable or do not configure this setting, a catch-up security intelligenc
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Define the number of days after which a catch-up security intelligence update is required* - GP Friendly name: *Define the number of days after which a catch-up security intelligence update is required*
- GP name: *SignatureUpdate_SignatureUpdateCatchupInterval* - GP name: *SignatureUpdate_SignatureUpdateCatchupInterval*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* - GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -4360,7 +4360,7 @@ If you disable this setting or do not configure this setting, a check for new se
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Check for the latest virus and spyware security intelligence on startup* - GP Friendly name: *Check for the latest virus and spyware security intelligence on startup*
- GP name: *SignatureUpdate_UpdateOnStartup* - GP name: *SignatureUpdate_UpdateOnStartup*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* - GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -4420,7 +4420,7 @@ In Windows 10, Basic membership is no longer available, so setting the value to
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Join Microsoft MAPS* - GP Friendly name: *Join Microsoft MAPS*
- GP name: *SpynetReporting* - GP name: *SpynetReporting*
- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS* - GP path: *Windows Components\Microsoft Defender Antivirus\MAPS*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -4466,7 +4466,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Configure local setting override for reporting to Microsoft MAPS* - GP Friendly name: *Configure local setting override for reporting to Microsoft MAPS*
- GP name: *Spynet_LocalSettingOverrideSpynetReporting* - GP name: *Spynet_LocalSettingOverrideSpynetReporting*
- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS* - GP path: *Windows Components\Microsoft Defender Antivirus\MAPS*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -4515,7 +4515,7 @@ Valid remediation action values are:
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Specify threats upon which default action should not be taken when detected* - GP Friendly name: *Specify threats upon which default action should not be taken when detected*
- GP name: *Threats_ThreatIdDefaultAction* - GP name: *Threats_ThreatIdDefaultAction*
- GP path: *Windows Components\Microsoft Defender Antivirus\Threats* - GP path: *Windows Components\Microsoft Defender Antivirus\Threats*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -4561,7 +4561,7 @@ If you disable or do not configure this setting, there will be no additional tex
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Display additional text to clients when they need to perform an action* - GP Friendly name: *Display additional text to clients when they need to perform an action*
- GP name: *UX_Configuration_CustomDefaultActionToastString* - GP name: *UX_Configuration_CustomDefaultActionToastString*
- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* - GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -4607,7 +4607,7 @@ If you enable this setting, Microsoft Defender Antivirus notifications will not
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Suppress all notifications* - GP Friendly name: *Suppress all notifications*
- GP name: *UX_Configuration_Notification_Suppress* - GP name: *UX_Configuration_Notification_Suppress*
- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* - GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
@ -4651,7 +4651,7 @@ If you enable this setting AM UI won't show reboot notifications.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Suppresses reboot notifications* - GP Friendly name: *Suppresses reboot notifications*
- GP name: *UX_Configuration_SuppressRebootNotification* - GP name: *UX_Configuration_SuppressRebootNotification*
- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* - GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*
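Review bot: the unchanged context in this hunk's header, "If you enable this setting AM UI won't show reboot notifications.", is missing a comma after "setting" (the same pattern appears in the next hunk's header, "If you enable this setting AM UI won't be available to users."); a small follow-up in these description lines would read better while the file is open for edits.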
@ -4695,7 +4695,7 @@ If you enable this setting AM UI won't be available to users.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Enable headless UI mode* - GP Friendly name: *Enable headless UI mode*
- GP name: *UX_Configuration_UILockdown* - GP name: *UX_Configuration_UILockdown*
- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* - GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface*
- GP ADMX file name: *WindowsDefender.admx* - GP ADMX file name: *WindowsDefender.admx*

View File

@ -93,7 +93,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *ActiveX Control* - GP Friendly name: *ActiveX Control*
- GP name: *MMC_ActiveXControl* - GP name: *MMC_ActiveXControl*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMC.admx* - GP ADMX file name: *MMC.admx*
@ -149,7 +149,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Extended View (Web View)* - GP Friendly name: *Extended View (Web View)*
- GP name: *MMC_ExtendView* - GP name: *MMC_ExtendView*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMC.admx* - GP ADMX file name: *MMC.admx*
@ -205,7 +205,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Link to Web Address* - GP Friendly name: *Link to Web Address*
- GP name: *MMC_LinkToWeb* - GP name: *MMC_LinkToWeb*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMC.admx* - GP ADMX file name: *MMC.admx*
@ -255,7 +255,7 @@ If you disable this setting or do not configure it, users can enter author mode
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Restrict the user from entering author mode* - GP Friendly name: *Restrict the user from entering author mode*
- GP name: *MMC_Restrict_Author* - GP name: *MMC_Restrict_Author*
- GP path: *Windows Components\Microsoft Management Console* - GP path: *Windows Components\Microsoft Management Console*
- GP ADMX file name: *MMC.admx* - GP ADMX file name: *MMC.admx*
@ -310,7 +310,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Restrict users to the explicitly permitted list of snap-ins* - GP Friendly name: *Restrict users to the explicitly permitted list of snap-ins*
- GP name: *MMC_Restrict_To_Permitted_Snapins* - GP name: *MMC_Restrict_To_Permitted_Snapins*
- GP path: *Windows Components\Microsoft Management Console* - GP path: *Windows Components\Microsoft Management Console*
- GP ADMX file name: *MMC.admx* - GP ADMX file name: *MMC.admx*

View File

@ -4774,7 +4774,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Security Settings* - GP Friendly name: *Security Settings*
- GP name: *MMC_SecuritySettings_1* - GP name: *MMC_SecuritySettings_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -4828,7 +4828,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Security Settings* - GP Friendly name: *Security Settings*
- GP name: *MMC_SecuritySettings_2* - GP name: *MMC_SecuritySettings_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -4882,7 +4882,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Security Templates* - GP Friendly name: *Security Templates*
- GP name: *MMC_SecurityTemplates* - GP name: *MMC_SecurityTemplates*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -4936,7 +4936,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Send Console Message* - GP Friendly name: *Send Console Message*
- GP name: *MMC_SendConsoleMessage* - GP name: *MMC_SendConsoleMessage*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -4990,7 +4990,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Server Manager* - GP Friendly name: *Server Manager*
- GP name: *MMC_ServerManager* - GP name: *MMC_ServerManager*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -5044,7 +5044,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Service Dependencies* - GP Friendly name: *Service Dependencies*
- GP name: *MMC_ServiceDependencies* - GP name: *MMC_ServiceDependencies*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -5098,7 +5098,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Services* - GP Friendly name: *Services*
- GP name: *MMC_Services* - GP name: *MMC_Services*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -5152,7 +5152,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Shared Folders* - GP Friendly name: *Shared Folders*
- GP name: *MMC_SharedFolders* - GP name: *MMC_SharedFolders*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -5206,7 +5206,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Shared Folders Ext* - GP Friendly name: *Shared Folders Ext*
- GP name: *MMC_SharedFolders_Ext* - GP name: *MMC_SharedFolders_Ext*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -5260,7 +5260,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Software Installation (Computers)* - GP Friendly name: *Software Installation (Computers)*
- GP name: *MMC_SoftwareInstalationComputers_1* - GP name: *MMC_SoftwareInstalationComputers_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
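Review bot: the GP name on this hunk's unchanged line, *MMC_SoftwareInstalationComputers_1*, spells "Instalation" with one l, while the later *MMC_SoftwareInstallationUsers_1* hunk uses the standard spelling; because the GP name has to match the policy id in MMCSnapins.admx exactly, verify it against the ADMX file before anyone "corrects" it (the same spelling appears in the following *MMC_SoftwareInstalationComputers_2* hunk).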
@ -5314,7 +5314,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Software Installation (Computers)* - GP Friendly name: *Software Installation (Computers)*
- GP name: *MMC_SoftwareInstalationComputers_2* - GP name: *MMC_SoftwareInstalationComputers_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -5368,7 +5368,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Software Installation (Users)* - GP Friendly name: *Software Installation (Users)*
- GP name: *MMC_SoftwareInstallationUsers_1* - GP name: *MMC_SoftwareInstallationUsers_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -5422,7 +5422,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Software Installation (Users)* - GP Friendly name: *Software Installation (Users)*
- GP name: *MMC_SoftwareInstallationUsers_2* - GP name: *MMC_SoftwareInstallationUsers_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -5476,7 +5476,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *System Information* - GP Friendly name: *System Information*
- GP name: *MMC_SysInfo* - GP name: *MMC_SysInfo*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -5530,7 +5530,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *System Properties* - GP Friendly name: *System Properties*
- GP name: *MMC_SysProp* - GP name: *MMC_SysProp*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -5584,7 +5584,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *TPM Management* - GP Friendly name: *TPM Management*
- GP name: *MMC_TPMManagement* - GP name: *MMC_TPMManagement*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -5638,7 +5638,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Telephony* - GP Friendly name: *Telephony*
- GP name: *MMC_Telephony* - GP name: *MMC_Telephony*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -5692,7 +5692,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Remote Desktop Services Configuration* - GP Friendly name: *Remote Desktop Services Configuration*
- GP name: *MMC_TerminalServices* - GP name: *MMC_TerminalServices*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -5746,7 +5746,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *WMI Control* - GP Friendly name: *WMI Control*
- GP name: *MMC_WMI* - GP name: *MMC_WMI*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -5800,7 +5800,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Windows Firewall with Advanced Security* - GP Friendly name: *Windows Firewall with Advanced Security*
- GP name: *MMC_WindowsFirewall* - GP name: *MMC_WindowsFirewall*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -5854,7 +5854,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Windows Firewall with Advanced Security* - GP Friendly name: *Windows Firewall with Advanced Security*
- GP name: *MMC_WindowsFirewall_GP* - GP name: *MMC_WindowsFirewall_GP*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -5908,7 +5908,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Wired Network (IEEE 802.3) Policies* - GP Friendly name: *Wired Network (IEEE 802.3) Policies*
- GP name: *MMC_WiredNetworkPolicy* - GP name: *MMC_WiredNetworkPolicy*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -5962,7 +5962,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Wireless Monitor* - GP Friendly name: *Wireless Monitor*
- GP name: *MMC_WirelessMon* - GP name: *MMC_WirelessMon*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*
@ -6016,7 +6016,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Wireless Network (IEEE 802.11) Policies* - GP Friendly name: *Wireless Network (IEEE 802.11) Policies*
- GP name: *MMC_WirelessNetworkPolicy* - GP name: *MMC_WirelessNetworkPolicy*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* - GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx* - GP ADMX file name: *MMCSnapins.admx*

View File

@ -1115,5 +1115,5 @@ ADMX Info:
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
p<!--/Policies--> <!--/Policies-->

File diff suppressed because it is too large Load Diff

View File

@ -20,6 +20,9 @@ manager: dansimp
## ApplicationManagement policies ## ApplicationManagement policies
<dl> <dl>
<dd>
<a href="#applicationmanagement-allowautomaticapparchiving">ApplicationManagement/AllowAutomaticAppArchiving</a>
</dd>
<dd> <dd>
<a href="#applicationmanagement-allowalltrustedapps">ApplicationManagement/AllowAllTrustedApps</a> <a href="#applicationmanagement-allowalltrustedapps">ApplicationManagement/AllowAllTrustedApps</a>
</dd> </dd>
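Review bot: the new index entry for ApplicationManagement/AllowAutomaticAppArchiving is inserted ahead of `ApplicationManagement/AllowAllTrustedApps`, which breaks the alphabetical order the `<dl>` index on this page otherwise keeps (AllowAll… sorts before AllowAutomatic…). Move the `<dd>` so it follows the AllowAllTrustedApps entry, and place the policy section itself in the same position so index and body stay aligned.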
@ -65,6 +68,62 @@ manager: dansimp
</dl> </dl>
<hr/>
<!--Policy-->
<a href="" id="applicationmanagement-allowautomaticapparchiving"></a>**ApplicationManagement/AllowAutomaticAppArchiving**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether the system can archive infrequently used apps.
- If you enable this policy setting, then the system will periodically check for and archive infrequently used apps.
- If you disable this policy setting, then the system will not archive any apps.
If you do not configure this policy setting (default), then the system will follow default behavior, which is to periodically check for and archive infrequently used apps, and the user will be able to configure this setting themselves.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Allow all trusted apps to install*
- GP name: *AllowAutomaticAppArchiving*
- GP path: *Windows Components/App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - Explicit disable.
- 1 - Explicit enable.
- 65535 (default) - Not configured.
<!--/SupportedValues-->
<!--/Policy-->
<hr/> <hr/>
<!--Policy--> <!--Policy-->
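Review bot: the ADMX Info block for AllowAutomaticAppArchiving carries the wrong friendly name. `- GP Friendly name: *Allow all trusted apps to install*` is the display string of the sideloading policy (AllowAllTrustedApps), not of app archiving, and anyone mapping this CSP node back to the Group Policy editor will land on the wrong setting; replace it with the display name that AppxPackageManager.admx gives the `AllowAutomaticAppArchiving` policy. Two smaller points: the section is inserted before AllowAllTrustedApps, so the body no longer follows the page's alphabetical order, and the ADMX marker is `<!--ADMXMapped-->` while the scope checklist lists both Device and User; confirm that the User scope really applies, since the other ADMX-mapped entries added in this commit are Device-only.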

View File

@ -183,7 +183,7 @@ If you do not configure this policy setting, Windows does not call the registere
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Notify antivirus programs when opening attachments* - GP Friendly name: *Notify antivirus programs when opening attachments*
- GP name: *AM_CallIOfficeAntiVirus* - GP name: *AM_CallIOfficeAntiVirus*
- GP path: *Windows Components/Attachment Manager* - GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx* - GP ADMX file name: *AttachmentManager.admx*

View File

@ -39,6 +39,9 @@ manager: dansimp
<dd> <dd>
<a href="#authentication-configurewebsigninallowedurls">Authentication/ConfigureWebSignInAllowedUrls</a> <a href="#authentication-configurewebsigninallowedurls">Authentication/ConfigureWebSignInAllowedUrls</a>
</dd> </dd>
<dd>
<a href="#authentication-configurewebcamaccessdomainnames">Authentication/ConfigureWebcamAccessDomainNames</a>
</dd>
<dd> <dd>
<a href="#authentication-enablefastfirstsignin">Authentication/EnableFastFirstSignIn</a> <a href="#authentication-enablefastfirstsignin">Authentication/EnableFastFirstSignIn</a>
</dd> </dd>
@ -307,6 +310,55 @@ Specifies the list of domains that are allowed to be navigated to in AAD PIN res
**Example**: If your organization's PIN reset or Web Sign-in authentication flow is expected to navigate to two domains, accounts.contoso.com and signin.contoso.com, the policy value should be "accounts.contoso.com;signin.contoso.com". **Example**: If your organization's PIN reset or Web Sign-in authentication flow is expected to navigate to two domains, accounts.contoso.com and signin.contoso.com, the policy value should be "accounts.contoso.com;signin.contoso.com".
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="authentication-configurewebcamaccessdomainnames"></a>**Authentication/ConfigureWebcamAccessDomainNames**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Specifies the list of domain names that are allowed to access the webcam in Web Sign-in Windows device sign-in scenarios.
Web Sign-in is only supported on Azure AD Joined PCs.
**Example**: If your organization federates to "Contoso IDP" and your Web Sign-in portal at "signinportal.contoso.com" requires webcam access, the policy value should be "contoso.com".
<!--/Description--> <!--/Description-->
<!--SupportedValues--> <!--SupportedValues-->
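Review bot: the description of Authentication/ConfigureWebcamAccessDomainNames never states the value format or the matching rule, and the example grants more than it needs. The preceding ConfigureWebSignInAllowedUrls entry shows a semicolon-separated list; this one says only "list of domain names", so say whether the separator is the same and whether entries are matched exactly or as suffixes. The example `**Example**: ... your Web Sign-in portal at "signinportal.contoso.com" requires webcam access, the policy value should be "contoso.com".` implies suffix matching, which means every host under contoso.com, not just the sign-in portal, can reach the webcam from the lock screen; if exact host names are accepted, the example should use `signinportal.contoso.com` and recommend the narrowest value that works. Also check the sections that follow this hunk: the empty `<!--SupportedValues-->`, `<!--Example-->` and `<!--Validation-->` blocks added above were given to ConfigureWebSignInAllowedUrls, so whatever trailed the old `<!--SupportedValues-->` line is now attached to the webcam policy and must describe it.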

View File

@ -15,7 +15,8 @@ ms.localizationpriority: medium
# Policy CSP - Browser # Policy CSP - Browser
> [!NOTE] > [!NOTE]
> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). > These settings are for the previous version of Microsoft Edge (version 45 and earlier) and are deprecated. These settings will be removed in a future Windows release. Microsoft recommends updating your version of Microsoft Edge to version 77 or later and use the ADMX Ingestion function for management. Learn more about how to [Configure Microsoft Edge using Mobile Device Management](/deployedge/configure-edge-with-mdm).
<!--Policies--> <!--Policies-->
## Browser policies ## Browser policies
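Review bot: the replacement note has a grammatical slip: "Microsoft recommends updating your version of Microsoft Edge to version 77 or later and use the ADMX Ingestion function for management" should read "and using ADMX ingestion". While here, name the ingestion path explicitly (the Policy CSP's `ConfigOperations/ADMXInstall` node is what the linked article describes) so readers of this deprecated page know which node replaces these settings.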

View File

@ -28,6 +28,9 @@ manager: dansimp
<dd> <dd>
<a href="#devicelock-allowsimpledevicepassword">DeviceLock/AllowSimpleDevicePassword</a> <a href="#devicelock-allowsimpledevicepassword">DeviceLock/AllowSimpleDevicePassword</a>
</dd> </dd>
<dd>
<a href="#devicelock-allowscreentimeoutwhilelockeduserconfig">DeviceLock/AllowScreenTimeoutWhileLockedUserConfig</a>
</dd>
<dd> <dd>
<a href="#devicelock-alphanumericdevicepasswordrequired">DeviceLock/AlphanumericDevicePasswordRequired</a> <a href="#devicelock-alphanumericdevicepasswordrequired">DeviceLock/AlphanumericDevicePasswordRequired</a>
</dd> </dd>
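Review bot: the new `<dd>` for DeviceLock/AllowScreenTimeoutWhileLockedUserConfig is placed after `DeviceLock/AllowSimpleDevicePassword`, but AllowSc… sorts before AllowSi…; move the entry (and the policy section that this commit inserts in the same spot) ahead of AllowSimpleDevicePassword so the index keeps its alphabetical order.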
@ -149,9 +152,49 @@ Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For th
> This policy must be wrapped in an Atomic command. > This policy must be wrapped in an Atomic command.
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) Blocked
- 1 Allowed
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="devicelock-allowscreentimeoutwhilelockeduserconfig"></a>**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description--> <!--/Description-->
<!--SupportedValues--> <!--SupportedValues-->
The following list shows the supported values: The following list shows the supported values:
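Review bot: DeviceLock/AllowScreenTimeoutWhileLockedUserConfig is added with an empty Description: nothing sits between `<!--Description-->` and `<!--/Description-->`, so the page says neither what the policy controls nor what the two values do. The name suggests it governs whether a user may change the screen-timeout setting while the device is locked, but that needs to be stated, along with which value is the default. Note also that the supported-values lines that now follow this policy were originally AllowSimpleDevicePassword's (that policy received its own copy, `- 0 (default) Blocked` / `- 1 Allowed`, earlier in this hunk); verify the inherited list is correct for a screen-timeout policy rather than a password policy.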
@ -537,7 +580,7 @@ For additional information about this policy, see [Exchange ActiveSync Policy En
The following list shows the supported values: The following list shows the supported values:
- An integer X where 0 &lt;= X &lt;= 999. - An integer X where 0 &lt;= X &lt;= 999.
- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined." - 0 (default) - No timeout is defined.
<!--/SupportedValues--> <!--/SupportedValues-->
<!--/Policy--> <!--/Policy-->

View File

@ -0,0 +1,83 @@
---
title: Policy CSP - EAP
description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
# Policy CSP - EAP
<hr/>
<!--Policies-->
## EAP policies
<dl>
<dd>
<a href="#eap-allowtls1_3">EAP/AllowTLS1_3</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="eap-allowtls1_3"></a>**EAP/AllowTLS1_3**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting is added in Windows 10, version 21H1. Allow or disallow use of TLS 1.3 during EAP client authentication.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *AllowTLS1_3*
- GP name: *AllowTLS1_3*
- GP path: *Windows Components/EAP*
- GP ADMX file name: *EAP.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 Use of TLS version 1.3 is not allowed for authentication.
- 1 (default) Use of TLS version 1.3 is allowed for authentication.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--/Policies-->
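Review bot: the front matter of the new EAP page is copy-pasted from another CSP: `description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app.` has nothing to do with EAP, and `ms.date: 09/27/2019` predates Windows 10 21H1, in which the description says the policy was added. Fix both. In the ADMX Info block, `- GP Friendly name: *AllowTLS1_3*` repeats the internal name; the friendly names elsewhere on these pages are display strings, so take the real one from EAP.admx. Finally, the description should say why anyone would set 0: it is a downgrade switch for interoperability with an authentication server that cannot complete EAP over TLS 1.3, and should not be left at 0 once that server is fixed; as written, the values read as equally valid choices.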

View File

@ -40,9 +40,15 @@ manager: dansimp
<dd> <dd>
<a href="#experience-allowsaveasofofficefiles">Experience/AllowSaveAsOfOfficeFiles</a> <a href="#experience-allowsaveasofofficefiles">Experience/AllowSaveAsOfOfficeFiles</a>
</dd> </dd>
<dd>
<a href="#experience-allowscreencapture">Experience/AllowScreenCapture</a>
</dd>
<dd> <dd>
<a href="#experience-allowsharingofofficefiles">Experience/AllowSharingOfOfficeFiles</a> <a href="#experience-allowsharingofofficefiles">Experience/AllowSharingOfOfficeFiles</a>
</dd> </dd>
<dd>
<a href="#experience-allowsimerrordialogpromptwhennosim">Experience/AllowSIMErrorDialogPromptWhenNoSIM</a>
</dd>
<dd> <dd>
<a href="#experience-allowsyncmysettings">Experience/AllowSyncMySettings</a> <a href="#experience-allowsyncmysettings">Experience/AllowSyncMySettings</a>
</dd> </dd>
@ -362,6 +368,43 @@ This policy is deprecated.
<hr/> <hr/>
<!--Policy-->
<a href="" id="experience-allowscreencapture"></a>**Experience/AllowScreenCapture**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--SupportedValues-->
Describe what value are supported in by this policy and meaning of each value is default value.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy--> <!--Policy-->
<a href="" id="experience-allowsharingofofficefiles"></a>**Experience/AllowSharingOfOfficeFiles** <a href="" id="experience-allowsharingofofficefiles"></a>**Experience/AllowSharingOfOfficeFiles**
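Review bot: Experience/AllowScreenCapture is added with template text still in place. `Describe what value are supported in by this policy and meaning of each value is default value.` is the authoring placeholder, not documentation, and the Description block above it is empty. Before merge, fill in what the policy controls, the supported values, which one is the default, and what "screen capture" covers, since an administrator reading a blank entry for a data-protection control cannot tell whether 0 blocks anything at all.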
@ -371,6 +414,40 @@ This policy is deprecated.
<!--/Description--> <!--/Description-->
<!--/Policy--> <!--/Policy-->
<!--Policy-->
<a href="" id="experience-allowsimerrordialogpromptwhennosim"></a>**Experience/AllowSIMErrorDialogPromptWhenNoSIM**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--SupportedValues-->
Describes what value are supported in by this policy and meaning of each value is default value.
<!--/SupportedValues-->
<!--/Policy-->
<hr/> <hr/>
<!--Policy--> <!--Policy-->
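Review bot: Experience/AllowSIMErrorDialogPromptWhenNoSIM has the same problems as the AllowScreenCapture section: an empty Description and the placeholder `Describes what value are supported in by this policy and meaning of each value is default value.` left in the SupportedValues block. Fill both in. There is also a missing separator: the new `<!--Policy-->` directly follows the previous section's `<!--/Policy-->`, whereas every other section on the page is preceded by `<hr/>`; add one so the rendered page keeps its rule between policies.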

View File

@ -0,0 +1,190 @@
---
title: Policy CSP - HumanPresence
description: Use the Policy CSP - HumanPresence setting allows wake on approach and lock on leave that can be managed from MDM.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
# Policy CSP - HumanPresence
<hr/>
<!--Policies-->
## HumanPresence policies
<dl>
<dd>
<a href="#humanpresence-forceinstantlock">HumanPresence/ForceInstantLock</a>
</dd>
<dd>
<a href="#humanpresence-forceinstantwake">HumanPresence/ForceInstantWake</a>
</dd>
<dd>
<a href="#humanpresence-forcelocktimeout">HumanPresence/ForceLockTimeout</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="humanpresence-forceinstantlock"></a>**HumanPresence/ForceInstantLock**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy specifies whether the device can lock when a human presence sensor detects a human.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM*
- GP name: *ForceInstantLock*
- GP path: *Windows Components/HumanPresence*
- GP ADMX file name: *HumanPresence.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 2 = ForcedOff
- 1 = ForcedOn
- 0 = DefaultToUserChoice
- Defaults to 0.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="humanpresence-forceinstantwake"></a>**HumanPresence/ForceInstantWake**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy specifies whether the device can lock when a human presence sensor detects a human.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM*
- GP name: *ForceInstantWake*
- GP path: *Windows Components/HumanPresence*
- GP ADMX file name: *HumanPresence.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 2 = ForcedOff
- 1 = ForcedOn
- 0 = DefaultToUserChoice
- Defaults to 0.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="humanpresence-forcelocktimeout"></a>**HumanPresence/ForceLockTimeout**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy specifies at what distance the sensor wakes up when it sees a human in seconds.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM*
- GP name: *ForceLockTimeout*
- GP path: *Windows Components/HumanPresence*
- GP ADMX file name: *HumanPresence.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Integer value that specifies whether the device can lock when a human presence sensor detects a human.
The following list shows the supported values:
- 120 = 120 seconds
- 30 = 30 seconds
- 10 = 10 seconds
- 0 = DefaultToUserChoice
- Defaults to 0
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--/Policies-->
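Review bot: the descriptions in the new HumanPresence page do not match the policy names. ForceInstantWake reuses ForceInstantLock's sentence, `This policy specifies whether the device can lock when a human presence sensor detects a human.`, and that sentence is itself inverted: lock-on-leave locks when the sensor stops detecting a person, and wake-on-approach wakes when it starts detecting one; write each accordingly. ForceLockTimeout is described as `at what distance the sensor wakes up when it sees a human in seconds`, which mixes distance with time and contradicts its own value list (10, 30, 120 seconds) and the SupportedValues sentence that again talks about "whether the device can lock"; it should read as the number of seconds the sensor must not detect a person before the device locks, with 0 leaving the choice to the user. All three ADMX blocks share the same friendly name, `Implements wake on approach and lock on leave that can be managed from MDM`, which is a category description, not a per-policy display string; take the real names from HumanPresence.admx. Worth a sentence as well: for ForceInstantLock, 2 (ForcedOff) switches off a lock-on-leave protection, so the page should say that explicitly rather than listing it as a neutral value. Minor: `ms.date: 09/27/2019` for a Windows 11-only feature.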

View File

@ -0,0 +1,86 @@
---
title: Policy CSP - NewsAndInterests
description: Learn how Policy CSP - NewsandInterests contains a list of news and interests.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
# Policy CSP - NewsAndInterests
<hr/>
<!--Policies-->
## NewsAndInterests policies
<dl>
<dd>
<a href="#newsandinterests-allownewsandinterests">NewsAndInterests/AllowNewsAndInterests</a>
</dd>
<hr/>
<!--Policy-->
<a href="" id="newsandinterests-allownewsandinterests"></a>**NewsAndInterests/AllowNewsAndInterests**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy specifies whether to allow the entire widgets experience, including the content on taskbar.
<!--/Description-->
<!--SupportedValues-->
The following are the supported values:
- 1 - Default - Allowed
- 0 - Not allowed.
<!--/SupportedValues-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Specifies whether to allow the entire widgets experience, including the content on taskbar*.
- GP name: *AllowNewsAndInterests*
- GP path: *Network/NewsandInterests*
- GP ADMX file name: *NewsandInterests.admx*
<!--/ADMXMapped-->
<!--/Policy-->
<hr/>
<!--/Policies-->
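Review bot: the policy index `<dl>` in the new NewsAndInterests page is never closed; after the single `</dd>` the file goes straight to `<hr/>`, whereas every other Policy CSP page closes with `</dl>` first. Add it. In the ADMX Info block, `- GP Friendly name: *Specifies whether to allow the entire widgets experience, including the content on taskbar*.` is the description sentence, not a display name (and the stray period sits outside the asterisks), and `- GP path: *Network/NewsandInterests*` does not look like the Windows Components path the other entries use; verify both against NewsandInterests.admx. The front-matter description, "contains a list of news and interests", should also say what the page documents: a single policy that allows or blocks the widgets experience, which is what the body describes.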

View File

@ -265,7 +265,7 @@ This policy setting determines which Windows Notification Service endpoint will
If you disable or do not configure this setting, the push notifications will connect to the default endpoint of client.wns.windows.com. If you disable or do not configure this setting, the push notifications will connect to the default endpoint of client.wns.windows.com.
Note: Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also whitelisted from your firewall settings. Note: Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also allowlisted from your firewall settings.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
@ -284,4 +284,4 @@ If the policy is not specified, we will default our connection to client.wns.win
<hr/> <hr/>
<!--/Policies--> <!--/Policies-->

View File

@ -14,14 +14,16 @@ manager: dansimp
# Policy CSP - Power # Policy CSP - Power
<hr/> <hr/>
<!--Policies--> <!--Policies-->
## Power policies ## Power policies
<dl> <dl>
<dd>
<a href="#power-allowhibernate">Power/AllowHibernate</a>
</dd>
<dd> <dd>
<a href="#power-allowstandbystateswhensleepingonbattery">Power/AllowStandbyStatesWhenSleepingOnBattery</a> <a href="#power-allowstandbystateswhensleepingonbattery">Power/AllowStandbyStatesWhenSleepingOnBattery</a>
</dd> </dd>
@ -98,6 +100,71 @@ manager: dansimp
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!--Policy-->
<a href="" id="power-allowhibernate"></a>**Power/AllowHibernate**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>No</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>No</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Decides if hibernate on the machine is allowed or not*
- GP name: *AllowHibernate*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/> <hr/>
<!--Policy--> <!--Policy-->
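Review bot: Power/AllowHibernate is added with an empty Description and no SupportedValues section, so the page does not say what enabling or disabling does or which value is the default. That matters here more than for most power settings: hibernation writes memory contents to hiberfil.sys, so whether it is allowed is part of a device's disk-encryption and memory-resident-secret posture, and an administrator needs to know which value turns it off. `- GP Friendly name: *Decides if hibernate on the machine is allowed or not*` is a sentence rather than the ADMX display string; take it from power.admx. Also, this section uses an HTML `<table>` for the SKU matrix while every other section added in this commit uses the pipe-table form; switch to the markdown table for consistency.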

View File

@ -0,0 +1,135 @@
---
title: Policy CSP - RemoteDesktop
description: Learn how the Policy CSP - RemoteDesktop setting allows you to specify a custom message to display.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
# Policy CSP - RemoteDesktop
<hr/>
<!--Policies-->
## RemoteDesktop policies
<dl>
<dd>
<a href="#remotedesktop-autosubscription">RemoteDesktop/AutoSubscription</a>
</dd>
<dd>
<a href="#remotedesktop-loadaadcredkeyfromprofile">RemoteDesktop/LoadAadCredKeyFromProfile</a>
</dd>
</dl>
> [!TIP]
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!--Policy-->
<a href="" id="remotedesktop-autosubscription"></a>**RemoteDesktop/AutoSubscription<**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows the user to load the DPAPI cred key from their user profile and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Customize warning messages*
- GP name: *AutoSubscription*
- GP path: *System/Remote Desktop*
- GP ADMX file name: *remotedesktop.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="remotedesktop-loadaadcredkeyfromprofile"></a>**RemoteDesktop/LoadAadCredKeyFromProfile**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows the user to load the DPAPI cred key from their user profile and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) - Disabled.
- 1 - Enabled.
<!--/SupportedValues-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Allow DPAPI cred keys to be loaded from user profiles during logon for AADJ accounts*
- GP name: *LoadAadCredKeyFromProfile*
- GP path: *System/RemoteDesktop*
- GP ADMX file name: *remotedesktop.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->
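Review bot: the AutoSubscription entry in the new RemoteDesktop page is wrong in three places. The heading `**RemoteDesktop/AutoSubscription<**` has a stray `<`; its description is a verbatim copy of LoadAadCredKeyFromProfile's (`This policy allows the user to load the DPAPI cred key from their user profile ...`), which cannot be what an auto-subscription setting does; and `- GP Friendly name: *Customize warning messages*` matches neither policy. The entry also has no SupportedValues block. The two GP paths are spelled differently (`*System/Remote Desktop*` versus `*System/RemoteDesktop*`); pick the one in remotedesktop.admx. For LoadAadCredKeyFromProfile, the description should say when 1 is needed and what it changes for the user's DPAPI-protected data, since loading the credential key from the profile during logon is a credential-handling choice, not just a convenience. Minor: the front-matter description ("allows you to specify a custom message to display") matches nothing on the page, and `ms.date: 09/27/2019` is stale for a file created in this commit.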

View File

@ -93,7 +93,7 @@ You can limit the number of users who can connect simultaneously by configuring
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Allow users to connect remotely by using Remote Desktop Services* - GP Friendly name: *Allow users to connect remotely by using Remote Desktop Services*
- GP name: *TS_DISABLE_CONNECTIONS* - GP name: *TS_DISABLE_CONNECTIONS*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections* - GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections*
- GP ADMX file name: *terminalserver.admx* - GP ADMX file name: *terminalserver.admx*
@ -149,7 +149,7 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Set client connection encryption level* - GP Friendly name: *Set client connection encryption level*
- GP name: *TS_ENCRYPTION_POLICY* - GP name: *TS_ENCRYPTION_POLICY*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* - GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx* - GP ADMX file name: *terminalserver.admx*
@ -199,7 +199,7 @@ If you do not configure this policy setting, client drive redirection and Clipbo
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Do not allow drive redirection* - GP Friendly name: *Do not allow drive redirection*
- GP name: *TS_CLIENT_DRIVE_M* - GP name: *TS_CLIENT_DRIVE_M*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection* - GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection*
- GP ADMX file name: *terminalserver.admx* - GP ADMX file name: *terminalserver.admx*
@ -245,7 +245,7 @@ If you disable this setting or leave it not configured, the user will be able to
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Do not allow passwords to be saved* - GP Friendly name: *Do not allow passwords to be saved*
- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2* - GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client* - GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client*
- GP ADMX file name: *terminalserver.admx* - GP ADMX file name: *terminalserver.admx*
@ -297,7 +297,7 @@ If you do not configure this policy setting, automatic logon is not specified at
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Always prompt for password upon connection* - GP Friendly name: *Always prompt for password upon connection*
- GP name: *TS_PASSWORD* - GP name: *TS_PASSWORD*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* - GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx* - GP ADMX file name: *terminalserver.admx*
@ -349,7 +349,7 @@ Note: The RPC interface is used for administering and configuring Remote Desktop
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Require secure RPC communication* - GP Friendly name: *Require secure RPC communication*
- GP name: *TS_RPC_ENCRYPTION* - GP name: *TS_RPC_ENCRYPTION*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* - GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx* - GP ADMX file name: *terminalserver.admx*

View File

@ -114,7 +114,7 @@ If you disable or do not configure this policy setting, the WinRM client does no
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Allow Basic authentication* - GP Friendly name: *Allow Basic authentication*
- GP name: *AllowBasic_2* - GP name: *AllowBasic_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx* - GP ADMX file name: *WindowsRemoteManagement.admx*
@ -160,7 +160,7 @@ If you disable or do not configure this policy setting, the WinRM service does n
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Allow Basic authentication* - GP Friendly name: *Allow Basic authentication*
- GP name: *AllowBasic_1* - GP name: *AllowBasic_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx* - GP ADMX file name: *WindowsRemoteManagement.admx*
@ -206,7 +206,7 @@ If you disable or do not configure this policy setting, the WinRM client does no
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Allow CredSSP authentication* - GP Friendly name: *Allow CredSSP authentication*
- GP name: *AllowCredSSP_2* - GP name: *AllowCredSSP_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx* - GP ADMX file name: *WindowsRemoteManagement.admx*
@ -252,7 +252,7 @@ If you disable or do not configure this policy setting, the WinRM service does n
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Allow CredSSP authentication* - GP Friendly name: *Allow CredSSP authentication*
- GP name: *AllowCredSSP_1* - GP name: *AllowCredSSP_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx* - GP ADMX file name: *WindowsRemoteManagement.admx*
@ -311,7 +311,7 @@ Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FE
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Allow remote server management through WinRM* - GP Friendly name: *Allow remote server management through WinRM*
- GP name: *AllowAutoConfig* - GP name: *AllowAutoConfig*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx* - GP ADMX file name: *WindowsRemoteManagement.admx*
@ -357,7 +357,7 @@ If you disable or do not configure this policy setting, the WinRM client sends o
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Allow unencrypted traffic* - GP Friendly name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_2* - GP name: *AllowUnencrypted_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx* - GP ADMX file name: *WindowsRemoteManagement.admx*
@ -403,7 +403,7 @@ If you disable or do not configure this policy setting, the WinRM client sends o
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Allow unencrypted traffic* - GP Friendly name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_1* - GP name: *AllowUnencrypted_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx* - GP ADMX file name: *WindowsRemoteManagement.admx*
@ -449,7 +449,7 @@ If you disable or do not configure this policy setting, the WinRM client uses Di
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Disallow Digest authentication* - GP Friendly name: *Disallow Digest authentication*
- GP name: *DisallowDigest* - GP name: *DisallowDigest*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx* - GP ADMX file name: *WindowsRemoteManagement.admx*
@ -495,7 +495,7 @@ If you disable or do not configure this policy setting, the WinRM client uses Ne
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Disallow Negotiate authentication* - GP Friendly name: *Disallow Negotiate authentication*
- GP name: *DisallowNegotiate_2* - GP name: *DisallowNegotiate_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx* - GP ADMX file name: *WindowsRemoteManagement.admx*
@ -541,7 +541,7 @@ If you disable or do not configure this policy setting, the WinRM service accept
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Disallow Negotiate authentication* - GP Friendly name: *Disallow Negotiate authentication*
- GP name: *DisallowNegotiate_1* - GP name: *DisallowNegotiate_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx* - GP ADMX file name: *WindowsRemoteManagement.admx*
@ -589,7 +589,7 @@ If you enable and then disable this policy setting,any values that were previous
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Disallow WinRM from storing RunAs credentials* - GP Friendly name: *Disallow WinRM from storing RunAs credentials*
- GP name: *DisableRunAs* - GP name: *DisableRunAs*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx* - GP ADMX file name: *WindowsRemoteManagement.admx*
@ -641,7 +641,7 @@ If HardeningLevel is set to None, all requests are accepted (though they are not
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Specify channel binding token hardening level* - GP Friendly name: *Specify channel binding token hardening level*
- GP name: *CBTHardeningLevel_1* - GP name: *CBTHardeningLevel_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx* - GP ADMX file name: *WindowsRemoteManagement.admx*
@ -687,7 +687,7 @@ If you disable or do not configure this policy setting and the WinRM client need
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Trusted Hosts* - GP Friendly name: *Trusted Hosts*
- GP name: *TrustedHosts* - GP name: *TrustedHosts*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx* - GP ADMX file name: *WindowsRemoteManagement.admx*
@ -737,7 +737,7 @@ A listener might be automatically created on port 80 to ensure backward compatib
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn On Compatibility HTTP Listener* - GP Friendly name: *Turn On Compatibility HTTP Listener*
- GP name: *HttpCompatibilityListener* - GP name: *HttpCompatibilityListener*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx* - GP ADMX file name: *WindowsRemoteManagement.admx*
@ -787,7 +787,7 @@ A listener might be automatically created on port 443 to ensure backward compati
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Turn On Compatibility HTTPS Listener* - GP Friendly name: *Turn On Compatibility HTTPS Listener*
- GP name: *HttpsCompatibilityListener* - GP name: *HttpsCompatibilityListener*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx* - GP ADMX file name: *WindowsRemoteManagement.admx*

View File

@ -78,7 +78,7 @@ Note: This policy will not be applied until the system is rebooted.
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Enable RPC Endpoint Mapper Client Authentication* - GP Friendly name: *Enable RPC Endpoint Mapper Client Authentication*
- GP name: *RpcEnableAuthEpResolution* - GP name: *RpcEnableAuthEpResolution*
- GP path: *System/Remote Procedure Call* - GP path: *System/Remote Procedure Call*
- GP ADMX file name: *rpc.admx* - GP ADMX file name: *rpc.admx*
@ -137,7 +137,7 @@ If you enable this policy setting, it directs the RPC server runtime to restrict
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Restrict Unauthenticated RPC clients* - GP Friendly name: *Restrict Unauthenticated RPC clients*
- GP name: *RpcRestrictRemoteClients* - GP name: *RpcRestrictRemoteClients*
- GP path: *System/Remote Procedure Call* - GP path: *System/Remote Procedure Call*
- GP ADMX file name: *rpc.admx* - GP ADMX file name: *rpc.admx*

View File

@ -89,7 +89,7 @@ If you set this policy to disabled, new remote shell connections are rejec
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Allow Remote Shell Access* - GP Friendly name: *Allow Remote Shell Access*
- GP name: *AllowRemoteShellAccess* - GP name: *AllowRemoteShellAccess*
- GP path: *Windows Components/Windows Remote Shell* - GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx* - GP ADMX file name: *WindowsRemoteShell.admx*
@ -137,7 +137,7 @@ If you disable or do not configure this policy setting, the default number is fi
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *MaxConcurrentUsers* - GP Friendly name: *MaxConcurrentUsers*
- GP name: *MaxConcurrentUsers* - GP name: *MaxConcurrentUsers*
- GP path: *Windows Components/Windows Remote Shell* - GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx* - GP ADMX file name: *WindowsRemoteShell.admx*
@ -185,7 +185,7 @@ If you do not configure or disable this policy setting, the default value of 900
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Specify idle Timeout* - GP Friendly name: *Specify idle Timeout*
- GP name: *IdleTimeout* - GP name: *IdleTimeout*
- GP path: *Windows Components/Windows Remote Shell* - GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx* - GP ADMX file name: *WindowsRemoteShell.admx*
@ -233,7 +233,7 @@ If you disable or do not configure this policy setting, the value 150 is used by
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Specify maximum amount of memory in MB per Shell* - GP Friendly name: *Specify maximum amount of memory in MB per Shell*
- GP name: *MaxMemoryPerShellMB* - GP name: *MaxMemoryPerShellMB*
- GP path: *Windows Components/Windows Remote Shell* - GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx* - GP ADMX file name: *WindowsRemoteShell.admx*
@ -279,7 +279,7 @@ If you disable or do not configure this policy setting, the limit is five proce
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Specify maximum number of processes per Shell* - GP Friendly name: *Specify maximum number of processes per Shell*
- GP name: *MaxProcessesPerShell* - GP name: *MaxProcessesPerShell*
- GP path: *Windows Components/Windows Remote Shell* - GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx* - GP ADMX file name: *WindowsRemoteShell.admx*
@ -327,7 +327,7 @@ If you disable or do not configure this policy setting, by default the limit is
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Specify maximum number of remote shells per user* - GP Friendly name: *Specify maximum number of remote shells per user*
- GP name: *MaxShellsPerUser* - GP name: *MaxShellsPerUser*
- GP path: *Windows Components/Windows Remote Shell* - GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx* - GP ADMX file name: *WindowsRemoteShell.admx*
@ -369,7 +369,7 @@ This policy setting is deprecated and has no effect when set to any state: Enabl
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Specify Shell Timeout* - GP Friendly name: *Specify Shell Timeout*
- GP name: *ShellTimeOut* - GP name: *ShellTimeOut*
- GP path: *Windows Components/Windows Remote Shell* - GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx* - GP ADMX file name: *WindowsRemoteShell.admx*

View File

@ -24,6 +24,9 @@ manager: dansimp
<dd> <dd>
<a href="#search-allowcloudsearch">Search/AllowCloudSearch</a> <a href="#search-allowcloudsearch">Search/AllowCloudSearch</a>
</dd> </dd>
<dd>
<a href="#search-allowcortanainaad">Search/AllowCortanaInAAD</a>
</dd>
<dd> <dd>
<a href="#search-allowfindmyfiles">Search/AllowFindMyFiles</a> <a href="#search-allowfindmyfiles">Search/AllowFindMyFiles</a>
</dd> </dd>
@ -96,7 +99,7 @@ Allow search and Cortana to search cloud sources like OneDrive and SharePoint. T
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
- GP English name: *Allow Cloud Search* - GP Friendly name: *Allow Cloud Search*
- GP name: *AllowCloudSearch* - GP name: *AllowCloudSearch*
- GP element: *AllowCloudSearch_Dropdown* - GP element: *AllowCloudSearch_Dropdown*
- GP path: *Windows Components/Search* - GP path: *Windows Components/Search*
@ -115,6 +118,7 @@ The following list shows the supported values:
<hr/> <hr/>
<!--Policy--> <!--Policy-->
<a href="" id="search-allowcortanainaad"></a>**Search/AllowCortanaInAAD**
<!--SupportedSKUs--> <!--SupportedSKUs-->
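Review bot: the new `**Search/AllowCortanaInAAD**` heading is slotted between a pre-existing `<!--Policy-->` marker and a pre-existing `<!--SupportedSKUs-->` marker, so the SKU table and Scope that follow are inherited from an existing block rather than written for this policy; confirm that the inherited table and scope (not shown in this diff) reflect the editions and scope that actually support AllowCortanaInAAD, and that the Description/ADMX sections added in the next hunk close that same block in the right order.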
@ -137,6 +141,30 @@ The following list shows the supported values:
<hr/> <hr/>
<!--/Scope-->
<!--Description-->
This policy allows the cortana opt-in page during windows setup out of the box experience.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Allow Cloud Search*
- GP name: *AllowCortanaInAAD*
- GP element: *AllowCloudSearch_Dropdown*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
This is a simple boolean value, default false, that can be set by MDM policy to allow the Cortana Page in OOBE when logged in with an AAD account.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy--> <!--Policy-->
<a href="" id="search-allowfindmyfiles"></a>**Search/AllowFindMyFiles** <a href="" id="search-allowfindmyfiles"></a>**Search/AllowFindMyFiles**
@ -168,7 +196,7 @@ Controls if the user can configure search to Find My Files mode, which searches
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
- GP English name: *Allow Find My Files* - GP Friendly name: *Allow Find My Files*
- GP name: *AllowFindMyFiles* - GP name: *AllowFindMyFiles*
- GP path: *Computer Configuration/Administrative Templates/Windows Components/Search* - GP path: *Computer Configuration/Administrative Templates/Windows Components/Search*
- GP ADMX file name: *Search.admx* - GP ADMX file name: *Search.admx*
@ -228,7 +256,7 @@ Most restricted value is 0.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
- GP English name: *Allow indexing of encrypted files* - GP Friendly name: *Allow indexing of encrypted files*
- GP name: *AllowIndexingEncryptedStoresOrItems* - GP name: *AllowIndexingEncryptedStoresOrItems*
- GP path: *Windows Components/Search* - GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx* - GP ADMX file name: *Search.admx*
@ -278,7 +306,7 @@ Most restricted value is 0.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
- GP English name: *Allow search and Cortana to use location* - GP Friendly name: *Allow search and Cortana to use location*
- GP name: *AllowSearchToUseLocation* - GP name: *AllowSearchToUseLocation*
- GP path: *Windows Components/Search* - GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx* - GP ADMX file name: *Search.admx*
@ -340,7 +368,7 @@ Most restricted value is 0.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
- GP English name: *Allow use of diacritics* - GP Friendly name: *Allow use of diacritics*
- GP name: *AllowUsingDiacritics* - GP name: *AllowUsingDiacritics*
- GP path: *Windows Components/Search* - GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx* - GP ADMX file name: *Search.admx*
@ -424,7 +452,7 @@ Most restricted value is 0.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
- GP English name: *Always use automatic language detection when indexing content and properties* - GP Friendly name: *Always use automatic language detection when indexing content and properties*
- GP name: *AlwaysUseAutoLangDetection* - GP name: *AlwaysUseAutoLangDetection*
- GP path: *Windows Components/Search* - GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx* - GP ADMX file name: *Search.admx*
@ -472,7 +500,7 @@ If enabled, the search indexer backoff feature will be disabled. Indexing will c
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
- GP English name: *Disable indexer backoff* - GP Friendly name: *Disable indexer backoff*
- GP name: *DisableBackoff* - GP name: *DisableBackoff*
- GP path: *Windows Components/Search* - GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx* - GP ADMX file name: *Search.admx*
@ -524,7 +552,7 @@ If you disable or do not configure this policy setting, locations on removable d
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
- GP English name: *Do not allow locations on removable drives to be added to libraries* - GP Friendly name: *Do not allow locations on removable drives to be added to libraries*
- GP name: *DisableRemovableDriveIndexing* - GP name: *DisableRemovableDriveIndexing*
- GP path: *Windows Components/Search* - GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx* - GP ADMX file name: *Search.admx*
@ -577,7 +605,7 @@ If you disable this policy setting, queries will be performed on the web and web
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
- GP English name: *Don't search the web or display web results in Search* - GP Friendly name: *Don't search the web or display web results in Search*
- GP name: *DoNotUseWebResults* - GP name: *DoNotUseWebResults*
- GP path: *Windows Components/Search* - GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx* - GP ADMX file name: *Search.admx*
@ -629,7 +657,7 @@ When this policy is disabled or not configured, Windows Desktop Search automatic
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
- GP English name: *Stop indexing in the event of limited hard drive space* - GP Friendly name: *Stop indexing in the event of limited hard drive space*
- GP name: *StopIndexingOnLimitedHardDriveSpace* - GP name: *StopIndexingOnLimitedHardDriveSpace*
- GP path: *Windows Components/Search* - GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx* - GP ADMX file name: *Search.admx*
@ -677,7 +705,7 @@ If enabled, clients will be unable to query this computer's index remotely. Thus
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
- GP English name: *Prevent clients from querying the index remotely* - GP Friendly name: *Prevent clients from querying the index remotely*
- GP name: *PreventRemoteQueries* - GP name: *PreventRemoteQueries*
- GP path: *Windows Components/Search* - GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx* - GP ADMX file name: *Search.admx*

View File

@ -190,7 +190,7 @@ Admin access is required. The prompt will appear on first admin logon after a re
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
- GP English name: *Configure the system to clear the TPM if it is not in a ready state.* - GP Friendly name: *Configure the system to clear the TPM if it is not in a ready state.*
- GP name: *ClearTPMIfNotReady_Name* - GP name: *ClearTPMIfNotReady_Name*
- GP path: *System/Trusted Platform Module Services* - GP path: *System/Trusted Platform Module Services*
- GP ADMX file name: *TPM.admx* - GP ADMX file name: *TPM.admx*

View File

@ -75,7 +75,7 @@ If you disable or do not configure this policy setting, the stricter security se
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP English name: *Enable svchost.exe mitigation options* - GP Friendly name: *Enable svchost.exe mitigation options*
- GP name: *SvchostProcessMitigationEnable* - GP name: *SvchostProcessMitigationEnable*
- GP path: *System/Service Control Manager Settings/Security Settings* - GP path: *System/Service Control Manager Settings/Security Settings*
- GP ADMX file name: *ServiceControlManager.admx* - GP ADMX file name: *ServiceControlManager.admx*

View File

@ -51,6 +51,9 @@ manager: dansimp
<dd> <dd>
<a href="#start-allowpinnedfoldervideos">Start/AllowPinnedFolderVideos</a> <a href="#start-allowpinnedfoldervideos">Start/AllowPinnedFolderVideos</a>
</dd> </dd>
<dd>
<a href="#start-configurestartpins">Start/ConfigureStartPins</a>
</dd>
<dd> <dd>
<a href="#start-disablecontextmenus">Start/DisableContextMenus</a> <a href="#start-disablecontextmenus">Start/DisableContextMenus</a>
</dd> </dd>
@ -108,6 +111,9 @@ manager: dansimp
<dd> <dd>
<a href="#start-nopinningtotaskbar">Start/NoPinningToTaskbar</a> <a href="#start-nopinningtotaskbar">Start/NoPinningToTaskbar</a>
</dd> </dd>
<dd>
<a href="#start-showorhidemostusedapps">Start/ShowOrHideMostUsedApps</a>
</dd>
<dd> <dd>
<a href="#start-startlayout">Start/StartLayout</a> <a href="#start-startlayout">Start/StartLayout</a>
</dd> </dd>
@ -526,6 +532,67 @@ The following list shows the supported values:
<hr/> <hr/>
<!--Policy-->
<a href="" id="start-configurestartpins"></a>**Start/ConfigureStartPins**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy will allow admins to push a new list of pinned apps to override the default/current list of pinned apps in the Windows 11 start menu experience.
It contains details on how to configure the start menu on Windows 11, see [/windows-hardware/customize/desktop/customize-the-windows-11-start-menu](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu)
<!--/Description-->
<!--SupportedValues-->
This string policy will take a JSON file (expected name LayoutModification.json), which enumerates the items to pin and their relative order.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy--> <!--Policy-->
<a href="" id="start-disablecontextmenus"></a>**Start/DisableContextMenus** <a href="" id="start-disablecontextmenus"></a>**Start/DisableContextMenus**
@ -1498,6 +1565,75 @@ To validate on Desktop, do the following:
<hr/> <hr/>
<!--Policy-->
<a href="" id="start-showorhidemostusedapps"></a>**Start/ShowOrHideMostUsedApps**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
> * User
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 1 - Force showing of Most Used Apps in Start Menu, user cannot change in Settings
- 0 - Force hiding of Most Used Apps in Start Menu, user cannot change in Settings
- Not set - User can use Settings to hide or show Most Used Apps in Start Menu
On clean install, the user setting defaults to "hide".
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy--> <!--Policy-->
<a href="" id="start-startlayout"></a>**Start/StartLayout** <a href="" id="start-startlayout"></a>**Start/StartLayout**

View File

@ -48,6 +48,18 @@ manager: dansimp
<dd> <dd>
<a href="#storage-removablediskdenywriteaccess">Storage/RemovableDiskDenyWriteAccess</a> <a href="#storage-removablediskdenywriteaccess">Storage/RemovableDiskDenyWriteAccess</a>
</dd> </dd>
<dd>
<a href="#storage-wpddevicesdenyreadaccessperdevice">Storage/WPDDevicesDenyReadAccessPerDevice</a>
</dd>
<dd>
<a href="#storage-wpddevicesdenyreadaccessperuser">Storage/WPDDevicesDenyReadAccessPerUser</a>
</dd>
<dd>
<a href="#storage-wpddevicesdenywriteaccessperdevice">Storage/WPDDevicesDenyWriteAccessPerDevice</a>
</dd>
<dd>
<a href="#storage-wpddevicesdenywriteaccessperuser">Storage/WPDDevicesDenyWriteAccessPerUser</a>
</dd>
</dl> </dl>
@ -566,5 +578,252 @@ See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settin
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
<!--Policy-->
<a href="" id="storage-wpddevicesdenyreadaccessperdevice"></a>**Storage/WPDDevicesDenyReadAccessPerDevice**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
- Mass Storage Class (MSC) over USB
To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android.
>[!NOTE]
> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
Supported values for this policy are:
- Not configured
- Enabled
- Disabled
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *WPD Devices: Deny read access*
- GP name: *WPDDevices_DenyRead_Access_2*
- GP path: *System/Removable Storage Access*
- GP ADMX file name: *RemovableStorage.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="storage-wpddevicesdenyreadaccessperuser"></a>**Storage/WPDDevicesDenyReadAccessPerUser**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
- Mass Storage Class (MSC) over USB
To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android.
>[!NOTE]
> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
Supported values for this policy are:
- Not configured
- Enabled
- Disabled
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *WPD Devices: Deny read access*
- GP name: *WPDDevices_DenyRead_Access_1*
- GP path: *System/Removable Storage Access*
- GP ADMX file name: *RemovableStorage.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="storage-wpddevicesdenywriteaccessperdevice"></a>**Storage/WPDDevicesDenyWriteAccessPerDevice**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
- Mass Storage Class (MSC) over USB
To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android.
>[!NOTE]
> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
Supported values for this policy are:
- Not configured
- Enabled
- Disabled
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *WPD Devices: Deny write access*
- GP name: *WPDDevices_DenyWrite_Access_2*
- GP path: *System/Removable Storage Access*
- GP ADMX file name: *RemovableStorage.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="storage-wpddevicesdenywriteaccessperuser"></a>**Storage/WPDDevicesDenyWriteAccessPerUser**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
- Mass Storage Class (MSC) over USB
To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android.
>[!NOTE]
> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
Supported values for this policy are:
- Not configured
- Enabled
- Disabled
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *WPD Devices: Deny write access*
- GP name: *WPDDevices_DenyWrite_Access_1*
- GP path: *System/Removable Storage Access*
- GP ADMX file name: *RemovableStorage.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--/Policies--> <!--/Policies-->
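Review bot: the NOTE under each of the three WPD policies contradicts the protocol list in the same description: the description says enforcement covers "Mass Storage Class (MSC) over USB", yet the note says a USB thumb drive (an MSC device) can still be browsed in Explorer under a WPD policy. Either drop MSC from the enforced list or state which policy administrators should use for thumb drives instead, so the note does not read as the policy silently failing. Also, WPD stands for Windows Portable Devices, so "Windows Portal devices" should read "Windows Portable Devices" in all three descriptions; in the note, "browser the USB via explorer" should be "browse the USB drive in File Explorer", "can not" should be "cannot", and "an USB" should be "a USB"; and "mobile/IOS/Android" in the protocol paragraph should match the "mobile/iOS/Android" spelling used a few lines later.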

File diff suppressed because it is too large

View File

@ -149,8 +149,6 @@ items:
items: items:
- name: BitLocker DDF file - name: BitLocker DDF file
href: bitlocker-ddf-file.md href: bitlocker-ddf-file.md
- name: BrowserFavorite CSP
href: browserfavorite-csp.md
- name: CellularSettings CSP - name: CellularSettings CSP
href: cellularsettings-csp.md href: cellularsettings-csp.md
- name: CertificateStore CSP - name: CertificateStore CSP
@ -701,6 +699,8 @@ items:
href: policy-csp-display.md href: policy-csp-display.md
- name: DmaGuard - name: DmaGuard
href: policy-csp-dmaguard.md href: policy-csp-dmaguard.md
- name: EAP
href: policy-csp-eap.md
- name: Education - name: Education
href: policy-csp-education.md href: policy-csp-education.md
- name: EnterpriseCloudPrint - name: EnterpriseCloudPrint
@ -721,6 +721,8 @@ items:
href: policy-csp-games.md href: policy-csp-games.md
- name: Handwriting - name: Handwriting
href: policy-csp-handwriting.md href: policy-csp-handwriting.md
- name: HumanPresence
href: policy-csp-humanpresence.md
- name: InternetExplorer - name: InternetExplorer
href: policy-csp-internetexplorer.md href: policy-csp-internetexplorer.md
- name: Kerberos - name: Kerberos
@ -753,6 +755,8 @@ items:
href: policy-csp-networkisolation.md href: policy-csp-networkisolation.md
- name: NetworkListManager - name: NetworkListManager
href: policy-csp-networklistmanager.md href: policy-csp-networklistmanager.md
- name: NewsAndInterests
href: policy-csp-newsandinterests.md
- name: Notifications - name: Notifications
href: policy-csp-notifications.md href: policy-csp-notifications.md
- name: Power - name: Power
@ -763,6 +767,8 @@ items:
href: policy-csp-privacy.md href: policy-csp-privacy.md
- name: RemoteAssistance - name: RemoteAssistance
href: policy-csp-remoteassistance.md href: policy-csp-remoteassistance.md
- name: RemoteDesktop
href: policy-csp-remotedesktop.md
- name: RemoteDesktopServices - name: RemoteDesktopServices
href: policy-csp-remotedesktopservices.md href: policy-csp-remotedesktopservices.md
- name: RemoteManagement - name: RemoteManagement

View File

@ -19,11 +19,12 @@ Use an **APPLICATION** configuration service provider that has an APPID of w4 to
The default security roles are defined in the root characteristic, and map to each subnode unless specific permission is granted to the subnode. The default security roles are Manager, Operator, and Operator TPS. The default security roles are defined in the root characteristic, and map to each subnode unless specific permission is granted to the subnode. The default security roles are Manager, Operator, and Operator TPS.
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_W4\_APPLICATION capabilities to be accessed from a network configuration application. > [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_W4\_APPLICATION capabilities to be accessed from a network configuration application.
The following shows the configuration service provider in tree format as used by OMA Client Provisioning. The following shows the configuration service provider in tree format as used by OMA Client Provisioning.
```console ```cmd
APPLICATION APPLICATION
----APPID ----APPID
----NAME ----NAME
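Review bot: the fence tag change from `console` to `cmd` mislabels this block; the lines that follow (`APPLICATION`, `----APPID`, `----NAME`) are the CSP node tree in OMA Client Provisioning format, not a command-prompt session, so a neutral tag such as `text` avoids command highlighting on tree lines.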
@ -45,11 +46,10 @@ This parameter takes a string value. The possible values to configure the NAME p
- no value specified - no value specified
> **Note**  MDM servers should resend APPLICATION/NAME to DMAcc after an upgrade because this value is displayed in the UI but not saved in Windows Phone 8.1 and cannot be migrated to Windows 10. > [!NOTE]
> The APPLICATION/NAME value is displayed in the UI. The APPLICATION/NAME value might not be saved on the device. So after an upgrade, the MDM servers should resend APPLICATION/NAME to DMAcc.
  If no value is specified, the registry location will default to `<unnamed>`.
If no value is specified, the registry location will default to &lt;unnamed&gt;.
If `Name` is greater than 40 characters, it will be truncated to 40 characters. If `Name` is greater than 40 characters, it will be truncated to 40 characters.
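Review bot: the rewritten NOTE ("The APPLICATION/NAME value might not be saved on the device") is vaguer than the text it replaces, which stated the value is not saved in Windows Phone 8.1 and cannot be migrated to Windows 10. If the Windows Phone 8.1 reference is being dropped because that platform is out of support, keep the behaviour definite: if the value is in fact never persisted, say so, because "might not be saved" leaves an MDM operator unsure whether the resend to DMAcc after an upgrade is required or optional. The two consecutive sentences that both start "The APPLICATION/NAME value" can also be merged into one.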
@ -77,13 +77,3 @@ Optional. The maximum authorized size, in KB, for multimedia content. This param
[Configuration service provider reference](configuration-service-provider-reference.md) [Configuration service provider reference](configuration-service-provider-reference.md)
 
 

View File

@ -1,6 +1,6 @@
--- ---
title: New policies for Windows 10 (Windows 10) title: New policies for Windows 10 (Windows 10)
description: Learn how Windows 10 includes new policies for management, like Group Policy settings for the Windows system and components. description: Learn how Windows 10 includes new policies for management, like Group Policy settings for the Windows system and components.
ms.assetid: 1F24ABD8-A57A-45EA-BA54-2DA2238C573D ms.assetid: 1F24ABD8-A57A-45EA-BA54-2DA2238C573D
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
@ -20,8 +20,8 @@ ms.topic: reference
**Applies to** **Applies to**
- Windows 10 - Windows 10
- Windows 11 - Windows 11
As of September 2020 This page will no longer be updated. To find the Group Polices that ship in each version of Windows, refer to the Group Policy Settings Reference Spreadsheet. You can always locate the most recent version of the Spreadsheet by searching the Internet for "Windows Version + Group Policy Settings Reference". As of September 2020 This page will no longer be updated. To find the Group Polices that ship in each version of Windows, refer to the Group Policy Settings Reference Spreadsheet. You can always locate the most recent version of the Spreadsheet by searching the Internet for "Windows Version + Group Policy Settings Reference".
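Review bot: while this hunk touches the "As of September 2020" paragraph, two nits in it are worth fixing in the same change: "Group Polices" should be "Group Policies", and "As of September 2020 This page" needs a comma and a lowercase "this".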
@ -57,7 +57,7 @@ The following Group Policy settings were added in Windows 10, version 1903:
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use WDDM graphics display driver for Remote Desktop Connections - Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use WDDM graphics display driver for Remote Desktop Connections
- Windows Components\Windows Logon Options\Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot - Windows Components\Windows Logon Options\Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot
## New Group Policy settings in Windows 10, version 1809 ## New Group Policy settings in Windows 10, version 1809
The following Group Policy settings were added in Windows 10, version 1809: The following Group Policy settings were added in Windows 10, version 1809:
@ -242,7 +242,7 @@ The following Group Policy settings were added in Windows 10, version 1809:
- Network\Windows Connection Manager\Enable Windows to soft-disconnect a computer from a network - Network\Windows Connection Manager\Enable Windows to soft-disconnect a computer from a network
## New Group Policy settings in Windows 10, version 1803 ## New Group Policy settings in Windows 10, version 1803
The following Group Policy settings were added in Windows 10, version 1803: The following Group Policy settings were added in Windows 10, version 1803:
@ -282,7 +282,7 @@ The following Group Policy settings were added in Windows 10, version 1803:
- Windows Components\Windows Defender Security Center\Virus and threat protection\Hide the Ransomware data recovery area - Windows Components\Windows Defender Security Center\Virus and threat protection\Hide the Ransomware data recovery area
## New Group Policy settings in Windows 10, version 1709 ## New Group Policy settings in Windows 10, version 1709
The following Group Policy settings were added in Windows 10, version 1709: The following Group Policy settings were added in Windows 10, version 1709:
@ -351,7 +351,7 @@ The following Group Policy settings were added in Windows 10, version 1709:
- Windows Components\Windows Update\Do not allow update deferral policies to cause scans against Windows Update - Windows Components\Windows Update\Do not allow update deferral policies to cause scans against Windows Update
## New Group Policy settings in Windows 10, version 1703 ## New Group Policy settings in Windows 10, version 1703
The following Group Policy settings were added in Windows 10, version 1703: The following Group Policy settings were added in Windows 10, version 1703:
@ -481,10 +481,9 @@ For a spreadsheet of Group Policy settings included in Windows 10 and Windows Se
## New MDM policies ## New MDM policies
Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education include previous Windows Phone settings, and new or enhanced settings for Windows 10, such as:
Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education includes settings from Windows Phone 8.1, plus new or enhanced settings for Windows 10, such as: - Defender (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education only)
- Defender (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education only)
- Enhanced Bluetooth policies - Enhanced Bluetooth policies
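Review bot: the new sentence "Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education include previous Windows Phone settings" has a subject-verb agreement error; the subject is "Mobile device management (MDM)", so it should be "includes", as in the line being replaced. "previous Windows Phone settings" is also ambiguous; "settings carried over from Windows Phone" says what is meant.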
@ -508,7 +507,7 @@ Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, and
Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](./mdm/policy-configuration-service-provider.md). Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](./mdm/policy-configuration-service-provider.md).
If you use Microsoft Intune for MDM, you can [configure custom policies](https://go.microsoft.com/fwlink/p/?LinkId=616316) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616317). If you use Microsoft Intune for MDM, you can [configure custom policies](https://go.microsoft.com/fwlink/p/?LinkId=616316) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616317).
No new [Exchange ActiveSync policies](/exchange/mobile-device-mailbox-policies-exchange-2013-help). For more information, see the [ActiveSync configuration service provider](./mdm/activesync-csp.md) technical reference. No new [Exchange ActiveSync policies](/exchange/mobile-device-mailbox-policies-exchange-2013-help). For more information, see the [ActiveSync configuration service provider](./mdm/activesync-csp.md) technical reference.
@ -519,7 +518,3 @@ No new [Exchange ActiveSync policies](/exchange/mobile-device-mailbox-policies-e
[Manage corporate devices](manage-corporate-devices.md) [Manage corporate devices](manage-corporate-devices.md)
[Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) [Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10)
 

View File

@ -19,6 +19,9 @@ Quick Assist is a Windows application that enables a person to share their devic
All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesnt have to authenticate. All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesnt have to authenticate.
> [!NOTE]
> In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session.
### Authentication ### Authentication
The helper can authenticate when they sign in by using a Microsoft Account (MSA) or Azure Active Directory. Local Active Directory authentication is not supported at this time. The helper can authenticate when they sign in by using a Microsoft Account (MSA) or Azure Active Directory. Local Active Directory authentication is not supported at this time.
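Review bot: in the added NOTE, "the ones from the sharer" has no clear antecedent once two nouns ("keyboard layouts or mouse settings") are in play. Suggest: "If the helper and sharer use different keyboard layouts or mouse settings, the sharer's settings are used during the session."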

View File

@ -19,26 +19,28 @@ ms.topic: article
**Applies to** **Applies to**
- Windows 10 version 1709 and older - Windows 10 version 1709 and older
>[!IMPORTANT] > [!IMPORTANT]
>Beginning with Windows 10, version 1803, Wifi-Sense is no longer available. The following information only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) for more details. > Beginning with Windows 10, version 1803, Wifi-Sense is no longer available. The following information only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) for more details.
Wi-Fi Sense learns about open Wi-Fi hotspots your Windows PC or Windows phone connects to by collecting information about the network, like whether the open Wi-Fi network has a high-quality connection to the Internet. By using that information from your device and from other Wi-Fi Sense customers' devices too, Wi-Fi Sense builds a database of these high-quality networks. When youre in range of one of these Wi-Fi hotspots, you automatically get connected to it. Wi-Fi Sense learns about open Wi-Fi hotspots your Windows device by collecting information about the network, like whether the open Wi-Fi network has a high-quality connection to the Internet. By using that information from your device and from other Wi-Fi Sense customers' devices too, Wi-Fi Sense builds a database of these high-quality networks. When youre in range of one of these Wi-Fi hotspots, you automatically get connected to it.
The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your device with Windows 10.
**Note**<br>Wi-Fi Sense isnt available in all countries or regions. > [!NOTE]
> >Wi-Fi Sense isnt available in all countries or regions.
## How does Wi-Fi Sense work? ## How does Wi-Fi Sense work?
Wi-Fi Sense connects your employees to open Wi-Fi networks. Typically, these are the open (no password required) Wi-Fi hotspots you see when youre out and about. Wi-Fi Sense connects your employees to open Wi-Fi networks. Typically, these are the open (no password required) Wi-Fi hotspots you see when youre out and about.
## How to manage Wi-Fi Sense in your company ## How to manage Wi-Fi Sense in your company
In a company environment, you will most likely deploy Windows 10 to your employees' PCs using your preferred deployment method and then manage their settings globally. With that in mind, you have a few options for managing how your employees will use Wi-Fi Sense. In a company environment, you will most likely deploy Windows 10 to your employees' devices using your preferred deployment method and then manage their settings globally. With that in mind, you have a few options for managing how your employees will use Wi-Fi Sense.
**Important**<br>Turning off Wi-Fi Sense stops employees from connecting automatically to open hotspots. > [!IMPORTANT]
> Turning off Wi-Fi Sense stops employees from connecting automatically to open hotspots.
### Using Group Policy (available starting with Windows 10, version 1511) ### Using Group Policy (available starting with Windows 10, version 1511)
You can manage your Wi-Fi Sense settings by using Group Policy and your Group Policy editor. You can manage your Wi-Fi Sense settings by using Group Policy and your Group Policy editor.
**To set up Wi-Fi Sense using Group Policy** **To set up Wi-Fi Sense using Group Policy**
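Review bot: the rewritten first paragraph lost its verb: "Wi-Fi Sense learns about open Wi-Fi hotspots your Windows device by collecting information" drops the "connects to" from the original "hotspots your Windows PC or Windows phone connects to"; it should read "open Wi-Fi hotspots your Windows device connects to by collecting information". In the converted NOTE, the body line ">Wi-Fi Sense isn't available in all countries or regions." lacks the space after ">" that the other converted callouts in this hunk use ("> Turning off Wi-Fi Sense ..."); make it "> Wi-Fi Sense ...". And "Wifi-Sense" in the IMPORTANT callout should match the "Wi-Fi Sense" spelling used everywhere else on the page.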
@ -57,7 +59,8 @@ You can manage your Wi-Fi Sense settings by using registry keys and the Registry
1. Open your Registry Editor and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\` 1. Open your Registry Editor and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\`
2. Create and set a new **DWORD (32-bit) Value** named, **AutoConnectAllowedOEM**, with a **Value data** of **0 (zero)**. 2. Create and set a new **DWORD (32-bit) Value** named, **AutoConnectAllowedOEM**, with a **Value data** of **0 (zero)**.
<p>Setting this value to <strong>0</strong> turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the <strong>Wi-Fi Settings</strong> screen, but can&#39;t be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see <a href="/troubleshoot/windows-client/networking/configure-wifi-sense-and-paid-wifi-service" data-raw-source="[How to configure Wi-Fi Sense on Windows 10 in an enterprise](/troubleshoot/windows-client/networking/configure-wifi-sense-and-paid-wifi-service)">How to configure Wi-Fi Sense on Windows 10 in an enterprise</a>.
Setting this value to `0` turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see [How to configure Wi-Fi Sense on Windows 10 in an enterprise](/troubleshoot/windows-client/networking/configure-wifi-sense-and-paid-wifi-service).
![Registry Editor, showing the creation of a new DWORD value.](images/wifisense-registry.png) ![Registry Editor, showing the creation of a new DWORD value.](images/wifisense-registry.png)
@ -67,7 +70,8 @@ You can manage your Wi-Fi Sense settings by changing the Windows provisioning se
**To set up Wi-Fi Sense using WiFISenseAllowed** **To set up Wi-Fi Sense using WiFISenseAllowed**
- Change the Windows Provisioning setting, **WiFISenseAllowed**, to **0**. - Change the Windows Provisioning setting, **WiFISenseAllowed**, to **0**.
<p>Setting this value to <strong>0</strong> turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the <strong>Wi-Fi Settings</strong> screen, but can&#39;t be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Windows Provisioning settings reference topic, <a href="/windows/configuration/wcd/wcd-connectivityprofiles#wifisense" data-raw-source="[WiFiSenseAllowed](./wcd/wcd-connectivityprofiles.md#wifisense)">WiFiSenseAllowed</a>.
Setting this value to `0` turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Windows Provisioning settings reference topic, [WiFiSenseAllowed](./wcd/wcd-connectivityprofiles.md#wifisense).
### Using Unattended Windows Setup settings ### Using Unattended Windows Setup settings
If your company still uses Unattend, you can manage your Wi-Fi Sense settings by changing the Unattended Windows Setup setting, **WiFiSenseAllowed**. If your company still uses Unattend, you can manage your Wi-Fi Sense settings by changing the Unattended Windows Setup setting, **WiFiSenseAllowed**.
@ -75,24 +79,24 @@ If your company still uses Unattend, you can manage your Wi-Fi Sense settings by
**To set up Wi-Fi Sense using WiFISenseAllowed** **To set up Wi-Fi Sense using WiFISenseAllowed**
- Change the Unattended Windows Setup setting, **WiFISenseAllowed**, to **0**. - Change the Unattended Windows Setup setting, **WiFISenseAllowed**, to **0**.
<p>Setting this value to <strong>0</strong> turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the <strong>Wi-Fi Settings</strong> screen, but can&#39;t be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Unattended Windows Setup Reference topic, <a href="/previous-versions//mt186511(v=vs.85)" data-raw-source="[WiFiSenseAllowed](/previous-versions//mt186511(v=vs.85))">WiFiSenseAllowed</a>.
Setting this value to `0` turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings</strong> screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Unattended Windows Setup Reference topic, [WiFiSenseAllowed](/previous-versions//mt186511(v=vs.85)).
### How employees can change their own Wi-Fi Sense settings ### How employees can change their own Wi-Fi Sense settings
If you dont turn off the ability for your employees to use Wi-Fi Sense, they can turn it on locally by selecting **Settings &gt; Network & Internet &gt; Wi-Fi &gt; Manage Wi-Fi settings**, and then turning on **Connect to suggested open hotspots**. If you dont turn off the ability for your employees to use Wi-Fi Sense, they can turn it on locally by selecting **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings**, and then turning on **Connect to suggested open hotspots**.
![Wi-Fi Sense options shown to employees if it's not turned off.](images/wifisense-settingscreens.png) ![Wi-Fi Sense options shown to employees if it's not turned off.](images/wifisense-settingscreens.png)
**Important**<br>The service that was used to share networks with Facebook friends, Outlook.com contacts, or Skype contacts is no longer available. This means: > [!IMPORTANT]
> The service that was used to share networks with Facebook friends, Outlook.com contacts, or Skype contacts is no longer available. This means:
The **Connect to networks shared by my contacts** setting will still appear in **Settings &gt; Network & Internet &gt; Wi-Fi &gt; Manage Wi-Fi settings** on your PC and in **Settings &gt; Network & wireless &gt; WiFi &gt; WiFi Sense** on your phone. However, this setting will have no effect now. Regardless of what its set to, networks wont be shared with your contacts. Your contacts wont be connected to networks youve shared with them, and you wont be connected to networks theyve shared with you. The **Connect to networks shared by my contacts** setting will still appear in **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings** on your device. However, this setting will have no effect now. Regardless of what its set to, networks wont be shared with your contacts. Your contacts wont be connected to networks youve shared with them, and you wont be connected to networks theyve shared with you.
Even if you selected **Automatically connect to networks shared by your contacts** when you first set up your Windows 10 device, you still wont be connected to networks your contacts have shared with you. Even if you selected **Automatically connect to networks shared by your contacts** when you first set up your Windows 10 device, you still wont be connected to networks your contacts have shared with you.
If you select the **Share network with my contacts** check box the first time you connect to a new network, the network wont be shared. If you select the **Share network with my contacts** check box the first time you connect to a new network, the network wont be shared.
## Related topics ## Related topics
- [Wi-Fi Sense and Privacy](https://go.microsoft.com/fwlink/p/?LinkId=620911) - [Wi-Fi Sense and Privacy](https://go.microsoft.com/fwlink/p/?LinkId=620911)
- [How to configure Wi-Fi Sense on Windows 10 in an enterprise](/troubleshoot/windows-client/networking/configure-wifi-sense-and-paid-wifi-service) - [How to configure Wi-Fi Sense on Windows 10 in an enterprise](/troubleshoot/windows-client/networking/configure-wifi-sense-and-paid-wifi-service)
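Review bot: the line "**Wi-Fi Settings</strong> screen" in the Unattended Windows Setup section mixes a markdown bold opener with a leftover HTML closing tag from the conversion; it should be "**Wi-Fi Settings** screen", as in the two other paragraphs converted in this file. Separately, the IMPORTANT callout now ends with "This means:" but the three paragraphs it introduces (starting "The **Connect to networks shared by my contacts** setting ...") sit outside the blockquote, so the callout dangles; either prefix those paragraphs with "> " to keep them inside the callout or rewrite the lead sentence so it stands on its own.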

View File

@ -167,6 +167,8 @@
href: update/waas-manage-updates-wufb.md href: update/waas-manage-updates-wufb.md
- name: Configure Windows Update for Business - name: Configure Windows Update for Business
href: update/waas-configure-wufb.md href: update/waas-configure-wufb.md
- name: Use Windows Update for Business and WSUS
href: update/wufb-wsus.md
- name: Windows Update for Business deployment service - name: Windows Update for Business deployment service
href: update/deployment-service-overview.md href: update/deployment-service-overview.md
items: items:

View File

@ -255,3 +255,8 @@ At a command prompt, type: **winver**
A popup window will display the Windows 10 version number and detailed OS build information. A popup window will display the Windows 10 version number and detailed OS build information.
If a device is running a version of Windows 10 Pro prior to version 1703 (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. If a device is running a version of Windows 10 Pro prior to version 1703 (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
### Delay in the activation of Enterprise License of Windows 10
This is by design. Windows 10 and Windows 11 include a built-in cache that is used when determining upgrade eligibility, including responses that indicate that the device is not eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires.
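Review bot: the new section opens with "This is by design." before anything has been stated, so the reader does not know what "this" refers to; lead with the symptom and then the explanation, e.g. "Enterprise activation can take up to four days after a qualifying purchase. This is by design: Windows 10 and Windows 11 include a built-in cache ...". The heading "Delay in the activation of Enterprise License of Windows 10" should also be reconciled with the body, which covers Windows 11 as well.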

View File

@ -257,6 +257,5 @@ When you have completed all the steps in this section to prepare for deployment,
**Sample files** **Sample files**
The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so you can see how some tasks can be automated with Windows PowerShell. The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so you can see how some tasks can be automated with Windows PowerShell.
- [Gather.ps1](/samples/browse/?redirectedfrom=TechNet-Gallery). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment.
- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU. - [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU.
- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. - [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT.

View File

@ -38,9 +38,6 @@ If you have access to Microsoft BitLocker Administration and Monitoring (MBAM),
> [!NOTE] > [!NOTE]
> Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511. > Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511.
>[!NOTE]
>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For more information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md). For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
## Configure Active Directory for BitLocker ## Configure Active Directory for BitLocker
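Review bot: this hunk deletes the NOTE that recommends storing the BitLocker recovery key and TPM owner information in AD DS and carries the link "Backing Up BitLocker and TPM Recovery Information to AD DS". The hunk header shows that a sentence beginning "If you have access to Microsoft BitLocker Administration and Monitoring (MBAM)," already exists above, so this looks like a duplicate being removed; please confirm the surviving paragraph keeps both the AD DS escrow recommendation and that link, since silently dropping key-escrow guidance would be a substantive change to a topic whose next section is "Configure Active Directory for BitLocker".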
@ -170,4 +167,4 @@ In the following task sequence, we added five actions:
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)<br> [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)<br>
[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)<br> [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)<br>
[Use web services in MDT](use-web-services-in-mdt.md)<br> [Use web services in MDT](use-web-services-in-mdt.md)<br>
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)

View File

@ -12,7 +12,7 @@ ms.author: greglin
ms.date: 02/13/2018 ms.date: 02/13/2018
manager: dougeby manager: dougeby
ms.audience: itpro ms.audience: itpro
ms.localizationpriority: medium ms.localizationpriority: high
ms.topic: article ms.topic: article
ms.custom: seo-marvel-apr2020 ms.custom: seo-marvel-apr2020
ms.collection: highpri ms.collection: highpri

View File

@ -149,5 +149,5 @@ sections:
Use the following resources for additional information about Windows 10. Use the following resources for additional information about Windows 10.
- If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet. - If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet.
- If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum/windows_10). - If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum/windows_10).
- If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev) or [Windows and Windows phone apps forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsapps) on MSDN. - If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev).
- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet. - If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home).
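Review bot: Inconsistent style after the edit: the developer bullet and the Internet Explorer bullet lose their "on MSDN" / "on TechNet" suffix, while the first bullet in the same list still ends with "on TechNet". Either drop the suffix from the IT Professional forums bullet too or keep it everywhere. Dropping the Windows phone apps forums link is consistent with the Windows 10 Mobile end-of-support redirects added elsewhere in this commit.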

View File

@ -3,7 +3,7 @@ title: Windows 10 Pro in S mode
description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers? description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers?
keywords: Windows 10 S, S mode, Windows S mode, Windows 10 S mode, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Enterprise in S mode, Windows 10 Pro/Enterprise in S mode keywords: Windows 10 S, S mode, Windows S mode, Windows 10 S mode, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Enterprise in S mode, Windows 10 Pro/Enterprise in S mode
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.localizationpriority: medium ms.localizationpriority: high
ms.prod: w10 ms.prod: w10
ms.sitesec: library ms.sitesec: library
ms.pagetype: deploy ms.pagetype: deploy
@ -58,4 +58,4 @@ The [MSIX Packaging Tool](/windows/application-management/msix-app-packaging-too
- [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode) - [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode)
- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices) - [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices)
- [Windows Defender Application Control deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) - [Windows Defender Application Control deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
- [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) - [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)

Binary file not shown.

After

Width:  |  Height:  |  Size: 221 KiB

View File

@ -6,7 +6,7 @@ ms.mktglfcycl: manage
audience: itpro audience: itpro
itproauthor: jaimeo itproauthor: jaimeo
author: jaimeo author: jaimeo
ms.localizationpriority: medium ms.localizationpriority: high
ms.author: jaimeo ms.author: jaimeo
manager: dougeby manager: dougeby
ms.collection: ms.collection:

View File

@ -118,10 +118,10 @@ Download mode dictates which download sources clients are allowed to use when do
|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. |
> [!NOTE] > [!NOTE]
> Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of Download Mode is no longer used. > Starting in Windows 11, the Bypass option of Download Mode is no longer used.
>[!NOTE] > [!NOTE]
>When you use AAD tenant, AD Site, or AD Domain as source of group IDs, that the association of devices participating in the group should not be relied on for an authentication of identity of those devices. > When you use AAD tenant, AD Site, or AD Domain as the source of group IDs, the association of devices participating in the group should not be relied on for an authentication of identity of those devices.
### Group ID ### Group ID
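Review bot: The Bypass note now states "Starting in Windows 11, the Bypass option of Download Mode is no longer used", but the What's new page touched in this same commit still reads "Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of Download Mode is no longer used". The two pages now disagree on whether Bypass (100) is still honoured on Windows 10; pick one statement and apply it to both files, and update the Bypass (100) table row above if the option is indeed gone on Windows 11. The reworded AAD/AD note is an improvement: stating that group association "should not be relied on for an authentication of identity of those devices" is the key caveat for anyone treating a Delivery Optimization peer group as a trust boundary, so keeping it directly above the Group ID section is the right placement.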
@ -178,6 +178,9 @@ This setting specifies the minimum content file size in MB enabled to use Peer C
This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of "0" means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used. This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of "0" means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
> [!NOTE]
> This is the best option for low bandwidth environments.
### Maximum Foreground Download Bandwidth ### Maximum Foreground Download Bandwidth
Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value of "0" means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set. Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value of "0" means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set.
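Review bot: The added note "This is the best option for low bandwidth environments" does not say what "This" refers to. It sits immediately after a sentence describing the default value of "0" (dynamic adjustment), so a reader may take the note to recommend the default rather than the absolute KB/s setting. Name the setting explicitly, for example "The absolute Maximum Download Bandwidth setting (KB/s) is the best option for low bandwidth environments", and say why (a percentage of an already small link is not a usable cap), which is the reasoning the note under Maximum Background Download Bandwidth relies on.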
@ -190,6 +193,9 @@ Starting in Windows 10, version 1803, specifies the maximum background download
This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
> [!NOTE]
> It is recommended to use the absolute value download option 'Maximum Download Bandwidth', rather than percentage-based options, for low bandwidth environments.
### Max Upload Bandwidth ### Max Upload Bandwidth
This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is "0", or "unlimited" which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate. This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is "0", or "unlimited" which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
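Review bot: The new note quotes the setting name as 'Maximum Download Bandwidth' in single quotes, while setting names elsewhere on this page are bold (for example **DownloadMode**). Use bold for consistency and link to the Maximum Download Bandwidth section above, since this note and the one added under that heading state the same recommendation from two sides; one cross-reference avoids the two notes drifting apart.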
@ -205,6 +211,8 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection
If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID).
The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**.
### Delay background download from http (in secs) ### Delay background download from http (in secs)
Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer.
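Review bot: The added sentence says the Local Peer Discovery (DNS-SD) option "can only be set via MDM delivered policies on Windows 11 builds", but the What's new page in this same commit describes the same option as available through **Restrict Peer Selection By** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM); clarify whether Group Policy exposes option 2 on Windows 11 or only MDM does. The sentence is also duplicated verbatim in the What's new page; link from one page to the other so the two cannot diverge the way the Bypass text already has. For the Windows 10 workaround, the value given is `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` set to **2**; please say how a manual edit of that Policies key interacts with a Group Policy or MDM value for the same setting, and state the data type expected, since the rest of the page documents settings by policy name rather than by registry value.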
@ -270,4 +278,4 @@ The default value of 0 (zero) means that Delivery Optimization dynamically adjus
Specifies the maximum background download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. Specifies the maximum background download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.

View File

@ -40,6 +40,10 @@ For information about setting up Delivery Optimization, including tips for the b
- New peer selection options: Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID)." - New peer selection options: Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID)."
- Local Peer Discovery: a new option for **Restrict Peer Selection By** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). If you also enabled Group mode, Delivery Optimization will connect to locally discovered peers that are also part of the same group (that is, those which have the same Group ID). - Local Peer Discovery: a new option for **Restrict Peer Selection By** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). If you also enabled Group mode, Delivery Optimization will connect to locally discovered peers that are also part of the same group (that is, those which have the same Group ID).
> [!NOTE]
> The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**. For more information, see [Delivery Optimization reference](/windows/deployment/update/waas-delivery-optimization-reference).
- Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of [Download Mode](waas-delivery-optimization-reference.md#download-mode) is no longer used. - Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of [Download Mode](waas-delivery-optimization-reference.md#download-mode) is no longer used.
## Requirements ## Requirements
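Review bot: The new note repeats, word for word, the sentence added to the reference page in this commit and then links to that page; a one-line pointer ("For the Windows 10 registry workaround, see Delivery Optimization reference") is enough here and avoids maintaining the registry path in two places. Two pre-existing problems in the surrounding context are worth fixing while this list is being touched: the "New peer selection options" bullet ends with a stray closing quotation mark after "(have the same Group ID)." and the Bypass bullet still says "Starting with Windows 10, version 2006 (and in Windows 11)" whereas the reference page in this same commit now says "Starting in Windows 11".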

View File

@ -124,7 +124,7 @@ The following table provides information about common errors you might run into
| Message | Description | Mitigation | | Message | Description | Mitigation |
|---------|-------------|------------| |---------|-------------|------------|
| CBS_E_CANNOT_UNINSTALL; Package cannot be uninstalled. | Typically this is due component store corruption caused when a component is in a partially installed state. | Repair the component store with the **Dism RestoreHealth** command or manually repair with a payload from the partially installed component. From an elevated command prompt, run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device. | | CBS_E_CANNOT_UNINSTALL; Package cannot be uninstalled. | Typically this is due component store corruption caused when a component is in a partially installed state. | Repair the component store with the **Dism RestoreHealth** command or manually repair with a payload from the partially installed component. From an elevated command prompt, run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device. |
## 0x800F0920 ## 0x800F0920
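Review bot: Good catch on CHECKHEALT to CHECKHEALTH; the same correction is made in the three hunks below. Because the identical DISM/SFC sequence (*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*, *DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALTH*, *DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*, *Sfc /Scannow*) is repeated in five table rows, consider moving it into one "Repair the component store" section that each row links to, so the next fix does not need five separate edits. Also in the unchanged context of this row: "Typically this is due component store corruption" is missing "to".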
@ -136,13 +136,13 @@ The following table provides information about common errors you might run into
| Message | Description | Mitigation | | Message | Description | Mitigation |
|---------|-------------|------------| |---------|-------------|------------|
| CBS_E_SOURCE_MISSING; source for package or file not found, ResolveSource() unsuccessful | Component Store corruption | Repair the component store with the **Dism RestoreHealth** command or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device. | | CBS_E_SOURCE_MISSING; source for package or file not found, ResolveSource() unsuccessful | Component Store corruption | Repair the component store with the **Dism RestoreHealth** command or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device. |
## 0x800f0831 ## 0x800f0831
| Message | Description | Mitigation | | Message | Description | Mitigation |
|---------|-------------|------------| |---------|-------------|------------|
| CBS_E_STORE_CORRUPTION; CBS store is corrupted. | Corruption in the Windows Component Store. | Repair the component store with **Dism RestoreHealth** or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device. | | CBS_E_STORE_CORRUPTION; CBS store is corrupted. | Corruption in the Windows Component Store. | Repair the component store with **Dism RestoreHealth** or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device. |
## 0x80070005 ## 0x80070005
@ -154,7 +154,7 @@ The following table provides information about common errors you might run into
| Message | Description | Mitigation | | Message | Description | Mitigation |
|---------|-------------|------------| |---------|-------------|------------|
| ERROR_FILE_CORRUPT; The file or directory is corrupted and unreadable. | Component Store corruption | Repair the component store with **Dism RestoreHealth** or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device.| | ERROR_FILE_CORRUPT; The file or directory is corrupted and unreadable. | Component Store corruption | Repair the component store with **Dism RestoreHealth** or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device.|
## 0x80070003 ## 0x80070003
@ -180,7 +180,7 @@ The following table provides information about common errors you might run into
| Message | Description | Mitigation | | Message | Description | Mitigation |
|---------|-------------|------------| |---------|-------------|------------|
| ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE; One or more required members of the transaction are not present. | Component Store corruption. | Repair the component store with **Dism RestoreHealth command** or manually repair it with the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device. | | ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE; One or more required members of the transaction are not present. | Component Store corruption. | Repair the component store with **Dism RestoreHealth command** or manually repair it with the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device. |
## 0x80072EFE ## 0x80072EFE
@ -198,7 +198,7 @@ The following table provides information about common errors you might run into
| Message | Description | Mitigation | | Message | Description | Mitigation |
|---------|-------------|------------| |---------|-------------|------------|
| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to Windows Update, Configuration Manager, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager. <br> Check with your network team to ensure that the device can reach the update sources. For more info, see [Troubleshoot software update scan failures in Configuration Manager](/mem/configmgr/troubleshoot-software-update-scan-failures). <br> If youre using the public Microsoft update servers, check that your device can access the following Windows Update endpoints: <br> `http://windowsupdate.microsoft.com` <br> https://*.windowsupdate.microsoft.com <br> https://*.windowsupdate.microsoft.com <br> https://*.update.microsoft.com <br> https://*.update.microsoft.com <br> https://*.windowsupdate.com <br> https://download.windowsupdate.com <br> https://download.microsoft.com <br> https://*.download.windowsupdate.com <br> https://wustat.windows.com <br> https://ntservicepack.microsoft.com | | WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to Windows Update, Configuration Manager, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager. <br> Check with your network team to ensure that the device can reach the update sources. For more info, see [Troubleshoot software update scan failures in Configuration Manager](/mem/configmgr/troubleshoot-software-update-scan-failures). 
<br> If youre using the public Microsoft update servers, check that your device can access the following Windows Update endpoints: <br> `http://windowsupdate.microsoft.com` <br> https://.windowsupdate.microsoft.com <br> https://update.microsoft.com <br> https://*.update.microsoft.com <br> https://windowsupdate.com <br> https://*.windowsupdate.com <br> https://download.windowsupdate.com <br> https://*.download.windowsupdate.com <br> https://download.microsoft.com <br> https://*.download.windowsupdate.com <br> https://wustat.windows.com <br> https://*.wustat.windows.com <br> https://ntservicepack.microsoft.com |
## 0x80240022 ## 0x80240022
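Review bot: Several problems in the rewritten endpoint list for WININET_E_TIMEOUT. "https://.windowsupdate.microsoft.com" has lost its wildcard label (the old text had "https://*.windowsupdate.microsoft.com"); "https://*.download.windowsupdate.com" is now listed twice; and bare "*" characters inside a markdown table cell pair up as emphasis markers, so the wildcards vanish in the rendered page. Wrap every endpoint in backticks, as the first entry `http://windowsupdate.microsoft.com` already is, and de-duplicate the list. The list also now mixes apex hosts (https://update.microsoft.com, https://windowsupdate.com) with wildcard entries for the same domains; if both forms are intended, say so, because an administrator building a proxy or firewall allow list from this row needs to know whether the apex host alone is sufficient. The split of the cell across two source lines should also be rejoined, since a line break inside a table cell breaks the table.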

View File

@ -0,0 +1,78 @@
---
title: Use Windows Update for Business (WUfB) and Windows Server Update Services (WSUS) together
description: Learn how to use Windows Update for Business and WSUS together using the new scan source policy.
ms.prod: w10
ms.mktglfcycl: manage
author: arcarley
ms.localizationpriority: medium
audience: itpro
ms.author: arcarley
ms.collection:
- m365initiative-coredeploy
- highpri
manager: dougeby
ms.topic: article
---
# Use Windows Update for Business and WSUS together
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
The Windows update scan source policy enables you to choose what types of updates to get from either [WSUS](waas-manage-updates-wsus.md) or Windows Update for Business (WUfB) service.
We added the scan source policy starting with the [September 1, 2021—KB5005101 (OS Builds 19041.1202, 19042.1202, and 19043.1202) Preview](https://support.microsoft.com/help/5005101) update and it applies to Window 10, version 2004 and above and Windows 11. This policy changes the way devices determine whether to scan against a local WSUS server or Windows Update service.
> [!IMPORTANT]
> The policy **Do not allow update deferral policies to cause scans against Windows Update**, also known as Dual Scan, is no longer supported on Windows 11 and on Windows 10 it is replaced by the new Windows scan source policy and is not recommended for use. If you configure both on Windows 10, you will not get updates from Windows Update.
## About the scan source policy
The specify scan source policy enables you to specify whether your device gets the following Windows update types form WSUS **or** from Windows Update:
- Feature updates
- Windows quality updates
- Driver and firmware updates
- Updates for other Microsoft products
We recommend using this policy on your transition from fully on-premises managed environment to a cloud supported one. Whether you move only drivers to the cloud today or drivers and quality updates and then later move your other workloads, taking a step-by-step approach might ease the transition.
## Default scan behavior
To help you better understand the scan source policy, see the default scan behavior below and how we can change it:
- If no policies are configured: All of your updates will come from Windows Update.
- If you configure only the WSUS server policy:
- On Windows 10: All of your updates will come from WSUS.
- On Windows 11: All of your updates will still come from Windows Update unless you configure the specify scan source policy.
- If you configure a WSUS server and deferral policies: All of your updates will come from Windows Update unless you specify the scan source policy.
- If you configure a WSUS server and the scan source policy: All of your updates will come from the source chosen in the scan source policy.
> [!TIP]
> The only two relevant policies for where your updates come from are the specify scan source policy and whether or not you have configured a WSUS server. This should simplify the configuration options.
## Configure the scan sources
The policy can be configured using the following two methods:
1. Group Policy: Specify source service for specific classes of Windows Updates
- Path: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service\
:::image type="content" source="media/specify-update-type-sources.png" alt-text="Screenshot of the Group Policy for specifiying sources for update types":::
2. Configuration Service Provider (CSP) Policies: **SetPolicyDrivenUpdateSourceFor&lt;Update Type>**:
> [!NOTE]
> You should configure **all** of these policies if you are using CSPs.
- [Update/SetPolicyDrivenUpdateSourceForDriverUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourcefordriver)
- [Update/SetPolicyDrivenUpdateSourceForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforfeature)
- [Update/SetPolicyDrivenUpdateSourceForOtherUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforother)
- [Update/SetPolicyDrivenUpdateSourceForQualityUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforquality)
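Review bot: Typos in the new page: "form WSUS" under "About the scan source policy" should be "from WSUS", "Window 10, version 2004" should be "Windows 10", and the alt-text "specifiying" should be "specifying". The Group Policy path under "Configure the scan sources" ends at "Manage updates offered from Windows Server Update Service\" with nothing after the backslash; either complete it with the policy name ("Specify source service for specific classes of Windows Updates") or drop the trailing backslash. The IMPORTANT note says that configuring both Dual Scan and the new scan source policy on Windows 10 means "you will not get updates from Windows Update"; since that is the failure mode an administrator is most likely to hit mid-migration, add that combination as its own bullet in the "Default scan behavior" list rather than leaving it only in the callout. Finally, the CSP note "You should configure **all** of these policies if you are using CSPs" should state what happens to an update class whose policy is left unset, that is, whether it falls back to the WSUS-server behaviour described in the default list above.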

View File

@ -45,7 +45,7 @@ See the following general troubleshooting procedures associated with a result co
| :--- | :--- | :--- | | :--- | :--- | :--- |
| 0xC1900101 - 0x20004 | Uninstall antivirus applications.<br>Remove all unused SATA devices. <br>Remove all unused devices and drivers. <br>Update drivers and BIOS. | Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation. <br>This is generally caused by out-of-date drivers. | | 0xC1900101 - 0x20004 | Uninstall antivirus applications.<br>Remove all unused SATA devices. <br>Remove all unused devices and drivers. <br>Update drivers and BIOS. | Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation. <br>This is generally caused by out-of-date drivers. |
| 0xC1900101 - 0x2000c | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.<br> Contact your hardware vendor to obtain updated device drivers.<br> Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. | Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.<br> This is generally caused by out-of-date drivers | | 0xC1900101 - 0x2000c | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.<br> Contact your hardware vendor to obtain updated device drivers.<br> Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. | Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.<br> This is generally caused by out-of-date drivers |
| 0xC1900101 - 0x20017 | Ensure that all that drivers are updated.<br>Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.<br>For more information, see [Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations](/troubleshoot/windows-client/deployment/windows-setup-log-file-locations).<br>Update or uninstall the problem drivers. | A driver has caused an illegal operation.<br>Windows was not able to migrate the driver, resulting in a rollback of the operating system.<br>This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software. | | 0xC1900101 - 0x20017 | Ensure that all that drivers are updated.<br>Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.<br>For more information, see [Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations](/troubleshoot/windows-client/deployment/windows-setup-log-file-locations).<br>Update or uninstall the problem drivers. | A driver has caused an illegal operation.<br>Windows was not able to migrate the driver, resulting in a rollback of the operating system.<br>This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software.<br>This can also be caused by a hardware failure. |
| 0xC1900101 - 0x30018 | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.<br>Contact your hardware vendor to obtain updated device drivers.<br>Ensure that &quot;Download and install updates (recommended)&quot; is accepted at the start of the upgrade process. | A device driver has stopped responding to setup.exe during the upgrade process. | | 0xC1900101 - 0x30018 | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.<br>Contact your hardware vendor to obtain updated device drivers.<br>Ensure that &quot;Download and install updates (recommended)&quot; is accepted at the start of the upgrade process. | A device driver has stopped responding to setup.exe during the upgrade process. |
| 0xC1900101 - 0x3000D | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.<br>Update or uninstall the display driver. | Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.<br>This can occur due to a problem with a display driver. | | 0xC1900101 - 0x3000D | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.<br>Update or uninstall the display driver. | Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.<br>This can occur due to a problem with a display driver. |
| 0xC1900101 - 0x4000D | Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.<br>Review the rollback log and determine the stop code.<br>The rollback log is located in the <strong>$Windows.~BT\Sources\Rollback</strong> folder. An example analysis is shown below. This example is not representative of all cases:<br>&nbsp;<br>Info SP Crash 0x0000007E detected<br>Info SP Module name :<br>Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005<br>Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A<br>Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728<br>Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40<br>Info SP Cannot recover the system.<br>Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.<br>&nbsp;<br>Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:<br>&nbsp;<br>1. Make sure you have enough disk space.<br>2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.<br>3. Try changing video adapters.<br>4. Check with your hardware vendor for any BIOS updates.<br>5. Disable BIOS memory options such as caching or shadowing. | A rollback occurred due to a driver configuration issue.<br>Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.<br>This can occur because of incompatible drivers. | | 0xC1900101 - 0x4000D | Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.<br>Review the rollback log and determine the stop code.<br>The rollback log is located in the <strong>$Windows.~BT\Sources\Rollback</strong> folder. An example analysis is shown below. 
This example is not representative of all cases:<br>&nbsp;<br>Info SP Crash 0x0000007E detected<br>Info SP Module name :<br>Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005<br>Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A<br>Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728<br>Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40<br>Info SP Cannot recover the system.<br>Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.<br>&nbsp;<br>Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:<br>&nbsp;<br>1. Make sure you have enough disk space.<br>2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.<br>3. Try changing video adapters.<br>4. Check with your hardware vendor for any BIOS updates.<br>5. Disable BIOS memory options such as caching or shadowing. | A rollback occurred due to a driver configuration issue.<br>Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.<br>This can occur because of incompatible drivers. |
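Review bot: the sentence added to the Cause column of the 0xC1900101 - 0x20017 row, "This can also be caused by a hardware failure.", has no matching action in the Mitigation column, which still only tells the reader to update or uninstall drivers. Suggest adding a mitigation step for the non-driver case, for example running the vendor's hardware diagnostics or the built-in Windows memory test, so the reader is not left with a cause and no remedy.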
@ -93,7 +93,7 @@ See the following general troubleshooting procedures associated with a result co
| Error Codes | Cause | Mitigation | | Error Codes | Cause | Mitigation |
| --- | --- | --- | | --- | --- | --- |
|0x80070003- 0x20007|This is a failure during SafeOS phase driver installation.|[Verify device drivers](/windows-hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver.| |0x80070003- 0x20007|This is a failure during SafeOS phase driver installation.|[Verify device drivers](/windows-hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver.|
|0x8007025D - 0x2000C|This error occurs if the ISO file&#39;s metadata is corrupt.|Re-download the ISO/Media and re-attempt the upgrade<p>Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/software-download/windows10).| |0x8007025D - 0x2000C|This error occurs if the ISO file&#39;s metadata is corrupt or if there is an issue with the storage medium, such as a RAM module containing bad blocks during the installation of Windows.|Re-download the ISO/Media and re-attempt the upgrade<p>Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/software-download/windows10).|
|0x80070490 - 0x20007|An incompatible device driver is present.|[Verify device drivers](/windows-hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver.| |0x80070490 - 0x20007|An incompatible device driver is present.|[Verify device drivers](/windows-hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver.|
|0xC1900101 - 0x2000c|An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption.|Run checkdisk to repair the file system. For more information, see the [quick fixes](quick-fixes.md) section in this guide.<br>Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.| |0xC1900101 - 0x2000c|An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption.|Run checkdisk to repair the file system. For more information, see the [quick fixes](quick-fixes.md) section in this guide.<br>Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.|
|0xC1900200 - 0x20008|The computer doesnt meet the minimum requirements to download or upgrade to Windows 10.|See [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) and verify the computer meets minimum requirements.<p>Review logs for [compatibility information](/archive/blogs/askcore/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues).| |0xC1900200 - 0x20008|The computer doesnt meet the minimum requirements to download or upgrade to Windows 10.|See [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) and verify the computer meets minimum requirements.<p>Review logs for [compatibility information](/archive/blogs/askcore/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues).|
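Review bot: in the 0x8007025D - 0x2000C row, "an issue with the storage medium, such as a RAM module containing bad blocks" conflates memory with storage; a RAM module is not the medium the ISO is read from. Suggest "or if there is a hardware issue such as a RAM module with bad blocks", and, since the Mitigation column still only says to re-download the ISO, add a step to test memory (for example with the Windows Memory Diagnostic tool) before retrying the upgrade. Two pre-existing nits in the same table while it is being touched: "re-create installation media the [Media Creation Tool]" is missing "using", and "doesnt" in the 0xC1900200 row needs its apostrophe.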

View File

@ -153,4 +153,4 @@ To create custom RDP settings for Azure:
[Windows 10/11 Subscription Activation](windows-10-subscription-activation.md) [Windows 10/11 Subscription Activation](windows-10-subscription-activation.md)
<BR>[Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations) <BR>[Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations)
<BR>[Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf) <BR>[Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf)
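Review bot: the link target for "Licensing the Windows Desktop for VDI Environments" now points to licensing_windows_desktop_os_for_virtual_machines.pdf, but the link text is unchanged from the old "Microsoft VDI and VDA FAQ v3 0" document. Please confirm the title of the new PDF and update the link text to match so readers know which document they are opening. Minor style point: the `<BR>` tags joining these three links are a pre-existing oddity; a Markdown list renders the same and is easier to maintain.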

View File

@ -1,142 +1,147 @@
--- ---
title: Activate using Active Directory-based activation (Windows 10) title: Activate using Active Directory-based activation (Windows 10)
description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects. description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
ms.custom: seo-marvel-apr2020 ms.custom: seo-marvel-apr2020
ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af
manager: dougeby manager: dougeby
ms.author: greglin ms.author: greglin
keywords: vamt, volume activation, activation, windows activation keywords: vamt, volume activation, activation, windows activation
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: activation ms.pagetype: activation
audience: itpro audience: itpro
author: greg-lindsay author: greg-lindsay
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 07/27/2017 ms.date: 01/13/2022
ms.topic: article ms.topic: article
ms.collection: highpri ms.collection: highpri
--- ---
# Activate using Active Directory-based activation # Activate using Active Directory-based activation
> Applies to **Applies to**
>
>- Windows 10 Windows 11
>- Windows 8.1 Windows 10
>- Windows 8 Windows 8.1
>- Windows Server 2012 R2 Windows 8
>- Windows Server 2012 Windows Server 2012 R2
>- Windows Server 2016 Windows Server 2012
>- Windows Server 2019 Windows Server 2016
>- Office 2013* Windows Server 2019
>- Office 2016* Office 2021*
>- Office 2019* Office 2019*
Office 2016*
**Looking for retail activation?** Office 2013*
- [Get Help Activating Microsoft Windows 7 or Windows 8.1](https://support.microsoft.com/help/15083/windows-activate-windows-7-or-8-1) **Looking for retail activation?**
- [Get Help Activating Microsoft Windows 10](https://support.microsoft.com/help/12440/windows-10-activate)
- [Get Help Activating Microsoft Windows 7 or Windows 8.1](https://support.microsoft.com/help/15083/windows-activate-windows-7-or-8-1)
Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated using *adprep.exe* on a supported server OS, but after the schema is updated, older domain controllers can still activate clients. - [Get Help Activating Microsoft Windows 10](https://support.microsoft.com/help/12440/windows-10-activate)
Any domain-joined computers running a supported operating system with a Generic Volume License Key (GVLK) will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention. Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated using *adprep.exe* on a supported server OS, but after the schema is updated, older domain controllers can still activate clients.
To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10. Any domain-joined computers running a supported operating system with a Generic Volume License Key (GVLK) will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention.
The process proceeds as follows: To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10.
1. Perform one of the following tasks: The process proceeds as follows:
- Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard.
- Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT. 1. Perform one of the following tasks:
- Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard.
2. Microsoft verifies the KMS host key, and an activation object is created. - Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT.
3. Client computers are activated by receiving the activation object from a domain controller during startup. 2. Microsoft verifies the KMS host key, and an activation object is created.
> [!div class="mx-imgBorder"] 3. Client computers are activated by receiving the activation object from a domain controller during startup.
> ![Active Directory-based activation flow.](../images/volumeactivationforwindows81-10.jpg)
> [!div class="mx-imgBorder"]
**Figure 10**. The Active Directory-based activation flow > ![Active Directory-based activation flow.](../images/volumeactivationforwindows81-10.jpg)
For environments in which all computers are running an operating system listed under *Applies to*, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment. **Figure 10**. The Active Directory-based activation flow
If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office. For environments in which all computers are running an operating system listed under *Applies to*, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment.
Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days. If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office.
When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, and the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS. Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days.
## Step-by-step configuration: Active Directory-based activation When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, and the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS.
> [!NOTE] ## Step-by-step configuration: Active Directory-based activation
> You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings.
> [!NOTE]
**To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:** > You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings.
1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller. **To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:**
2. Launch Server Manager. 1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller.
3. Add the Volume Activation Services role, as shown in Figure 11. 2. Launch Server Manager.
![Adding the Volume Activation Services role.](../images/volumeactivationforwindows81-11.jpg) 3. Add the Volume Activation Services role, as shown in Figure 11.
**Figure 11**. Adding the Volume Activation Services role ![Adding the Volume Activation Services role.](../images/volumeactivationforwindows81-11.jpg)
4. Click the link to launch the Volume Activation Tools (Figure 12). **Figure 11**. Adding the Volume Activation Services role
![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-12.jpg) 4. Click the link to launch the Volume Activation Tools (Figure 12).
**Figure 12**. Launching the Volume Activation Tools ![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-12.jpg)
5. Select the **Active Directory-Based Activation** option (Figure 13). **Figure 12**. Launching the Volume Activation Tools
![Selecting Active Directory-Based Activation.](../images/volumeactivationforwindows81-13.jpg) 5. Select the **Active Directory-Based Activation** option (Figure 13).
**Figure 13**. Selecting Active Directory-Based Activation ![Selecting Active Directory-Based Activation.](../images/volumeactivationforwindows81-13.jpg)
6. Enter your KMS host key and (optionally) a display name (Figure 14). **Figure 13**. Selecting Active Directory-Based Activation
![Choosing how to activate your product.](../images/volumeactivationforwindows81-15.jpg) 6. Enter your KMS host key and (optionally) a display name (Figure 14).
**Figure 14**. Entering your KMS host key ![Choosing how to activate your product.](../images/volumeactivationforwindows81-15.jpg)
7. Activate your KMS host key by phone or online (Figure 15). **Figure 14**. Entering your KMS host key
![Entering your KMS host key.](../images/volumeactivationforwindows81-14.jpg) 7. Activate your KMS host key by phone or online (Figure 15).
**Figure 15**. Choosing how to activate your product ![Entering your KMS host key.](../images/volumeactivationforwindows81-14.jpg)
> [!NOTE] **Figure 15**. Choosing how to activate your product
> To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed.
> > [!NOTE]
> > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed. For more details, see [Activate volume licensed versions of Office by using Active Directory](/deployoffice/vlactivation/activate-office-by-using-active-directory).
> - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584)
> >
> - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164) >
> > - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584)
> - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342) >
> - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164)
8. After activating the key, click **Commit**, and then click **Close**. >
> - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342)
## Verifying the configuration of Active Directory-based activation >
> - [Office LTSC 2021 VL pack](https://www.microsoft.com/download/details.aspx?id=103446)
To verify your Active Directory-based activation configuration, complete the following steps:
8. After activating the key, click **Commit**, and then click **Close**.
1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing.
2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key. ## Verifying the configuration of Active Directory-based activation
3. If the computer is not joined to your domain, join it to the domain.
4. Sign in to the computer. To verify your Active Directory-based activation configuration, complete the following steps:
5. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
6. Scroll down to the **Windows activation** section, and verify that this client has been activated. 1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing.
2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key.
> [!NOTE] 3. If the computer is not joined to your domain, join it to the domain.
> If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used. 4. Sign in to the computer.
> 5. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
> To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](./volume-activation-management-tool.md). 6. Scroll down to the **Windows activation** section, and verify that this client has been activated.
> [!NOTE]
## See also > If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
>
- [Volume Activation for Windows 10](volume-activation-windows-10.md) > To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](./volume-activation-management-tool.md).
## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
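Review bot: the reworked **Applies to** list (Windows 11 through Office 2013*) has lost its `-` list markers on the new side; in Markdown, consecutive lines with no bullet and no blank line between them collapse into one paragraph, so these will render as a single run-on line. Suggest restoring `- Windows 11`, `- Windows 10`, and so on; the **Looking for retail activation?** list directly below keeps its bullets and is the pattern to follow. Three smaller points in the same file: the title still reads "(Windows 10)" although Windows 11 was just added to the scope; step 2 of the verification procedure says "GLVK" where it means GVLK; and the Figure 14 and Figure 15 images look cross-wired (the image captioned "Entering your KMS host key" has alt text "Choosing how to activate your product" and file name -15.jpg, and vice versa), which is worth straightening out while the file is open.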

View File

@ -162,7 +162,7 @@ After you download this file, the name will be extremely long (ex: 19042.508.200
The **Get-NetAdaper** cmdlet is used to automatically find the network adapter that's most likely to be the one you use to connect to the internet. You should test this command first by running the following at an elevated Windows PowerShell prompt: The **Get-NetAdaper** cmdlet is used to automatically find the network adapter that's most likely to be the one you use to connect to the internet. You should test this command first by running the following at an elevated Windows PowerShell prompt:
```powershell ```powershell
(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name (Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name
``` ```
The output of this command should be the name of the network interface you use to connect to the internet. Verify that this is the correct interface name. If it isn't the correct interface name, you'll need to edit the first command below to use your network interface name. The output of this command should be the name of the network interface you use to connect to the internet. Verify that this is the correct interface name. If it isn't the correct interface name, you'll need to edit the first command below to use your network interface name.
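Review bot: the prose introducing this code block still names the cmdlet "Get-NetAdaper" while the command itself is Get-NetAdapter; since this hunk already edits the code, fix the spelling in the text too. Expanding `?` to `Where-Object` is a good readability change, but the filter still uses `!$_.Virtual`; `-not $_.Virtual` is the idiomatic form and would complete it.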
@ -178,10 +178,10 @@ All VM data will be created under the current path in your PowerShell prompt. Co
> >
>- If you previously enabled Hyper-V and your internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal." >- If you previously enabled Hyper-V and your internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."
>- If you have never created an external VM switch before, then just run the commands below. >- If you have never created an external VM switch before, then just run the commands below.
>- If you're not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a currently list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that's used to connect to the internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch). >- If you're not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a current list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that's used to connect to the internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch).
```powershell ```powershell
New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name
New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
Start-VM -VMName WindowsAutopilot Start-VM -VMName WindowsAutopilot
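Review bot: the New-VMSwitch line re-runs the adapter filter rather than using the interface name the reader was just told to verify; if the filter matches more than one adapter (for example Ethernet and Wi-Fi both Up and non-virtual), `.Name` yields an array and `-NetAdapterName` receives several names, which is not the single external switch the note above describes. Suggest either telling the reader to paste the verified interface name here, or selecting a single adapter explicitly (for example with `Select-Object -First 1`) and saying so in the text.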
@ -238,7 +238,6 @@ PS C:\autopilot&gt;
Make sure that the VM booted from the installation ISO, select **Next**, select **Install now**, and then complete the Windows installation process. See the following examples: Make sure that the VM booted from the installation ISO, select **Next**, select **Install now**, and then complete the Windows installation process. See the following examples:
![Windows setup example 1](images/winsetup1.png) ![Windows setup example 1](images/winsetup1.png)
![Windows setup example 2](images/winsetup2.png) ![Windows setup example 2](images/winsetup2.png)
@ -251,7 +250,6 @@ Make sure that the VM booted from the installation ISO, select **Next**, select
![Windows setup example 6](images/winsetup6.png) ![Windows setup example 6](images/winsetup6.png)
After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This offers the fastest way to the desktop. For example: After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This offers the fastest way to the desktop. For example:
![Windows setup example 7.](images/winsetup7.png) ![Windows setup example 7.](images/winsetup7.png)
@ -279,12 +277,12 @@ Follow these steps to run the PowerShell script:
1. **On the client VM**: Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same whether you're using a VM or a physical device: 1. **On the client VM**: Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same whether you're using a VM or a physical device:
```powershell ```powershell
md c:\HWID New-Item -Type Directory -Path "C:\HWID"
Set-Location c:\HWID Set-Location C:\HWID
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutopilotInfo -Force Install-Script -Name Get-WindowsAutopilotInfo -Force
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts" $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv
``` ```
1. When you're prompted to install the NuGet package, choose **Yes**. 1. When you're prompted to install the NuGet package, choose **Yes**.
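Review bot: tightening the execution policy from Unrestricted to RemoteSigned is the right call for a lab that installs a script from the PowerShell Gallery, but the same line also drops `-Force`, so Set-ExecutionPolicy will now ask for confirmation before changing the policy; either keep `-Force` or mention that prompt alongside the NuGet prompt in the step that follows. One sentence in the text would also help readers who deviate from the steps: RemoteSigned runs the installed Get-WindowsAutopilotInfo script only because it is signed or not marked as downloaded from the Internet, so an unsigned script copied in by hand will fail with a policy error.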
@ -349,7 +347,7 @@ Follow these steps to run the PowerShell script:
With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE. With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
On the Virtual Machine, go to **Settings > Update & Security > Recovery** and select **Get started** under **Reset this PC**. On the Virtual Machine, go to **Settings > Update & Security > Recovery** and select **Get started** under **Reset this PC**.
Select **Remove everything** and **Just remove my files**. If you're asked **How would you like to reinstall Windows**, select Local reinstall. Finally, select **Reset**. Select **Remove everything**, then, on **How would you like to reinstall Windows**, select **Local reinstall**. Finally, select **Reset**.
![Reset this PC final prompt.](images/autopilot-reset-prompt.jpg) ![Reset this PC final prompt.](images/autopilot-reset-prompt.jpg)
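Review bot: Making "**How would you like to reinstall Windows**" an unconditional step drops the "If you're asked" guard the old sentence had for Reset flows that never show that page, and the old "**Just remove my files**" choice is now not mentioned anywhere; consider keeping the conditional form, e.g. "Select **Remove everything**. If you're asked **How would you like to reinstall Windows**, select **Local reinstall**. Finally, select **Reset**."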
@ -616,7 +614,7 @@ To use the device (or VM) for other purposes after completion of this lab, you n
### Delete (deregister) Autopilot device ### Delete (deregister) Autopilot device
You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), log into the MEM admin center, then go to **Intune > Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu. You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), log into the MEM admin center, then go to **Intune > Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu.
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> ![Delete device step 1.](images/delete-device1.png) > ![Delete device step 1.](images/delete-device1.png)


@ -1218,7 +1218,7 @@ The following fields are available:
- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. - **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime. - **RunDate** The date that the diagnostic data run was stated, expressed as a filetime.
- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic. - **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. - **RunOnline** Indicates if appraiser was able to connect to Windows Update and therefore is making decisions using up-to-date driver coverage information.
- **RunResult** The hresult of the Appraiser diagnostic data run. - **RunResult** The hresult of the Appraiser diagnostic data run.
- **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run. - **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run.
- **StoreHandleIsNotNull** Obsolete, always set to false - **StoreHandleIsNotNull** Obsolete, always set to false
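Review bot: Two typos on the unchanged lines of this hunk are left as-is while `theefore` is fixed: `RunDate` says the run was "stated" (should be "started"), and `RunAppraiser` reads "If this if false" (should be "If this is false"); worth fixing in the same pass.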
@ -1289,10 +1289,10 @@ This event sends type and capacity data about the battery on the device, as well
The following fields are available: The following fields are available:
- **InternalBatteryCapablities** Represents information about what the battery is capable of doing. - **InternalBatteryCapablities** Represents information about what the battery is capable of doing.
- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. - **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity to estimate the battery's wear.
- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. - **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh.
- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. - **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance.
- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. - **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected. Boolean value.
### Census.Enterprise ### Census.Enterprise
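Review bot: `InternalBatteryNumberOfCharges`, two lines above the whitespace fix, still reads "existing products meets" (should be "meet"). The misspelled `InternalBatteryCapablities` is presumably the literal field name as emitted, so leave that one alone.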
@ -1304,10 +1304,10 @@ The following fields are available:
- **AzureOSIDPresent** Represents the field used to identify an Azure machine. - **AzureOSIDPresent** Represents the field used to identify an Azure machine.
- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. - **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
- **CDJType** Represents the type of cloud domain joined for the machine. - **CDJType** Represents the type of cloud domain joined for the machine.
- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. - **CommercialId** Represents the GUID for the commercial entity which the device is a member of. Will be used to reflect insights back to customers.
- **ContainerType** The type of container, such as process or virtual machine hosted. - **ContainerType** The type of container, such as process or virtual machine hosted.
- **HashedDomain** The hashed representation of the user domain used for login. - **HashedDomain** The hashed representation of the user domain used for login.
- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false - **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (Azure AD) tenant? true/false
- **IsDERequirementMet** Represents if the device can do device encryption. - **IsDERequirementMet** Represents if the device can do device encryption.
- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption - **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption
- **IsDomainJoined** Indicates whether a machine is joined to a domain. - **IsDomainJoined** Indicates whether a machine is joined to a domain.
@ -1315,7 +1315,7 @@ The following fields are available:
- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise System Center Configuration Manager (SCCM) environment. - **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise System Center Configuration Manager (SCCM) environment.
- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. - **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier. - **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier.
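Review bot: `SCCMClientId`, on the unchanged line just above the `ServerFeatures` whitespace fix, reads "This ID correlate systems" (should be "correlates").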
@ -1437,7 +1437,7 @@ The following fields are available:
- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. - **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine.
- **OSEdition** Retrieves the version of the current OS. - **OSEdition** Retrieves the version of the current OS.
- **OSInstallDateTime** Retrieves the date the OS was installed using ISO 8601 (Date part) == yyyy-mm-dd - **OSInstallDateTime** Retrieves the date the OS was installed using ISO 8601 (Date part) == yyyy-mm-dd
- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc - **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc.
- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). - **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
- **OSSKU** Retrieves the Friendly Name of OS Edition. - **OSSKU** Retrieves the Friendly Name of OS Edition.
- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. - **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines.
@ -1491,7 +1491,7 @@ The following fields are available:
- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. - **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices.
- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). - **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS).
- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. - **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities.
- **RemotelyManaged** Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities. - **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities.
- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. - **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice.
- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. - **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device.
@ -1823,7 +1823,7 @@ The following fields are available:
- **creativeId** A serialized string containing the ID of the offer being rendered, the ID of the current rotation period, the ID of the surface/ring/market combination, the offer index in the current branch, the ID of the batch, the rotation period length, and the expiration timestamp. - **creativeId** A serialized string containing the ID of the offer being rendered, the ID of the current rotation period, the ID of the surface/ring/market combination, the offer index in the current branch, the ID of the batch, the rotation period length, and the expiration timestamp.
- **eventToken** In there are multiple item offers, such as Start tiles, this indicates which tile the event corresponds to. - **eventToken** In there are multiple item offers, such as Start tiles, this indicates which tile the event corresponds to.
- **eventType** A code that indicates the type of creative event, such a impression, click, positive feedback, negative feedback, etc.. - **eventType** A code that indicates the type of creative event, such a impression, click, positive feedback, negative feedback, etc.
- **placementId** Name of surface, such as LockScreen or Start. - **placementId** Name of surface, such as LockScreen or Start.
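Review bot: The `etc..` fix on `eventType` leaves two errors on the same pair of lines: `eventToken` begins "In there are multiple item offers" (should be "If there are"), and `eventType` says "such a impression" (should be "such as impression").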
@ -2139,7 +2139,7 @@ This event sends data about hangs for both native and managed applications, to h
The following fields are available: The following fields are available:
- **AppName** The name of the app that has hung. - **AppName** The name of the app that has hung.
- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. - **AppSessionGuid** GUID made up of process ID used as a correlation vector for process instances in the telemetry backend.
- **AppVersion** The version of the app that has hung. - **AppVersion** The version of the app that has hung.
- **PackageFullName** Store application identity. - **PackageFullName** Store application identity.
- **PackageRelativeAppId** Store application identity. - **PackageRelativeAppId** Store application identity.
@ -2154,7 +2154,7 @@ The following fields are available:
- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. - **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. - **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. - **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. - **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative applicationIDof the package.
## Inventory events ## Inventory events
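Review bot: The `id` to `ID` substitution on `WaitingOnPackageRelativeAppId` swallowed the surrounding spaces, so the line now reads "relative applicationIDof the package"; it should be "relative application ID of the package". This looks like a replace of " id " that dropped the spaces, and the same artefact appears in later hunks of this file (`uniqueIDto`, `specificIDof`), so a search for `IDof` and `IDto` before merge would catch them all.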
@ -2845,8 +2845,8 @@ The following fields are available:
- **BatteryCapacity** Maximum battery capacity in mWh - **BatteryCapacity** Maximum battery capacity in mWh
- **BatteryCharge** Current battery charge as a percentage of total capacity - **BatteryCharge** Current battery charge as a percentage of total capacity
- **BatteryDischarging** Flag indicating whether the battery is discharging or charging - **BatteryDischarging** Flag indicating whether the battery is discharging or charging
- **BootId** Monotonically increasing boot id, reset on upgrades. - **BootId** Monotonically increasing boot ID, reset on upgrades.
- **BootTimeUTC** Boot time in UTC  file time. - **BootTimeUTC** Boot time in UTC file time.
- **EventSequence** Monotonically increasing event number for OsStateChange events logged during this boot. - **EventSequence** Monotonically increasing event number for OsStateChange events logged during this boot.
- **LastStateTransition** The previous state transition on the device. - **LastStateTransition** The previous state transition on the device.
- **LastStateTransitionSub** The previous state subtransition on the device. - **LastStateTransitionSub** The previous state subtransition on the device.
@ -3238,7 +3238,7 @@ The following fields are available:
- **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System Disk Drive, measured in Megabytes. - **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System Disk Drive, measured in Megabytes.
- **Result** The HRESULT for Detection or Perform Action phases of the plug-in. - **Result** The HRESULT for Detection or Perform Action phases of the plug-in.
- **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in. - **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in.
- **ServiceHealthPlugin** The nae of the Service Health plug-in. - **ServiceHealthPlugin** The name of the Service Health plug-in.
- **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully. - **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully.
- **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. - **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes.
- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Microsoft Store cache after cleanup, measured in Megabytes. - **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Microsoft Store cache after cleanup, measured in Megabytes.
@ -3882,7 +3882,7 @@ This event sends basic metadata about the SetupPlatform update installation proc
The following fields are available: The following fields are available:
- **ActivityId** Provides a unique Id to correlate events that occur between a activity start event, and a stop event - **ActivityId** Provides a uniqueIDto correlate events that occur between a activity start event, and a stop event
- **ActivityName** Provides a friendly name of the package type that belongs to the ActivityId (Setup, LanguagePack, GDR, Driver, etc.) - **ActivityName** Provides a friendly name of the package type that belongs to the ActivityId (Setup, LanguagePack, GDR, Driver, etc.)
- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. - **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. - **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
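Review bot: `ActivityId` now reads "Provides a uniqueIDto correlate events" (missing spaces); it should be "Provides a unique ID to correlate events". The same line also has "between a activity start event" (should be "an activity"), worth fixing while the line is being touched.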
@ -3924,7 +3924,7 @@ Activity for deletion of a user account for devices set up for Shared PC mode as
The following fields are available: The following fields are available:
- **accountType** The type of account that was deleted. Example: AD, AAD, or Local - **accountType** The type of account that was deleted. Example: AD, Azure AD, or Local
- **userSid** The security identifier of the account. - **userSid** The security identifier of the account.
- **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. See [wilActivity](#wilactivity). - **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. See [wilActivity](#wilactivity).
@ -4043,7 +4043,7 @@ The following fields are available:
- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. - **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled.
- **DriverSyncPassPerformed** Were drivers scanned this time? - **DriverSyncPassPerformed** Were drivers scanned this time?
- **EventInstanceID** A globally unique identifier for event instance. - **EventInstanceID** A globally unique identifier for event instance.
- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed.
- **ExtendedMetadataCabUrl** Hostname that is used to download an update. - **ExtendedMetadataCabUrl** Hostname that is used to download an update.
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. - **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan.
@ -4114,7 +4114,7 @@ The following fields are available:
- **EventInstanceID** A globally unique identifier for event instance. - **EventInstanceID** A globally unique identifier for event instance.
- **EventScenario** State of call - **EventScenario** State of call
- **EventType** Possible values are "Child", "Bundle", or "Driver". - **EventType** Possible values are "Child", "Bundle", or "Driver".
- **FlightId** The specific id of the flight the device is getting - **FlightId** The specificIDof the flight the device is getting
- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.)
- **RevisionNumber** Unique revision number of Update - **RevisionNumber** Unique revision number of Update
- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store. - **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store.
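Review bot: `FlightId` now reads "The specificIDof the flight" (missing spaces around `ID`); it should be "The specific ID of the flight the device is getting".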
@ -4160,13 +4160,13 @@ The following fields are available:
- **Edition** Identifies the edition of Windows currently running on the device. - **Edition** Identifies the edition of Windows currently running on the device.
- **EventInstanceID** A globally unique identifier for event instance. - **EventInstanceID** A globally unique identifier for event instance.
- **EventNamespaceID** The ID of the test events environment. - **EventNamespaceID** The ID of the test events environment.
- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. - **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was canceled, succeeded, or failed.
- **EventType** Identifies the type of the event (Child, Bundle, or Driver). - **EventType** Identifies the type of the event (Child, Bundle, or Driver).
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight.
- **FlightId** The specific id of the flight (pre-release build) the device is getting. - **FlightId** The specificIDof the flight (pre-release build) the device is getting.
- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). - **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.).
- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. - **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
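Review bot: `FlightId` again has the collapsed "The specificIDof the flight (pre-release build)"; it should be "The specific ID of the flight (pre-release build) the device is getting."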
@ -4188,7 +4188,7 @@ The following fields are available:
- **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. - **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector.
- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
- **RevisionNumber** The revision number of the specified piece of content. - **RevisionNumber** The revision number of the specified piece of content.
- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). - **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade.
- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped.
- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
@ -4217,8 +4217,8 @@ The following fields are available:
- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
- **ClientVersion** The version number of the software distribution client - **ClientVersion** The version number of the software distribution client
- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed
- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" - **EventType** Possible values are "Child", "Bundle", "Release" or "Driver"
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough
- **FileId** A hash that uniquely identifies a file - **FileId** A hash that uniquely identifies a file
- **FileName** Name of the downloaded file - **FileName** Name of the downloaded file
@ -4247,10 +4247,10 @@ The following fields are available:
- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" - **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered"
- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any - **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any
- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any - **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any
- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) - **PowerState** Indicates the power state of the device at the time of heartbeat (DC, AC, Battery Saver, or Connected Standby)
- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one - **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one
- **ResumeCount** Number of times this active download has resumed from a suspended state - **ResumeCount** Number of times this active download has resumed from a suspended state
- **ServiceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **ServiceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.)
- **SuspendCount** Number of times this active download has entered a suspended state - **SuspendCount** Number of times this active download has entered a suspended state
- **SuspendReason** Last reason for why this active download entered a suspended state - **SuspendReason** Last reason for why this active download entered a suspended state
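Review bot: The `etc` to `etc.` fix on `ServiceID` leaves the malformed quoting on `IsNetworkMetered` untouched: `?metered"` looks like a mis-encoded opening quote and should read `"metered"`.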
@ -4285,8 +4285,8 @@ The following fields are available:
- **DriverPingBack** Contains information about the previous driver and system state. - **DriverPingBack** Contains information about the previous driver and system state.
- **Edition** Indicates the edition of Windows being used. - **Edition** Indicates the edition of Windows being used.
- **EventInstanceID** A globally unique identifier for event instance. - **EventInstanceID** A globally unique identifier for event instance.
- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc. - **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Canceled, Failed, etc.
- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was canceled, succeeded, or failed.
- **EventType** Possible values are Child, Bundle, or Driver. - **EventType** Possible values are Child, Bundle, or Driver.
- **ExtendedErrorCode** The extended error code. - **ExtendedErrorCode** The extended error code.
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
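Review bot: `EventNamespaceID` is documented as having the literal format `EventType+Event where Event is Succeeded, Cancelled, Failed`, so the `Cancelled` to `Canceled` change on that line alters a documented field value rather than prose; verify against what the client actually emits before merging, and revert that one occurrence if the emitted token is `Cancelled`. The `EventScenario` line below it is descriptive text and its spelling change is fine.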
@ -4342,7 +4342,7 @@ This event sends data about the ability of Windows to discover the location of a
The following fields are available: The following fields are available:
- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed
- **HResult** Indicates the result code of the event (success, cancellation, failure code HResult) - **HResult** Indicates the result code of the event (success, cancellation, failure code HResult)
- **IsBackground** Indicates whether the SLS discovery event took place in the foreground or background - **IsBackground** Indicates whether the SLS discovery event took place in the foreground or background
- **NextExpirationTime** Indicates when the SLS cab expires - **NextExpirationTime** Indicates when the SLS cab expires
@ -4536,7 +4536,7 @@ The following fields are available:
- **FlightMetadata** Contains the FlightId and the build being flighted. - **FlightMetadata** Contains the FlightId and the build being flighted.
- **ObjectId** Unique value for each Update Agent mode. - **ObjectId** Unique value for each Update Agent mode.
- **RelatedCV** Correlation vector value generated from the latest USO scan. - **RelatedCV** Correlation vector value generated from the latest USO scan.
- **Result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled - **Result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Canceled, 3 = Blocked, 4 = BlockCanceled
- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate - **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
- **SessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). - **SessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
- **SessionId** Unique value for each Update Agent mode attempt . - **SessionId** Unique value for each Update Agent mode attempt .
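Review bot: the trailing context line still carries a stray space before the period ("Unique value for each Update Agent mode attempt .") and could be cleaned in the same pass that respells the Result names. Because the documented values of Result are the integers 0 through 4, renaming BlockCancelled to BlockCanceled is cosmetic and safe, as long as the install-phase Result list uses the same spelling.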
@ -4553,7 +4553,7 @@ The following fields are available:
- **FlightId** Unique ID for each flight. - **FlightId** Unique ID for each flight.
- **ObjectId** Unique value for each Update Agent mode. - **ObjectId** Unique value for each Update Agent mode.
- **RelatedCV** Correlation vector value generated from the latest scan. - **RelatedCV** Correlation vector value generated from the latest scan.
- **Result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled - **Result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Canceled, 3 = Blocked, 4 = BlockCanceled
- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate - **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
- **SessionId** Unique value for each Update Agent mode attempt. - **SessionId** Unique value for each Update Agent mode attempt.
- **UpdateId** Unique ID for each update. - **UpdateId** Unique ID for each update.
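Review bot: the Result line is missing a comma after "0 = Succeeded" ("0 = Succeeded 1 = Failed"), which the respelling in this hunk leaves in place; suggest "0 = Succeeded, 1 = Failed, 2 = Canceled, 3 = Blocked, 4 = BlockCanceled" so it matches the initialize-phase list.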
@ -4819,7 +4819,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). - **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors).
- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). - **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT).
- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. - **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** An ID that uniquely identifies a group of events. - **TestId** An ID that uniquely identifies a group of events.
- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. - **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
@ -4840,7 +4840,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** ID that uniquely identifies a group of events. - **TestId** ID that uniquely identifies a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
@ -4861,7 +4861,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** ID that uniquely identifies a group of events. - **TestId** ID that uniquely identifies a group of events.
- **WuId** Windows Update client ID. - **WuId** Windows Update client ID.
@ -4882,7 +4882,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. - **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled
- **TestId** A string to uniquely identify a group of events. - **TestId** A string to uniquely identify a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
@ -4924,7 +4924,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. - **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** ID that uniquely identifies a group of events. - **TestId** ID that uniquely identifies a group of events.
- **WuId** Windows Update client ID. - **WuId** Windows Update client ID.
@ -4945,7 +4945,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). - **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT).
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** A string to uniquely identify a group of events. - **TestId** A string to uniquely identify a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
@ -4966,7 +4966,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. - **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** A string to uniquely identify a group of events. - **TestId** A string to uniquely identify a group of events.
- **WuId** Windows Update client ID. - **WuId** Windows Update client ID.
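Review bot: the Setup360Scenario context line in this hunk has a comma where a period belongs ("The Setup360 flow type, Example: Boot, Media, Update, MCT."); suggest "The Setup360 flow type. Example: Boot, Media, Update, MCT." to align with the other Setup360 entries.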
@ -5026,7 +5026,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** A string to uniquely identify a group of events. - **TestId** A string to uniquely identify a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
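Review bot: the doubled word in the Setup360Result context line ("can be used used to diagnose errors") is left unchanged by this hunk; since the spelling pass touches this block anyway, drop the repeated "used".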
@ -5035,7 +5035,7 @@ The following fields are available:
### Microsoft.Windows.WERVertical.OSCrash ### Microsoft.Windows.WERVertical.OSCrash
This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
The following fields are available: The following fields are available:
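Review bot: the line that fixes "wheneveer" still reads "The is the OneCore version of this event"; suggest "This is the OneCore version of this event" so the sentence is corrected in one pass.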
@ -5048,7 +5048,7 @@ The following fields are available:
- **DumpFileAttributes** Codes that identify the type of data contained in the dump file - **DumpFileAttributes** Codes that identify the type of data contained in the dump file
- **DumpFileSize** Size of the dump file - **DumpFileSize** Size of the dump file
- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise - **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise
- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). - **ReportId** WER Report ID associated with this bug check (used for finding the corresponding report archive in Watson).
### WerTraceloggingProvider.AppCrashEvent ### WerTraceloggingProvider.AppCrashEvent
@ -5076,7 +5076,7 @@ The following fields are available:
- **TargetAppId** The target app ID. - **TargetAppId** The target app ID.
- **TargetAppVer** The target app version. - **TargetAppVer** The target app version.
<!-- 01.06.2022 mandia: Commenting out, as these events are specific to Windows Phone.
## Windows Phone events ## Windows Phone events
### Microsoft.Windows.Phone.Telemetry.OnBoot.RebootReason ### Microsoft.Windows.Phone.Telemetry.OnBoot.RebootReason
@ -5088,7 +5088,7 @@ The following fields are available:
- **BootId** The system boot ID. - **BootId** The system boot ID.
- **BoottimeSinceLastShutdown** The boot time since the last shutdown. - **BoottimeSinceLastShutdown** The boot time since the last shutdown.
- **RebootReason** Reason for the reboot. - **RebootReason** Reason for the reboot.
-->
## Windows Store events ## Windows Store events
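Review bot: wrapping the Windows Phone events section in an HTML comment keeps the heading and the field list in the source instead of removing them, and because the "<!--" opens in the previous hunk while the "-->" closes here, a later edit to either hunk can easily unbalance the comment. If these events no longer apply, deleting the section outright is cleaner (git history retains it); if the intent is a temporary hide, a tracking reference next to the dated note would make that explicit. Also confirm that the publishing pipeline strips HTML comments, since some Markdown renderers pass them through into the page's HTML.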
@ -5491,7 +5491,7 @@ The following fields are available:
- **CatalogId** The Store Catalog ID for the product being installed. - **CatalogId** The Store Catalog ID for the product being installed.
- **ProductId** The Store Product ID for the product being installed. - **ProductId** The Store Product ID for the product being installed.
- **SkuId** Specfic edition of the app being updated. - **SkuId** Specific edition of the app being updated.
### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest ### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest
@ -5505,7 +5505,7 @@ The following fields are available:
## Windows Update Delivery Optimization events ## Windows Update Delivery Optimization events
### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled ### Microsoft.OSG.DU.DeliveryOptClient.Downloadcanceled
This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date. This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
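Review bot: the heading is changed from "Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled" to "Microsoft.OSG.DU.DeliveryOptClient.Downloadcanceled", which lowercases part of an event identifier. The original was already spelled "Canceled", so this looks like a side effect of a case-insensitive search-and-replace rather than an intended edit. Revert the heading to DownloadCanceled, and check the rest of the change for other identifiers (event names, field names, literal values) that the replacement may have touched in the same way.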
@ -5871,7 +5871,7 @@ The following fields are available:
- **detectionBlockreason** The reason detection did not complete. - **detectionBlockreason** The reason detection did not complete.
- **detectionDeferreason** A log of deferral reasons for every update state. - **detectionDeferreason** A log of deferral reasons for every update state.
- **errorCode** The error code returned for the current process. - **errorCode** The error code returned for the current process.
- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. - **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was canceled, succeeded, or failed.
- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable. - **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable.
- **interactive** Indicates whether the user initiated the session. - **interactive** Indicates whether the user initiated the session.
- **revisionNumber** The Update revision number. - **revisionNumber** The Update revision number.
@ -5938,7 +5938,7 @@ The following fields are available:
- **batteryLevel** Current battery capacity in mWh or percentage left. - **batteryLevel** Current battery capacity in mWh or percentage left.
- **deferReason** Reason for install not completing. - **deferReason** Reason for install not completing.
- **errorCode** The error code reppresented by a hexadecimal value. - **errorCode** The error code represented by a hexadecimal value.
- **eventScenario** End-to-end update session ID. - **eventScenario** End-to-end update session ID.
- **flightID** The ID of the Windows Insider build the device is getting. - **flightID** The ID of the Windows Insider build the device is getting.
- **flightUpdate** Indicates whether the update is a Windows Insider build. - **flightUpdate** Indicates whether the update is a Windows Insider build.

View File

@ -69,7 +69,7 @@ Key trust deployments do not need client issued certificates for on-premises aut
The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](/troubleshoot/windows-server/windows-security/requirements-domain-controller). The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](/troubleshoot/windows-server/windows-security/requirements-domain-controller).
* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL, or an Authority Information Access (AIA) extension that points to an Online Certificate Status Protocol (OCSP) responder. * The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL, or an Authority Information Access (AIA) extension that points to an Online Certificate Status Protocol (OCSP) responder.
* The certificate Subject section should contain the directory path of the server object (the distinguished name). * Optionally, the certificate Subject section could contain the directory path of the server object (the distinguished name).
* The certificate Key Usage section must contain Digital Signature and Key Encipherment. * The certificate Key Usage section must contain Digital Signature and Key Encipherment.
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None]. * Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5). * The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
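Review bot: "Optionally, the certificate Subject section could contain" is doubly hedged; the Basic Constraints bullet two lines down uses "Optionally, ... should contain", so the same form here ("Optionally, the certificate Subject section should contain the directory path of the server object") keeps the list consistent. Since this bullet is being downgraded from a recommendation to an optional item, a short reason or a pointer to the linked third-party CA requirements page would tell readers validating domain controller certificates which check no longer applies.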
@ -167,4 +167,4 @@ For federated and non-federated environments, start with **Configure Windows Hel
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) 6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) 7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)

View File

@ -1,6 +1,6 @@
--- ---
title: Identity and access management (Windows 10) title: Identity and access management (Windows 10)
description: Learn more about identity and access protection technologies in Windows 10 and Windows 10 Mobile. description: Learn more about identity and access protection technologies in Windows.
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
@ -17,18 +17,18 @@ ms.date: 02/05/2018
# Identity and access management # Identity and access management
Learn more about identity and access management technologies in Windows 10 and Windows 10 Mobile. Learn more about identity and access management technologies in Windows 10.
| Section | Description | | Section | Description |
|-|-| |-|-|
| [Technical support policy for lost or forgotten passwords](password-support-policy.md)| Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so. | | [Technical support policy for lost or forgotten passwords](password-support-policy.md)| Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so. |
| [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. | | [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
| [Configure S/MIME for Windows 10](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. | | [Configure S/MIME for Windows 10](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
| [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard helps prevent these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. | | [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard helps prevent these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. | | [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. |
| [User Account Control](user-account-control/user-account-control-overview.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.| | [User Account Control](user-account-control/user-account-control-overview.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
| [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. | | [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
| [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. | | [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
| [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. | | [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
| [Windows Hello for Business](hello-for-business/index.yml) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | | [Windows Hello for Business](hello-for-business/index.yml) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on client devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
| [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. | | [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. |
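Review bot: the Smart Cards row still reads "a collection of references topics" (should be "reference topics"), which this hunk leaves untouched even though it rewrites neighbouring rows of the same table; worth fixing in the same pass. The Windows Hello row's change to "client devices" is consistent with dropping Windows 10 Mobile from the description and the intro line.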

View File

@ -1,76 +0,0 @@
---
title: Install digital certificates on Windows 10 Mobile (Windows 10)
description: Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information.
ms.assetid: FF7B1BE9-41F4-44B0-A442-249B650CEE25
ms.reviewer:
keywords: S/MIME, PFX, SCEP
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/27/2017
---
# Install digital certificates on Windows 10 Mobile
**Applies to**
- Windows 10 Mobile
Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services.
Certificates in Windows 10 Mobile are primarily used for the following purposes:
- To create a secure channel using Secure Sockets Layer (SSL) between a phone and a web server or service.
- To authenticate a user to a reverse proxy server that is used to enable Microsoft Exchange ActiveSync (EAS) for email.
- For installation and licensing of applications (from the Windows Phone Store or a custom company distribution site).
>[!WARNING]
>In Windows 10, Version 1607, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. [Learn more about this known issue in Version 1607](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management)
## Install certificates using Microsoft Edge
A certificate can be posted on a website and made available to users through a device-accessible URL that they can use to download the certificate. When a user accesses the page and taps the certificate, it opens on the device. The user can inspect the certificate, and if they choose to continue, the certificate is installed on the Windows 10 Mobile device.
## Install certificates using email
The Windows 10 Mobile certificate installer supports .cer, .p7b, .pem, and .pfx files. Some email programs block .cer files for security reasons. If this is the case in your organization, use an alternative method to deploy the certificate. Certificates that are sent via email appear as message attachments. When a certificate is received, a user can tap to review the contents and then tap to install the certificate. Typically, when an identity certificate is installed, the user is prompted for the password (or passphrase) that protects it.
## Install certificates using mobile device management (MDM)
Windows 10 Mobile supports root, CA, and client certificate to be configured via MDM. Using MDM, an administrator can directly add, delete, or query root and CA certificates, and configure the device to enroll a client certificate with a certificate enrollment server that supports Simple Certificate Enrollment Protocol (SCEP). SCEP enrolled client certificates are used by Wi-Fi, VPN, email, and browser for certificate-based client authentication. An MDM server can also query and delete SCEP enrolled client certificate (including user installed certificates), or trigger a new enrollment request before the current certificate is expired.
>[!WARNING]
>Do not use SCEP for encryption certificates for S/MIME. You must use a PFX certificate profile to support S/MIME on Windows 10 Mobile. For instructions on creating a PFX certificate profile in Microsoft Intune, see [Enable access to company resources using certificate profiles with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkID=718216).
**Process of installing certificates using MDM**
1. The MDM server generates the initial cert enroll request including challenge password, SCEP server URL, and other enrollment related parameters.
2. The policy is converted to the OMA DM request and sent to the device.
3. The trusted CA certificate is installed directly during MDM request.
4. The device accepts certificate enrollment request.
5. The device generates private/public key pair.
6. The device connects to Internet-facing point exposed by MDM server.
7. MDM server creates a certificate that is signed with proper CA certificate and returns it to device.
>[!NOTE]
>The device supports the pending function to allow server side to do additional verification before issuing the cert. In this case, a pending status is sent back to the device. The device will periodically contact the server, based on preconfigured retry count and retry period parameters. Retrying ends when either:
>
>- A certificate is successfully received from the server
>- The server returns an error
>- The number of retries reaches the preconfigured limit
8. The cert is installed in the device. Browser, Wi-Fi, VPN, email, and other first party applications have access to this certificate.
>[!NOTE]
>If MDM requested private key stored in Trusted Process Module (TPM) (configured during enrollment request), the private key will be saved in TPM. Note that SCEP enrolled cert protected by TPM isnt guarded by a PIN. However, if the certificate is imported to the Windows Hello for Business Key Storage Provider (KSP), it is guarded by the Hello PIN.
## Related topics
[Configure S/MIME](configure-s-mime.md)
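Review bot: the removed article's "Related topics" section links to configure-s-mime.md; before merging, check that configure-s-mime.md and the TOC do not still link back to installing-digital-certificates-on-windows-10-mobile.md, otherwise those become dangling links once this page is gone (the redirect only covers inbound traffic to the old URL, not links in the repo).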

View File

@ -56,7 +56,7 @@ There are many options for VPN clients. In Windows 10 and Windows 11, the built-
## Universal Windows Platform VPN plug-in ## Universal Windows Platform VPN plug-in
The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10 and Windows 11, although there were originally separate versions available for the Windows 8.1 Mobile and Windows 8.1 PC platforms. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers. The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10 and Windows 11, although there was originally separate version available for the Windows 8.1 PC platform. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers.
There are a number of Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution. There are a number of Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution.
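Review bot: the rewritten sentence drops an article: "although there was originally separate version available for the Windows 8.1 PC platform" should read "although there was originally a separate version available for the Windows 8.1 PC platform".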

View File

@ -17,8 +17,9 @@ ms.date: 05/17/2018
# VPN profile options # VPN profile options
**Applies to** **Applies to**
- Windows 10
- Windows 11 - Windows 10
- Windows 11
Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp). Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
@ -29,32 +30,32 @@ The following table lists the VPN settings and whether the setting can be config
| Profile setting | Can be configured in Intune and Configuration Manager | | Profile setting | Can be configured in Intune and Configuration Manager |
| --- | --- | | --- | --- |
| Connection type | yes | | Connection type | Yes |
| Routing: split-tunnel routes | yes, except exclusion routes | | Routing: split-tunnel routes | Yes, except exclusion routes |
| Routing: forced-tunnel | yes | | Routing: forced-tunnel | Yes |
| Authentication (EAP) | yes, if connection type is built-in | | Authentication (EAP) | Yes, if connection type is built in |
| Conditional access | yes | | Conditional access | Yes |
| Name resolution: NRPT | yes | | Name resolution: NRPT | Yes |
| Name resolution: DNS suffix | no | | Name resolution: DNS suffix | No |
| Name resolution: persistent | no | | Name resolution: persistent | No |
| Auto-trigger: app trigger | yes | | Auto-trigger: app trigger | Yes |
| Auto-trigger: name trigger | yes | | Auto-trigger: name trigger | Yes |
| Auto-trigger: Always On | yes | | Auto-trigger: Always On | Yes |
| Auto-trigger: trusted network detection | no | | Auto-trigger: trusted network detection | No |
| LockDown | no | | LockDown | No |
| Windows Information Protection (WIP) | yes | | Windows Information Protection (WIP) | Yes |
| Traffic filters | yes | | Traffic filters | Yes |
| Proxy settings | yes, by PAC/WPAD file or server and port | | Proxy settings | Yes, by PAC/WPAD file or server and port |
> [!NOTE] > [!NOTE]
> VPN proxy settings are only used on Force Tunnel Connections. On Split Tunnel Connections, the general proxy settings are used. > VPN proxy settings are only used on Force Tunnel Connections. On Split Tunnel Connections, the general proxy settings are used.
The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This is particularly useful for deploying profiles with features that are not yet supported by MDMs. You can get additional examples in the [ProfileXML XSD](/windows/client-management/mdm/vpnv2-profile-xsd) topic. The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This node is useful for deploying profiles with features that are not yet supported by MDMs. You can get more examples in the [ProfileXML XSD](/windows/client-management/mdm/vpnv2-profile-xsd) article.
## Sample Native VPN profile ## Sample Native VPN profile
The following is a sample Native VPN profile. This blob would fall under the ProfileXML node. The following sample is a sample Native VPN profile. This blob would fall under the ProfileXML node.
```xml ```xml
<VPNProfile> <VPNProfile>
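Review bot: "The following sample is a sample Native VPN profile" under "## Sample Native VPN profile" is redundant; suggest "The following is a sample Native VPN profile" (the original wording) or "The following sample shows a Native VPN profile".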
@ -220,7 +221,7 @@ The following is a sample Native VPN profile. This blob would fall under the Pro
## Sample plug-in VPN profile ## Sample plug-in VPN profile
The following is a sample plug-in VPN profile. This blob would fall under the ProfileXML node. The following sample is a sample plug-in VPN profile. This blob would fall under the ProfileXML node.
```xml ```xml
<VPNProfile> <VPNProfile>
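Review bot: same redundancy as in the previous hunk: "The following sample is a sample plug-in VPN profile" should become "The following is a sample plug-in VPN profile" or "The following sample shows a plug-in VPN profile".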
@ -298,36 +299,31 @@ The following is a sample plug-in VPN profile. This blob would fall under the Pr
## Apply ProfileXML using Intune ## Apply ProfileXML using Intune
After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 or Windows 11 Desktop and Mobile and later)** policy. After you configure the settings that you want using ProfileXML, you can create a custom profile in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). After it's created, you deploy this profile to your devices.
1. Sign into the [Azure portal](https://portal.azure.com). 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
3. Enter the following properties:
2. Go to **Intune** > **Device Configuration** > **Profiles**. - **Platform**: Select **Windows 10 and later**
- **Profile**: Select **Templates** > **Custom**.
3. Click **Create Profile**. 4. Select **Create**.
5. In **Basics**, enter the following properties:
4. Enter a name and (optionally) a description. - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later.
- **Description**: Enter a description for the profile. This setting is optional, but recommended.
5. Choose **Windows 10 and later** as the platform. 6. Select **Next**.
7. In **Configuration settings**, enter the following properties:
6. Choose **Custom** as the profile type and click **Add**. - **OMA-URI**: Enter `./user/vendor/MSFT/VPNv2/Your_VPN profile name_/ProfileXML`.
- **Data type**: Select `String (XML file)`.
- **Value**: Browse to, and select your XML file.
8. Enter a name and (optionally) a description. For more information on these settings, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
9. Enter the OMA-URI **./user/vendor/MSFT/VPNv2/_VPN profile name_/ProfileXML**.
10. Set Data type to **String (XML file)**.
11. Upload the profile XML file.
12. Click **OK**.
![Custom VPN profile.](images/custom-vpn-profile.png)
13. Click **OK**, then **Create**.
14. Assign the profile.
8. Select **Next**, and continue configuring the policy. For the specific steps and recommendations, see [Create a profile with custom settings in Intune](/mem/intune/configuration/custom-settings-configure).
## Learn more ## Learn more
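Review bot: the OMA-URI in step 7, `./user/vendor/MSFT/VPNv2/Your_VPN profile name_/ProfileXML`, carries over the italic underscores from the old `_VPN profile name_` placeholder; inside a code span they render literally, so the path reads as though the node were named "Your_VPN profile name_". Suggest `./user/vendor/MSFT/VPNv2/<VPN profile name>/ProfileXML` plus a sentence saying the placeholder is replaced by the profile's own name. Separately, the `![Custom VPN profile.](images/custom-vpn-profile.png)` reference is dropped here; if no other page references images/custom-vpn-profile.png, delete the image so it does not remain as an orphaned asset.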
@ -335,7 +331,7 @@ After you configure the settings that you want using ProfileXML, you can apply i
- [VPNv2 configuration service provider (CSP) reference](/windows/client-management/mdm/vpnv2-csp) - [VPNv2 configuration service provider (CSP) reference](/windows/client-management/mdm/vpnv2-csp)
- [How to Create VPN Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/dn261200(v=technet.10)) - [How to Create VPN Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/dn261200(v=technet.10))
## Related topics ## Related articles
- [VPN technical guide](vpn-guide.md) - [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md) - [VPN connection types](vpn-connection-type.md)
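Review bot: renaming "## Related topics" to "## Related articles" changes the generated anchor from #related-topics to #related-articles; check for inbound links to vpn-profile-options.md#related-topics before merging.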

View File

@ -30,7 +30,7 @@ This article depicts the BitLocker deployment comparison chart.
| Requirements |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM) | | Requirements |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM) |
|---------|---------|---------|---------| |---------|---------|---------|---------|
|Minimum client operating system version |Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7 and later | |Minimum client operating system version |Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, and Windows 10 IoT |
|Supported Windows SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise | |Supported Windows SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise |
|Minimum Windows version |1909 | None | None | |Minimum Windows version |1909 | None | None |
|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | |Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined |
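Review bot: the MBAM cell in the "Minimum client operating system version" row now lists every supported version ("Windows 7, Windows 8, Windows 8.1, Windows 10, and Windows 10 IoT") rather than a minimum, which no longer matches the row label while the Intune and Configuration Manager cells still read as minimums. Either keep "Windows 7 and later" (or "Windows 7, Windows 8, Windows 8.1, Windows 10, and Windows 10 IoT" under a renamed row such as "Supported client operating systems") so the three columns answer the same question.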

View File

@ -1,6 +1,6 @@
--- ---
title: BitLocker Group Policy settings (Windows 10) title: BitLocker Group Policy settings (Windows 10)
description: This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. description: This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
ms.assetid: 4904e336-29fe-4cef-bb6c-3950541864af ms.assetid: 4904e336-29fe-4cef-bb6c-3950541864af
ms.reviewer: ms.reviewer:
ms.prod: m365-security ms.prod: m365-security
@ -26,17 +26,17 @@ ms.custom: bitlocker
- Windows 10, Windows 11, Windows Server 2019, Windows Server 2016, Windows 8.1, and Windows Server 2012 R2 - Windows 10, Windows 11, Windows Server 2019, Windows Server 2016, Windows 8.1, and Windows Server 2012 R2
This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
To control what drive encryption tasks the user can perform from the Windows Control Panel or to modify other configuration options, you can use Group Policy administrative templates or local computer policy settings. How you configure these policy settings depends on how you implement BitLocker and what level of user interaction will be allowed. To control the drive encryption tasks the user can perform from the Windows Control Panel or to modify other configuration options, you can use Group Policy administrative templates or local computer policy settings. How you configure these policy settings depends on how you implement BitLocker and what level of user interaction will be allowed.
> [!NOTE] > [!NOTE]
> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md). > A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md).
BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**.
Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. If a computer is not compliant with existing Group Policy settings, BitLocker may not be turned on or modified until the computer is in a compliant state. When a drive is out of compliance with Group Policy settings (for example, if a Group Policy setting was changed after the initial BitLocker deployment in your organization, and then the setting was applied to previously encrypted drives), no change can be made to the BitLocker configuration of that drive except a change that will bring it into compliance. Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. If a computer isn't compliant with existing Group Policy settings, BitLocker may not be turned on or modified until the computer is in a compliant state. When a drive is out of compliance with Group Policy settings (for example, if a Group Policy setting was changed after the initial BitLocker deployment in your organization, and then the setting was applied to previously encrypted drives), no change can be made to the BitLocker configuration of that drive except a change that will bring it into compliance.
If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive is initially configured to be unlocked with a password and then Group
Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed. Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed.
> [!NOTE] > [!NOTE]
@ -119,14 +119,14 @@ This policy setting allows users on devices that are compliant with Modern Stand
**Reference** **Reference**
The preboot authentication option **Require startup PIN with TPM** of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support Modern Standby. But visually impaired users have no audible way to know when to enter a PIN. The preboot authentication option **Require startup PIN with TPM** of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that don't support Modern Standby. But visually impaired users have no audible way to know when to enter a PIN.
This setting enables an exception to the PIN-required policy on secure hardware. This setting enables an exception to the PIN-required policy on secure hardware.
### <a href="" id="bkmk-netunlock"></a>Allow network unlock at startup ### <a href="" id="bkmk-netunlock"></a>Allow network unlock at startup
This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption.
This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature. This policy is used with the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.
| | &nbsp; | | | &nbsp; |
|:---|:---| |:---|:---|
@ -136,14 +136,14 @@ This policy is used in addition to the BitLocker Drive Encryption Network Unlock
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
|**Conflicts**|None| |**Conflicts**|None|
|**When enabled**|Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors.| |**When enabled**|Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors.|
|**When disabled or not configured**|Clients cannot create and use Network Key Protectors| |**When disabled or not configured**|Clients can't create and use Network Key Protectors|
**Reference** **Reference**
To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. You can use the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create network key protectors to automatically unlock by using Network Unlock. To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. You can use the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that don't have a TPM can't create network key protectors to automatically unlock by using Network Unlock.
> [!NOTE] > [!NOTE]
> For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or cannot connect to the domain controller at startup. > For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or can't connect to the domain controller at startup.
For more information about Network Unlock, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). For more information about Network Unlock, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
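Review bot: the "When disabled or not configured" cell, "Clients can't create and use Network Key Protectors", still lacks a terminating period while the "When enabled" cell directly above ends with one; since the line is being edited for the contraction anyway, add the period in the same change.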
@ -157,7 +157,7 @@ This policy setting is used to control which unlock options are available for op
|**Introduced**|Windows Server 2008 R2 and Windows 7| |**Introduced**|Windows Server 2008 R2 and Windows 7|
|**Drive type**|Operating system drives| |**Drive type**|Operating system drives|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
|**Conflicts**|If one authentication method is required, the other methods cannot be allowed. Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.| |**Conflicts**|If one authentication method is required, the other methods can't be allowed. Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.|
|**When enabled**|Users can configure advanced startup options in the BitLocker Setup Wizard.| |**When enabled**|Users can configure advanced startup options in the BitLocker Setup Wizard.|
|**When disabled or not configured**|Users can configure only basic options on computers with a TPM. <p> Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.| |**When disabled or not configured**|Users can configure only basic options on computers with a TPM. <p> Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.|
@ -167,10 +167,10 @@ If you want to use BitLocker on a computer without a TPM, select **Allow BitLock
On a computer with a compatible TPM, additional authentication methods can be used at startup to improve protection for encrypted data. When the computer starts, it can use: On a computer with a compatible TPM, additional authentication methods can be used at startup to improve protection for encrypted data. When the computer starts, it can use:
- only the TPM - Only the TPM
- insertion of a USB flash drive containing the startup key - Insertion of a USB flash drive containing the startup key
- the entry of a 4-digit to 20-digit personal identification number (PIN) - The entry of a 4-digit to 20-digit personal identification number (PIN)
- a combination of the PIN and the USB flash drive - A combination of the PIN and the USB flash drive
There are four options for TPM-enabled computers or devices: There are four options for TPM-enabled computers or devices:
@ -206,7 +206,7 @@ This policy setting permits the use of enhanced PINs when you use an unlock meth
|**Drive type**|Operating system drives| |**Drive type**|Operating system drives|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
|**Conflicts**|None| |**Conflicts**|None|
|**When enabled**|All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs are not affected.| |**When enabled**|All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs aren't affected.|
|**When disabled or not configured**|Enhanced PINs will not be used.| |**When disabled or not configured**|Enhanced PINs will not be used.|
**Reference** **Reference**
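Review bot: contraction style is applied inconsistently within this table: "are not affected" becomes "aren't affected" in the "When enabled" row, but "Enhanced PINs will not be used." in the next row is left uncontracted; make both rows follow the same convention.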
@ -214,7 +214,7 @@ This policy setting permits the use of enhanced PINs when you use an unlock meth
Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker. Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker.
> [!IMPORTANT] > [!IMPORTANT]
> Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. > Not all computers support enhanced PIN characters in the preboot environment. It's strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.
### <a href="" id="bkmk-unlockpol3"></a>Configure minimum PIN length for startup ### <a href="" id="bkmk-unlockpol3"></a>Configure minimum PIN length for startup
@ -222,7 +222,7 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
| | &nbsp; | | | &nbsp; |
|:---|:---| |:---|:---|
|**Policy description**|With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.| |**Policy description**|With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of four digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.|
|**Introduced**|Windows Server 2008 R2 and Windows 7| |**Introduced**|Windows Server 2008 R2 and Windows 7|
|**Drive type**|Operating system drives| |**Drive type**|Operating system drives|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
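Review bot: number style is mixed in the rewritten policy description: "a minimum length of four digits" is spelled out, but the same sentence keeps "By default, the minimum PIN length is 6." Apply one rule (spell out numbers below ten, or keep all PIN lengths numeric) throughout the cell.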
@ -232,7 +232,7 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
**Reference** **Reference**
This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of four digits and can have a maximum length of 20 digits.
Originally, BitLocker allowed from 4 to 20 characters for a PIN. Originally, BitLocker allowed from 4 to 20 characters for a PIN.
Windows Hello has its own PIN for logon, which can be 4 to 127 characters. Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
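Review bot: "a minimum length of four digits" is spelled out in the first line of this hunk, but the unchanged lines immediately below keep "from 4 to 20 characters" and "4 to 127 characters"; if the style change is intentional, carry it through these two sentences as well so the section does not switch mid-paragraph.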
@ -244,13 +244,13 @@ The Dictionary Attack Prevention Parameters provide a way to balance security ne
For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours.
This totals a maximum of about 4415 guesses per year. This totals a maximum of about 4415 guesses per year.
If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.
Increasing the PIN length requires a greater number of guesses for an attacker. Increasing the PIN length requires a greater number of guesses for an attacker.
In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection. In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
Beginning with Windows 10, version 1703, or Windows 11, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello. Beginning with Windows 10, version 1703, or Windows 11, the minimum length for the BitLocker PIN was increased to six characters to better align with other Windows features that use TPM 2.0, including Windows Hello.
To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017, or Windows 11 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters. To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017, or Windows 11 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is six characters by default, but it can be reduced to four characters.
If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended. If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
### Disable new DMA devices when this computer is locked ### Disable new DMA devices when this computer is locked
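Review bot: the count in the fourth sentence is left wrong while the numerals around it are being spelled out: a four-digit numeric PIN has 10,000 combinations (0000 through 9999), so "all 9999 possible PIN combinations" undercounts by one and should be corrected in the same pass. The transition sentence is also hard to parse after the Windows 11 insertion: "Windows 10, version 1703 with the October 2017, or Windows 11 [cumulative update]" reads as though the linked 2017 cumulative update applies to Windows 11; suggest placing "or Windows 11" next to "version 1709" so that the update clause attaches only to version 1703.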
@ -282,7 +282,7 @@ This policy setting allows you to configure whether standard users are allowed t
|**Drive type**|Operating system drives| |**Drive type**|Operating system drives|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
|**Conflicts**|None| |**Conflicts**|None|
|**When enabled**|Standard users are not allowed to change BitLocker PINs or passwords.| |**When enabled**|Standard users aren't allowed to change BitLocker PINs or passwords.|
|**When disabled or not configured**|Standard users are permitted to change BitLocker PINs or passwords.| |**When disabled or not configured**|Standard users are permitted to change BitLocker PINs or passwords.|
**Reference** **Reference**
@ -291,7 +291,7 @@ To change the PIN or password, the user must be able to provide the current PIN
### <a href="" id="bkmk-ospw"></a>Configure use of passwords for operating system drives ### <a href="" id="bkmk-ospw"></a>Configure use of passwords for operating system drives
This policy controls how non-TPM based systems utilize the password protector. Used in conjunction with the **Password must meet complexity requirements** policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose **Require password complexity** because it requires domain connectivity, and it requires that the BitLocker password meets the same password complexity requirements as domain sign-in passwords. This policy controls how non-TPM based systems utilize the password protector. Used with the **Password must meet complexity requirements** policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose **Require password complexity** because it requires domain connectivity, and it requires that the BitLocker password meets the same password complexity requirements as domain sign-in passwords.
| | &nbsp; | | | &nbsp; |
|:---|:---| |:---|:---|
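Review bot: "utilize" on the first line of this hunk is left in place while the same pass replaces "leverage" with "use" earlier in the file; for consistency prefer "how non-TPM-based systems use the password protector". "non-TPM based" should also be hyphenated as "non-TPM-based", since it is a compound modifier.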
@ -299,9 +299,9 @@ This policy controls how non-TPM based systems utilize the password protector. U
|**Introduced**|Windows Server 2012 and Windows 8| |**Introduced**|Windows Server 2012 and Windows 8|
|**Drive type**|Operating system drives| |**Drive type**|Operating system drives|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
|**Conflicts**|Passwords cannot be used if FIPS-compliance is enabled. <p><br/> **NOTE:** The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options** specifies whether FIPS-compliance is enabled.| |**Conflicts**|Passwords can't be used if FIPS-compliance is enabled. <p><br/> **NOTE:** The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options** specifies whether FIPS-compliance is enabled.|
|**When enabled**|Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select **Require complexity**.| |**When enabled**|Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select **Require complexity**.|
|**When disabled or not configured**|The default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur.| |**When disabled or not configured**|The default length constraint of eight characters will apply to operating system drive passwords and no complexity checks will occur.|
**Reference** **Reference**
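Review bot: "FIPS-compliance" (hyphenated) in the Conflicts cell is inconsistent with "FIPS compliance" as written in the IMPORTANT and NOTE callouts later in this file; since the line is already being touched for the contraction, normalise it to "FIPS compliance" here as well. The `<p><br/>` inside the table cell also inserts extra vertical space before the NOTE; a single `<br/>`, or a real callout below the table as the later sections do, renders more cleanly.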
@ -311,7 +311,7 @@ If non-TPM protectors are allowed on operating system drives, you can provision
> These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. > These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there is no password complexity validation. When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there is no password complexity validation.
Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. Passwords must be at least eight characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box.
When this policy setting is enabled, you can set the option **Configure password complexity for operating system drives** to: When this policy setting is enabled, you can set the option **Configure password complexity for operating system drives** to:
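Review bot: the unchanged context line at the start of this hunk reads "to validate the complexity the password", missing "of"; since this paragraph is already in the diff, fix it to "validate the complexity of the password". The same phrase recurs verbatim in the removable data drives section below and should get the same fix.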
@ -329,7 +329,7 @@ This policy setting is used to control what unlock options are available for com
|**Introduced**|Windows Server 2008 and Windows Vista| |**Introduced**|Windows Server 2008 and Windows Vista|
|**Drive type**|Operating system drives (Windows Server 2008 and Windows Vista)| |**Drive type**|Operating system drives (Windows Server 2008 and Windows Vista)|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
|**Conflicts**|If you choose to require an additional authentication method, other authentication methods cannot be allowed.| |**Conflicts**|If you choose to require an additional authentication method, other authentication methods can't be allowed.|
|**When enabled**|The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with or without a TPM.| |**When enabled**|The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with or without a TPM.|
|**When disabled or not configured**|The BitLocker Setup Wizard displays basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.| |**When disabled or not configured**|The BitLocker Setup Wizard displays basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.|
@ -368,7 +368,7 @@ This policy setting is used to require, allow, or deny the use of smart cards wi
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
|**Conflicts**|To use smart cards with BitLocker, you may also need to modify the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting to match the object identifier of your smart card certificates.| |**Conflicts**|To use smart cards with BitLocker, you may also need to modify the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting to match the object identifier of your smart card certificates.|
|**When enabled**|Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the **Require use of smart cards on fixed data drives** check box.| |**When enabled**|Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the **Require use of smart cards on fixed data drives** check box.|
|**When disabled**|Users cannot use smart cards to authenticate their access to BitLocker-protected fixed data drives.| |**When disabled**|Users can't use smart cards to authenticate their access to BitLocker-protected fixed data drives.|
|**When not configured**|Smart cards can be used to authenticate user access to a BitLocker-protected drive.| |**When not configured**|Smart cards can be used to authenticate user access to a BitLocker-protected drive.|
**Reference** **Reference**
@ -388,8 +388,8 @@ This policy setting is used to require, allow, or deny the use of passwords with
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
|**Conflicts**|To use password complexity, the **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements** policy setting must also be enabled.| |**Conflicts**|To use password complexity, the **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements** policy setting must also be enabled.|
|**When enabled**|Users can configure a password that meets the requirements you define. To require the use of a password, select **Require password for fixed data drive**. To enforce complexity requirements on the password, select **Require complexity**.| |**When enabled**|Users can configure a password that meets the requirements you define. To require the use of a password, select **Require password for fixed data drive**. To enforce complexity requirements on the password, select **Require complexity**.|
|**When disabled**|The user is not allowed to use a password.| |**When disabled**|The user isn't allowed to use a password.|
|**When not configured**|Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.| |**When not configured**|Passwords are supported with the default settings, which don't include password complexity requirements and require only eight characters.|
**Reference** **Reference**
@ -399,18 +399,18 @@ When set to **Allow complexity**, a connection to a domain controller is attempt
When set to **Do not allow complexity**, no password complexity validation is performed. When set to **Do not allow complexity**, no password complexity validation is performed.
Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. Passwords must be at least eight characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box.
> [!NOTE] > [!NOTE]
> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. > These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
For the complexity requirement setting to be effective, the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements** must also be enabled. For the complexity requirement setting to be effective, the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements** must also be enabled.
This policy setting is configured on a per-computer basis. This means that it applies to local user accounts and domain user accounts. Because the password filter that is used to validate password complexity is located on the domain controllers, local user accounts cannot access the password filter because they are not authenticated for domain access. When this policy setting is enabled, if you sign in with a local user account, and you attempt to encrypt a drive or change a password on an existing BitLocker-protected drive, an "Access denied" error message is displayed. In this situation, the password key protector cannot be added to the drive. This policy setting is configured on a per-computer basis. This means that it applies to local user accounts and domain user accounts. Because the password filter that's used to validate password complexity is located on the domain controllers, local user accounts can't access the password filter because they're not authenticated for domain access. When this policy setting is enabled, if you sign in with a local user account, and you attempt to encrypt a drive or change a password on an existing BitLocker-protected drive, an "Access denied" error message is displayed. In this situation, the password key protector can't be added to the drive.
Enabling this policy setting requires that connectivity to a domain be established before adding a password key protector to a BitLocker-protected drive. Users who work remotely and have periods of time in which they cannot connect to the domain should be made aware of this requirement so that they can schedule a time when they will be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive. Enabling this policy setting requires that connectivity to a domain be established before adding a password key protector to a BitLocker-protected drive. Users who work remotely and have periods of time in which they can't connect to the domain should be made aware of this requirement so that they can schedule a time when they will be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive.
> [!IMPORTANT] > [!IMPORTANT]
> Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. > Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled.
### <a href="" id="bkmk-unlockpol7"></a>Configure use of smart cards on removable data drives ### <a href="" id="bkmk-unlockpol7"></a>Configure use of smart cards on removable data drives
@ -424,7 +424,7 @@ This policy setting is used to require, allow, or deny the use of smart cards wi
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
|**Conflicts**|To use smart cards with BitLocker, you may also need to modify the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting to match the object identifier of your smart card certificates.| |**Conflicts**|To use smart cards with BitLocker, you may also need to modify the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting to match the object identifier of your smart card certificates.|
|**When enabled**|Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the **Require use of smart cards on removable data drives** check box.| |**When enabled**|Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the **Require use of smart cards on removable data drives** check box.|
|**When disabled or not configured**|Users are not allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.| |**When disabled or not configured**|Users aren't allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.|
|**When not configured**|Smart cards are available to authenticate user access to a BitLocker-protected removable data drive.| |**When not configured**|Smart cards are available to authenticate user access to a BitLocker-protected removable data drive.|
**Reference** **Reference**
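Review bot: the last two table rows contradict each other: "When disabled or not configured" says users aren't allowed to use smart cards, while the following "When not configured" row says smart cards are available. Compare the fixed data drives table above, whose rows are "When disabled" and "When not configured"; the first label here should be "When disabled", and since this line is already being edited for the contraction, it is worth fixing in the same change.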
@ -444,8 +444,8 @@ This policy setting is used to require, allow, or deny the use of passwords with
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
|**Conflicts**|To use password complexity, the **Password must meet complexity requirements** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy** must also be enabled.| |**Conflicts**|To use password complexity, the **Password must meet complexity requirements** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy** must also be enabled.|
|**When enabled**|Users can configure a password that meets the requirements you define. To require the use of a password, select **Require password for removable data drive**. To enforce complexity requirements on the password, select **Require complexity**.| |**When enabled**|Users can configure a password that meets the requirements you define. To require the use of a password, select **Require password for removable data drive**. To enforce complexity requirements on the password, select **Require complexity**.|
|**When disabled**|The user is not allowed to use a password.| |**When disabled**|The user isn't allowed to use a password.|
|**When not configured**|Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.| |**When not configured**|Passwords are supported with the default settings, which don't include password complexity requirements and require only eight characters.|
**Reference** **Reference**
@ -455,7 +455,7 @@ If you choose to allow the use of a password, you can require a password to be u
> [!NOTE] > [!NOTE]
> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. > These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. Passwords must be at least eight characters. To configure a greater minimum length for the password, enter the wanted number of characters in the **Minimum password length** box.
When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password.
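Review bot: "enter the wanted number of characters" is awkward and inconsistent with the two identical sentences earlier in this file (operating system drives and fixed data drives), which keep "the desired number of characters"; keep "desired" here too, or change all three together. The context line that follows also carries the "validate the complexity the password" typo (missing "of").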
@ -464,7 +464,7 @@ When set to **Allow complexity**, a connection to a domain controller will be at
When set to **Do not allow complexity**, no password complexity validation will be done. When set to **Do not allow complexity**, no password complexity validation will be done.
> [!NOTE] > [!NOTE]
> Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. > Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled.
For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md). For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
@ -491,7 +491,7 @@ The object identifier is specified in the enhanced key usage (EKU) of a certific
The default object identifier is 1.3.6.1.4.1.311.67.1.1. The default object identifier is 1.3.6.1.4.1.311.67.1.1.
> [!NOTE] > [!NOTE]
> BitLocker does not require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker. > BitLocker doesn't require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker.
### <a href="" id="bkmk-slates"></a>Enable use of BitLocker authentication requiring preboot keyboard input on slates ### <a href="" id="bkmk-slates"></a>Enable use of BitLocker authentication requiring preboot keyboard input on slates
@ -509,13 +509,13 @@ This policy setting allows users to enable authentication options that require u
**Reference** **Reference**
The Windows touch keyboard (such as used by tablets) is not available in the preboot environment where BitLocker requires additional information, such as a PIN or password. The Windows touch keyboard (such as used by tablets) isn't available in the preboot environment where BitLocker requires additional information, such as a PIN or password.
It is recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard. It's recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard.
When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard. When the Windows Recovery Environment isn't enabled and this policy isn't enabled, you can't turn on BitLocker on a device that uses the Windows touch keyboard.
If you do not enable this policy setting, the following options in the **Require additional authentication at startup** policy might not be available: If you don't enable this policy setting, the following options in the **Require additional authentication at startup** policy might not be available:
- Configure TPM startup PIN: Required and Allowed - Configure TPM startup PIN: Required and Allowed
- Configure TPM startup key and PIN: Required and Allowed - Configure TPM startup key and PIN: Required and Allowed
@ -532,7 +532,7 @@ This policy setting is used to require encryption of fixed drives prior to grant
|**Drive type**|Fixed data drives| |**Drive type**|Fixed data drives|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
|**Conflicts**|See the Reference section for a description of conflicts.| |**Conflicts**|See the Reference section for a description of conflicts.|
|**When enabled**|All fixed data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.| |**When enabled**|All fixed data drives that aren't BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it's mounted with Read and Write access.|
|**When disabled or not configured**|All fixed data drives on the computer are mounted with Read and Write access.| |**When disabled or not configured**|All fixed data drives on the computer are mounted with Read and Write access.|
**Reference** **Reference**
@ -544,10 +544,10 @@ Conflict considerations include:
1. When this policy setting is enabled, users receive "Access denied" error messages when they try to save data to unencrypted fixed data drives. See the Reference section for additional conflicts. 1. When this policy setting is enabled, users receive "Access denied" error messages when they try to save data to unencrypted fixed data drives. See the Reference section for additional conflicts.
2. If BdeHdCfg.exe is run on a computer when this policy setting is enabled, you could encounter the following issues: 2. If BdeHdCfg.exe is run on a computer when this policy setting is enabled, you could encounter the following issues:
- If you attempted to shrink the drive and create the system drive, the drive size is successfully reduced and a raw partition is created. However, the raw partition is not formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker." - If you attempted to shrink the drive and create the system drive, the drive size is successfully reduced and a raw partition is created. However, the raw partition isn't formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker."
- If you attempt to use unallocated space to create the system drive, a raw partition will be created. However, the raw partition will not be formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker." - If you attempt to use unallocated space to create the system drive, a raw partition will be created. However, the raw partition will not be formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker."
- If you attempt to merge an existing drive into the system drive, the tool fails to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: "BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker." - If you attempt to merge an existing drive into the system drive, the tool fails to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: "BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker."
3. If this policy setting is enforced, a hard drive cannot be repartitioned because the drive is protected. If you are upgrading computers in your organization from a previous version of Windows, and those computers were configured with a single partition, you should create the required BitLocker system partition before you apply this policy setting to the computers. 3. If this policy setting is enforced, a hard drive can't be repartitioned because the drive is protected. If you are upgrading computers in your organization from a previous version of Windows, and those computers were configured with a single partition, you should create the required BitLocker system partition before you apply this policy setting to the computers.
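Review bot: contractions are applied inconsistently within this list: the first bullet becomes "the raw partition isn't formatted" while the second keeps "the raw partition will not be formatted", and item 3 keeps "If you are upgrading" right after "can't be repartitioned". Either contract all of them or none. The quoted error messages ("The new active drive cannot be formatted.") are literal UI strings and are correctly left unchanged.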
### <a href="" id="bkmk-driveaccess2"></a>Deny write access to removable drives not protected by BitLocker ### <a href="" id="bkmk-driveaccess2"></a>Deny write access to removable drives not protected by BitLocker
@ -560,12 +560,12 @@ This policy setting is used to require that removable drives are encrypted prior
|**Drive type**|Removable data drives| |**Drive type**|Removable data drives|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
|**Conflicts**|See the Reference section for a description of conflicts.| |**Conflicts**|See the Reference section for a description of conflicts.|
|**When enabled**|All removable data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.| |**When enabled**|All removable data drives that aren't BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it's mounted with Read and Write access.|
|**When disabled or not configured**|All removable data drives on the computer are mounted with Read and Write access.| |**When disabled or not configured**|All removable data drives on the computer are mounted with Read and Write access.|
**Reference** **Reference**
If the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields that match the computer's identification fields are given Write access. When a removable data drive is accessed, it is checked for a valid identification field and allowed identification fields. These fields are defined by the **Provide the unique identifiers for your organization** policy setting. If the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields that match the computer's identification fields are given Write access. When a removable data drive is accessed, it's checked for a valid identification field and allowed identification fields. These fields are defined by the **Provide the unique identifiers for your organization** policy setting.
> [!NOTE] > [!NOTE]
> You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored. > You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored.
@ -588,7 +588,7 @@ This policy setting is used to prevent users from turning BitLocker on or off on
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
|**Conflicts**|None| |**Conflicts**|None|
|**When enabled**|You can select property settings that control how users can configure BitLocker.| |**When enabled**|You can select property settings that control how users can configure BitLocker.|
|**When disabled**|Users cannot use BitLocker on removable data drives.| |**When disabled**|Users can't use BitLocker on removable data drives.|
|**When not configured**|Users can use BitLocker on removable data drives.| |**When not configured**|Users can use BitLocker on removable data drives.|
**Reference** **Reference**
@ -614,27 +614,27 @@ This policy setting is used to control the encryption method and cipher strength
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
|**Conflicts**|None| |**Conflicts**|None|
|**When enabled**|You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.| |**When enabled**|You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.|
|**When disabled or not configured**|Beginning with Windows 10, version 1511, or Windows 11, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS; it uses AES-CBC 128-bit by default and supports AES-CBC 256-bit by policy.| |**When disabled or not configured**|Beginning with Windows 10, version 1511, or Windows 11, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script.
**Reference** **Reference**
The values of this policy determine the strength of the cipher that BitLocker uses for encryption. The values of this policy determine the strength of the cipher that BitLocker uses for encryption.
Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128).
If you enable this setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. If you enable this setting, you can configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually.
For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm.
For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511 or later, or Windows 11. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that aren't running Windows 10, version 1511 or later, or Windows 11.
Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored.
> [!WARNING] > [!WARNING]
> This policy does not apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning. > This policy doesn't apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning.
When this policy setting is disabled or not configured, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method that is specified in the setup script. When this policy setting is disabled or not configured, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method that is specified in the setup script.
### <a href="" id="bkmk-hdefxd"></a>Configure use of hardware-based encryption for fixed data drives ### <a href="" id="bkmk-hdefxd"></a>Configure use of hardware-based encryption for fixed data drives
This policy controls how BitLocker reacts to systems that are equipped with encrypted drives when they are used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. This policy controls how BitLocker reacts to systems that are equipped with encrypted drives when they're used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive.
| | &nbsp; | | | &nbsp; |
|:---|:---| |:---|:---|
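Review bot: the rewritten **When disabled or not configured** row (the "Beginning with Windows 10, version 1511, or Windows 11, BitLocker uses the default encryption method..." line) loses its closing `|` together with the removed Windows Phone sentence, so the row is no longer delimited like the other rows in the table; end it with `...specified by the setup script.|`. The same sentence is also repeated verbatim in the Reference paragraph at the bottom of the hunk ("When this policy setting is disabled or not configured, BitLocker will use the default encryption method of XTS-AES 128-bit..."), so one of the two copies could be dropped.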
@ -643,16 +643,16 @@ This policy controls how BitLocker reacts to systems that are equipped with encr
|**Drive type**|Fixed data drives| |**Drive type**|Fixed data drives|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
|**Conflicts**|None| |**Conflicts**|None|
|**When enabled**|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| |**When enabled**|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.|
|**When disabled**|BitLocker cannot use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.| |**When disabled**|BitLocker can't use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.|
|**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.| |**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.|
**Reference** **Reference**
> [!NOTE] > [!NOTE]
> The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. > The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption.
The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:
- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 - Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
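Review bot: the **When disabled** row still reads `used by default when the drive in encrypted` after the `cannot` to `can't` edit; since this line is being touched anyway, fix `in` to `is` so it reads `when the drive is encrypted`.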
@ -668,25 +668,25 @@ This policy controls how BitLocker reacts when encrypted drives are used as oper
|**Drive type**|Operating system drives| |**Drive type**|Operating system drives|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
|**Conflicts**|None| |**Conflicts**|None|
|**When enabled**|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| |**When enabled**|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.|
|**When disabled**|BitLocker cannot use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive in encrypted.| |**When disabled**|BitLocker can't use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive in encrypted.|
|**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.| |**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.|
**Reference** **Reference**
If hardware-based encryption is not available, BitLocker software-based encryption is used instead. If hardware-based encryption isn't available, BitLocker software-based encryption is used instead.
> [!NOTE] > [!NOTE]
> The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. > The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption.
The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:
- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 - Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
### <a href="" id="bkmk-hderdd"></a>Configure use of hardware-based encryption for removable data drives ### <a href="" id="bkmk-hderdd"></a>Configure use of hardware-based encryption for removable data drives
This policy controls how BitLocker reacts to encrypted drives when they are used as removable data drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. This policy controls how BitLocker reacts to encrypted drives when they're used as removable data drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive.
| | &nbsp; | | | &nbsp; |
|:---|:---| |:---|:---|
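Review bot: the same `when the drive in encrypted` typo is carried over in the **When disabled** row for operating system drives; change `in` to `is` while the line is being rewritten, rather than leaving the typo in the "after" text.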
@ -695,18 +695,18 @@ This policy controls how BitLocker reacts to encrypted drives when they are used
|**Drive type**|Removable data drive| |**Drive type**|Removable data drive|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
|**Conflicts**|None| |**Conflicts**|None|
|**When enabled**|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| |**When enabled**|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.|
|**When disabled**|BitLocker cannot use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.| |**When disabled**|BitLocker can't use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.|
|**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.| |**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.|
**Reference** **Reference**
If hardware-based encryption is not available, BitLocker software-based encryption is used instead. If hardware-based encryption isn't available, BitLocker software-based encryption is used instead.
> [!NOTE] > [!NOTE]
> The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. > The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption.
The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:
- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 - Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
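Review bot: the **When disabled** row for removable data drives also keeps `when the drive in encrypted`; this is the third occurrence in the PR and should be corrected to `when the drive is encrypted` in the same pass.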
@ -722,7 +722,7 @@ This policy controls whether fixed data drives utilize Used Space Only encryptio
|**Drive type**|Fixed data drive| |**Drive type**|Fixed data drive|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
|**Conflicts**|None| |**Conflicts**|None|
|**When enabled**|This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard.| |**When enabled**|This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option isn't presented in the BitLocker Setup Wizard.|
|**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.| |**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.|
**Reference** **Reference**
@ -730,7 +730,7 @@ This policy controls whether fixed data drives utilize Used Space Only encryptio
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
> [!NOTE] > [!NOTE]
> This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. > This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
@ -745,7 +745,7 @@ This policy controls whether operating system drives utilize Full encryption or
|**Drive type**|Operating system drive| |**Drive type**|Operating system drive|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
|**Conflicts**|None| |**Conflicts**|None|
|**When enabled**|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.| |**When enabled**|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard.|
|**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.| |**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.|
**Reference** **Reference**
@ -753,7 +753,7 @@ This policy controls whether operating system drives utilize Full encryption or
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
> [!NOTE] > [!NOTE]
> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. > This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
@ -768,7 +768,7 @@ This policy controls whether fixed data drives utilize Full encryption or Used S
|**Drive type**|Removable data drive| |**Drive type**|Removable data drive|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
|**Conflicts**|None| |**Conflicts**|None|
|**When enabled**|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.| |**When enabled**|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard.|
|**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.| |**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.|
**Reference** **Reference**
@ -776,7 +776,7 @@ This policy controls whether fixed data drives utilize Full encryption or Used S
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
> [!NOTE] > [!NOTE]
> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. > This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
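Review bot: the note in this hunk says `a drive that is using Full Encryption` while the preceding sentence and the equivalent notes for fixed and operating system drives use `Full encryption`; normalize the capitalization to `Full encryption` while the line is being edited.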
@ -792,7 +792,7 @@ This policy setting is used to configure recovery methods for operating system d
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
|**Conflicts**|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. </br> </br>When using data recovery agents, you must enable the **Provide the unique identifiers for your organization** policy setting.| |**Conflicts**|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. </br> </br>When using data recovery agents, you must enable the **Provide the unique identifiers for your organization** policy setting.|
|**When enabled**|You can control the methods that are available to users to recover data from BitLocker-protected operating system drives.| |**When enabled**|You can control the methods that are available to users to recover data from BitLocker-protected operating system drives.|
|**When disabled or not configured**|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.| |**When disabled or not configured**|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information isn't backed up to AD DS.|
**Reference** **Reference**
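Review bot: the **Conflicts** cell in this table uses `</br> </br>` as a line break; `</br>` is a closing tag with no matching opener and is not valid HTML even though browsers tolerate it. Use `<br>` or `<br/>` (the form used elsewhere in the docs set) so the markdown linter and renderer treat it consistently.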
@ -804,7 +804,7 @@ For more information about adding data recovery agents, see [BitLocker basic dep
In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password. In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password.
Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for
the drive are determined by the policy setting. the drive are determined by the policy setting.
In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you select **Store recovery password and key packages**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that is physically corrupted. If you select **Store recovery password only**, only the recovery password is stored in AD DS. In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you select **Store recovery password and key packages**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that is physically corrupted. If you select **Store recovery password only**, only the recovery password is stored in AD DS.
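Review bot: the sentence ending `Instead, BitLocker recovery options for` is split across two source lines mid-sentence, with `the drive are determined by the policy setting.` on the next line; since the first line is being rewritten, join the two so the fragment is not mistaken for a separate paragraph by later editors.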
@ -825,7 +825,7 @@ This policy setting is used to configure recovery methods for BitLocker-protecte
|**Drive type**|Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista| |**Drive type**|Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
|**Conflicts**|This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the **Do not allow** option for both user recovery options, you must enable the **Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)** policy setting to prevent a policy error.| |**Conflicts**|This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the **Do not allow** option for both user recovery options, you must enable the **Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)** policy setting to prevent a policy error.|
|**When enabled**|You can configure the options that the Bitlocker Setup Wizard displays to users for recovering BitLocker encrypted data.| |**When enabled**|You can configure the options that the BitLocker Setup Wizard displays to users for recovering BitLocker encrypted data.|
|**When disabled or not configured**|The BitLocker Setup Wizard presents users with ways to store recovery options.| |**When disabled or not configured**|The BitLocker Setup Wizard presents users with ways to store recovery options.|
**Reference** **Reference**
@ -838,10 +838,10 @@ Saving the recovery password to a USB drive stores the 48-digit recovery passwor
> [!IMPORTANT] > [!IMPORTANT]
> If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information. > If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information.
> The 48-digit recovery password is not available in FIPS-compliance mode. > The 48-digit recovery password isn't available in FIPS-compliance mode.
> [!IMPORTANT] > [!IMPORTANT]
> To prevent data loss, you must have a way to recover BitLocker encryption keys. If you do not allow both recovery options, you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs. > To prevent data loss, you must have a way to recover BitLocker encryption keys. If you don't allow both recovery options, you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs.
### <a href="" id="bkmk-rec3"></a>Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) ### <a href="" id="bkmk-rec3"></a>Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
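Review bot: "If you don't allow both recovery options" in the second IMPORTANT callout is ambiguous after the contraction edit; it reads as "don't allow the two together", whereas the Conflicts row above says the policy error occurs when **Do not allow** is chosen for both user recovery options. Suggest: "If you set both user recovery options to **Do not allow**, you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs."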
@ -855,7 +855,7 @@ This policy setting is used to configure the storage of BitLocker recovery infor
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
|**Conflicts**|None| |**Conflicts**|None|
|**When enabled**|BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer.| |**When enabled**|BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer.|
|**When disabled or not configured**|BitLocker recovery information is not backed up to AD DS.| |**When disabled or not configured**|BitLocker recovery information isn't backed up to AD DS.|
**Reference** **Reference**
@ -865,11 +865,11 @@ This policy setting is applied when you turn on BitLocker.
BitLocker recovery information includes the recovery password and unique identifier data. You can also include a package that contains an encryption key for a BitLocker-protected drive. This key package is secured by one or more recovery passwords, and it can help perform specialized recovery when the disk is damaged or corrupted. BitLocker recovery information includes the recovery password and unique identifier data. You can also include a package that contains an encryption key for a BitLocker-protected drive. This key package is secured by one or more recovery passwords, and it can help perform specialized recovery when the disk is damaged or corrupted.
If you select **Require BitLocker backup to AD DS**, BitLocker cannot be turned on unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible. If you select **Require BitLocker backup to AD DS**, BitLocker can't be turned on unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible.
A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package contains a drives BitLocker encryption key, which is secured by one or more recovery passwords. Key packages may help perform specialized recovery when the disk is damaged or corrupted. A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package contains a drives BitLocker encryption key, which is secured by one or more recovery passwords. Key packages may help perform specialized recovery when the disk is damaged or corrupted.
If the **Require BitLocker backup to AD DS** option is not selected, AD DS backup is attempted, but network or other backup failures do not prevent the BitLocker setup. The Backup process is not automatically retried, and the recovery password might not be stored in AD DS during BitLocker setup. If the **Require BitLocker backup to AD DS** option isn't selected, AD DS backup is attempted, but network or other backup failures don't prevent the BitLocker setup. The Backup process isn't automatically retried, and the recovery password might not be stored in AD DS during BitLocker setup.
TPM initialization might be needed during the BitLocker setup. Enable the **Turn on TPM backup to Active Directory Domain Services** policy setting in **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services** to ensure that TPM information is also backed up. TPM initialization might be needed during the BitLocker setup. Enable the **Turn on TPM backup to Active Directory Domain Services** policy setting in **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services** to ensure that TPM information is also backed up.
For more information about this setting, see [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings). For more information about this setting, see [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings).
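Review bot: "A key package contains a drives BitLocker encryption key" is missing the possessive apostrophe ("a drive's") and is left untouched while "cannot" on the line above is edited; fix it in the same pass. That sentence also restates the key-package description given two paragraphs earlier ("You can also include a package that contains an encryption key ... secured by one or more recovery passwords, and it can help perform specialized recovery when the disk is damaged or corrupted"); keep one of the two.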
@ -885,7 +885,7 @@ This policy setting is used to configure the default folder for recovery passwor
|**Drive type**|All drives| |**Drive type**|All drives|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
|**Conflicts**|None| |**Conflicts**|None|
|**When enabled**|You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path is not valid, the BitLocker Setup Wizard displays the computer's top-level folder view.| |**When enabled**|You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path isn't valid, the BitLocker Setup Wizard displays the computer's top-level folder view.|
|**When disabled or not configured**|The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.| |**When disabled or not configured**|The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.|
**Reference** **Reference**
@ -893,7 +893,7 @@ This policy setting is used to configure the default folder for recovery passwor
This policy setting is applied when you turn on BitLocker. This policy setting is applied when you turn on BitLocker.
> [!NOTE] > [!NOTE]
> This policy setting does not prevent the user from saving the recovery password in another folder. > This policy setting doesn't prevent the user from saving the recovery password in another folder.
### <a href="" id="bkmk-rec6"></a>Choose how BitLocker-protected fixed drives can be recovered ### <a href="" id="bkmk-rec6"></a>Choose how BitLocker-protected fixed drives can be recovered
@ -907,7 +907,7 @@ This policy setting is used to configure recovery methods for fixed data drives.
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
|**Conflicts**|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. </br> </br>When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.| |**Conflicts**|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. </br> </br>When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.|
|**When enabled**|You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives.| |**When enabled**|You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives.|
|**When disabled or not configured**|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.| |**When disabled or not configured**|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information isn't backed up to AD DS.|
**Reference** **Reference**
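Review bot: the Conflicts row for fixed data drives is word-for-word the one used for removable data drives in the later hunk, including "You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled"; please confirm that a removable-drive policy really constrains recovery keys on fixed drives, or replace the row with the conflicts that actually apply to fixed data drives, since this table is being edited anyway.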
@ -917,10 +917,10 @@ The **Allow data recovery agent** check box is used to specify whether a data re
In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you cannot specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting. Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting.
In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS.
Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the **Repair-bde** command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the `Repair-bde` command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS.
For more information about the BitLocker repair tool, see [Repair-bde](/windows-server/administration/windows-commands/repair-bde). For more information about the BitLocker repair tool, see [Repair-bde](/windows-server/administration/windows-commands/repair-bde).
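Review bot: switching `Repair-bde` from bold to code formatting in one sentence leaves the other tool names in this diff in their old style (the linked `Manage-bde` in the identifiers hunk, plain "BCDEdit" in the pre-boot message hunk); apply one convention for command-line tool names across the page rather than changing a single occurrence.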
@ -941,7 +941,7 @@ This policy setting is used to configure recovery methods for removable data dri
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
|**Conflicts**|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. </br> </br>When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.| |**Conflicts**|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. </br> </br>When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.|
|**When enabled**|You can control the methods that are available to users to recover data from BitLocker-protected removable data drives.| |**When enabled**|You can control the methods that are available to users to recover data from BitLocker-protected removable data drives.|
|**When disabled or not configured**|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.| |**When disabled or not configured**|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information isn't backed up to AD DS.|
**Reference** **Reference**
@ -951,7 +951,7 @@ The **Allow data recovery agent** check box is used to specify whether a data re
In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password. In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password.
Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you cannot specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting. Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting.
In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for removable data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for removable data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. If you select **Backup recovery password only**, only the recovery password is stored in AD DS.
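Review bot: the removable-drive text says users can be allowed or required to generate only "a 48-digit recovery password", but the "When disabled or not configured" row for this same policy says the user can specify "the recovery password and recovery key", and the fixed-drive counterpart lists "a 48-digit recovery password or a 256-bit recovery key"; align this sentence with the others or state why removable drives omit the recovery key.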
@ -972,13 +972,13 @@ This policy setting is used to configure the entire recovery message and to repl
|**Policy path**|Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL| |**Policy path**|Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL|
|**Conflicts**|None| |**Conflicts**|None|
|**When enabled**|The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the **Use default recovery message and URL** option.| |**When enabled**|The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the **Use default recovery message and URL** option.|
|**When disabled or not configured**|If the setting has not been previously enabled the default pre-boot recovery screen is displayed for BitLocker recovery. If the setting previously was enabled and is subsequently disabled the last message in Boot Configuration Data (BCD) is displayed whether it was the default recovery message or the custom message.| |**When disabled or not configured**|If the setting hasn't been previously enabled, then the default pre-boot recovery screen is displayed for BitLocker recovery. If the setting previously was enabled and is later disabled, then the last message in Boot Configuration Data (BCD) is displayed whether it was the default recovery message or the custom message.|
**Reference** **Reference**
Enabling the **Configure the pre-boot recovery message and URL** policy setting allows you to customize the default recovery screen message and URL to assist customers in recovering their key. Enabling the **Configure the pre-boot recovery message and URL** policy setting allows you to customize the default recovery screen message and URL to assist customers in recovering their key.
Once you enable the setting you have three options: Once you enable the setting, you have three options:
- If you select the **Use default recovery message and URL** option, the default BitLocker recovery message and URL will be displayed on the pre-boot recovery screen. - If you select the **Use default recovery message and URL** option, the default BitLocker recovery message and URL will be displayed on the pre-boot recovery screen.
- If you select the **Use custom recovery message** option, type the custom message in the **Custom recovery message option** text box. The message that you type in the **Custom recovery message option** text box will be displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message. - If you select the **Use custom recovery message** option, type the custom message in the **Custom recovery message option** text box. The message that you type in the **Custom recovery message option** text box will be displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message.
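Review bot: the policy name in the Reference text, **Configure the pre-boot recovery message and URL**, differs from the path in the table, "...\ Configure pre-boot recovery message and URL"; use the exact policy name. "assist customers in recovering their key" in the same sentence should be "users", as the rest of the page says.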
@ -988,11 +988,11 @@ Once you enable the setting you have three options:
> Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen. > Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen.
> [!IMPORTANT] > [!IMPORTANT]
> Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you cannot return the policy setting to the default setting by selecting the **Not Configured** option after you have configured this policy setting. To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box. > Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you can't return the policy setting to the default setting by selecting the **Not Configured** option after you have configured this policy setting. To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box.
### <a href="" id="bkmk-secboot"></a>Allow Secure Boot for integrity validation ### <a href="" id="bkmk-secboot"></a>Allow Secure Boot for integrity validation
This policy controls how BitLocker-enabled system volumes are handled in conjunction with the Secure Boot feature. Enabling this feature forces Secure Boot validation during the boot process and verifies Boot Configuration Data (BCD) settings according to the Secure Boot policy. This policy controls how BitLocker-enabled system volumes are handled with the Secure Boot feature. Enabling this feature forces Secure Boot validation during the boot process and verifies Boot Configuration Data (BCD) settings according to the Secure Boot policy.
| | &nbsp; | | | &nbsp; |
|:---|:---| |:---|:---|
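Review bot: "We strongly recommended that you verify" should read "We strongly recommend that you verify". In the IMPORTANT callout, "select the **Use default message** options" names the option differently from **Use default recovery message and URL** in the table row and bullet above; use the same name and singular "option", and add the comma in "To return to the default pre-boot recovery screen, leave the policy setting enabled". The clause "Because you can alter the BCDEdit commands manually before you have set Group Policy settings" does not explain why **Not Configured** fails to restore the default; the table row gives the real reason (the last message written to Boot Configuration Data persists), so reword the callout around that.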
@ -1000,7 +1000,7 @@ This policy controls how BitLocker-enabled system volumes are handled in conjunc
|**Introduced**|Windows Server 2012 and Windows 8| |**Introduced**|Windows Server 2012 and Windows 8|
|**Drive type**|All drives| |**Drive type**|All drives|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
|**Conflicts**|If you enable **Allow Secure Boot for integrity validation**, make sure the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting is not enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation. <P> For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.| |**Conflicts**|If you enable **Allow Secure Boot for integrity validation**, make sure the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting isn't enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation. <P> For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this article.|
|**When enabled or not configured**|BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation.| |**When enabled or not configured**|BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation.|
|**When disabled**|BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation.| |**When disabled**|BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation.|
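Review bot: "make sure the ... Group Policy setting isn't enabled or include PCR 7" is not parallel; write "is not enabled, or that it includes PCR 7" so the two acceptable states are clear, because an administrator who configures that profile without PCR 7 loses Secure Boot-based validation as the cell itself says. "Drive type" is given as "All drives", but the policy path ends in "\Operating System Drives" and the description says the policy controls BitLocker-enabled system volumes; "Operating system drives" looks right. The `<P>` inside the table cell should use the `</br>` form the other Conflicts cells in this diff use.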
@ -1022,9 +1022,9 @@ This policy setting is used to establish an identifier that is applied to all dr
|**Introduced**|Windows Server 2008 R2 and Windows 7| |**Introduced**|Windows Server 2008 R2 and Windows 7|
|**Drive type**|All drives| |**Drive type**|All drives|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
|**Conflicts**|Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it is identical to the value that is configured on the computer.| |**Conflicts**|Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it's identical to the value that is configured on the computer.|
|**When enabled**|You can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization.| |**When enabled**|You can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization.|
|**When disabled or not configured**|The identification field is not required.| |**When disabled or not configured**|The identification field isn't required.|
**Reference** **Reference**
@ -1034,7 +1034,7 @@ An identification field is required to manage certificate-based data recovery ag
For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
The allowed identification field is used in combination with the **Deny write access to removable drives not protected by BitLocker** policy setting to help control the use of removable drives in your organization. It is a comma-separated list of identification fields from your organization or external organizations. The allowed identification field is used in combination with the **Deny write access to removable drives not protected by BitLocker** policy setting to help control the use of removable drives in your organization. It's a comma-separated list of identification fields from your organization or external organizations.
You can configure the identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. You can configure the identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool.
@ -1071,12 +1071,12 @@ This policy setting determines what values the TPM measures when it validates ea
|**Drive type**|Operating system drives| |**Drive type**|Operating system drives|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
|**Conflicts**|None| |**Conflicts**|None|
|**When enabled**|You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| |**When enabled**|You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, then the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.|
|**When disabled or not configured**|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.| |**When disabled or not configured**|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.|
**Reference** **Reference**
This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker has already been turned on with TPM protection.
> [!IMPORTANT] > [!IMPORTANT]
> This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware. > This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware.
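Review bot: "then" in "If any of these components change while BitLocker protection is in effect, then the TPM doesn't release the encryption key" is inconsistent with the identical sentence in the native-UEFI hunk below, which is rewritten without it; use one form for both rows. Likewise "has already been turned on with TPM protection" here versus "is already turned on" below; match the wording.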
@ -1121,12 +1121,12 @@ This policy setting determines what values the TPM measures when it validates ea
|**Drive type**|Operating system drives| |**Drive type**|Operating system drives|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
|**Conflicts**|None| |**Conflicts**|None|
|**When enabled**|You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| |**When enabled**|You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.|
|**When disabled or not configured**|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.| |**When disabled or not configured**|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.|
**Reference** **Reference**
This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker is already turned on with TPM protection.
A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following: A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following:
@ -1170,13 +1170,13 @@ This policy setting determines what values the TPM measures when it validates ea
|**Introduced**|Windows Server 2012 and Windows 8| |**Introduced**|Windows Server 2012 and Windows 8|
|**Drive type**|Operating system drives| |**Drive type**|Operating system drives|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
|**Conflicts**|Setting this policy with PCR 7 omitted, overrides the **Allow Secure Boot for integrity validation** Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation. <br/><p> If your environments use TPM and Secure Boot for platform integrity checks, this policy should not be configured. <p> For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.| |**Conflicts**|Setting this policy with PCR 7 omitted, overrides the **Allow Secure Boot for integrity validation** Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation. <br/><p> If your environments use TPM and Secure Boot for platform integrity checks, this policy is configured. <p> For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this article.|
|**When enabled**|Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| |**When enabled**|Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.|
|**When disabled or not configured**|BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.| |**When disabled or not configured**|BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.|
**Reference** **Reference**
This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker is already turned on with TPM protection.
> [!IMPORTANT] > [!IMPORTANT]
> This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled. > This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled.
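Review bot: the contraction pass at the **Conflicts** row inverted the guidance: "this policy should not be configured" became "this policy is configured", which turns a prohibition into a statement of fact and contradicts the same row's warning that omitting PCR 7 disables Secure Boot-based integrity validation. Restore the negation, e.g. "If your environments use TPM and Secure Boot for platform integrity checks, this policy shouldn't be configured." While here, the stray comma in "Setting this policy with PCR 7 omitted, overrides" should go.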
@ -1194,7 +1194,7 @@ The following list identifies all of the PCRs available:
- PCR 6: Resume from S4 and S5 Power State Events - PCR 6: Resume from S4 and S5 Power State Events
- PCR 7: Secure Boot State - PCR 7: Secure Boot State
For more information about this PCR, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic. For more information about this PCR, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this article.
- PCR 8: Initialized to 0 with no Extends (reserved for future use) - PCR 8: Initialized to 0 with no Extends (reserved for future use)
- PCR 9: Initialized to 0 with no Extends (reserved for future use) - PCR 9: Initialized to 0 with no Extends (reserved for future use)
@ -1220,7 +1220,7 @@ This policy setting determines if you want platform validation data to refresh w
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
|**Conflicts**|None| |**Conflicts**|None|
|**When enabled**|Platform validation data is refreshed when Windows is started following a BitLocker recovery.| |**When enabled**|Platform validation data is refreshed when Windows is started following a BitLocker recovery.|
|**When disabled**|Platform validation data is not refreshed when Windows is started following a BitLocker recovery.| |**When disabled**|Platform validation data isn't refreshed when Windows is started following a BitLocker recovery.|
|**When not configured**|Platform validation data is refreshed when Windows is started following a BitLocker recovery.| |**When not configured**|Platform validation data is refreshed when Windows is started following a BitLocker recovery.|
**Reference** **Reference**
@ -1245,7 +1245,7 @@ This policy setting determines specific Boot Configuration Data (BCD) settings t
**Reference** **Reference**
> [!NOTE] > [!NOTE]
> The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is included in the inclusion or the exclusion list. > The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it's included in the inclusion or the exclusion list.
### <a href="" id="bkmk-depopt4"></a>Allow access to BitLocker-protected fixed data drives from earlier versions of Windows ### <a href="" id="bkmk-depopt4"></a>Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
@ -1259,14 +1259,14 @@ This policy setting is used to control whether access to drives is allowed by us
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
|**Conflicts**|None| |**Conflicts**|None|
|**When enabled and When not configured**|Fixed data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.| |**When enabled and When not configured**|Fixed data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.|
|**When disabled**|Fixed data drives that are formatted with the FAT file system and are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed.| |**When disabled**|Fixed data drives that are formatted with the FAT file system and are BitLocker-protected can't be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) isn't installed.|
**Reference** **Reference**
> [!NOTE] > [!NOTE]
> This policy setting does not apply to drives that are formatted with the NTFS file system. > This policy setting doesn't apply to drives that are formatted with the NTFS file system.
When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted fixed drives** check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user is prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted fixed drives** check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that doesn't have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user is prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box isn't selected, then BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.
### <a href="" id="bkmk-depopt5"></a>Allow access to BitLocker-protected removable data drives from earlier versions of Windows ### <a href="" id="bkmk-depopt5"></a>Allow access to BitLocker-protected removable data drives from earlier versions of Windows
@ -1280,18 +1280,18 @@ This policy setting controls access to removable data drives that are using the
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
|**Conflicts**|None| |**Conflicts**|None|
|**When enabled and When not configured**|Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.| |**When enabled and When not configured**|Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.|
|**When disabled**|Removable data drives that are formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed.| |**When disabled**|Removable data drives that are formatted with the FAT file system that are BitLocker-protected can't be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) isn't installed.|
**Reference** **Reference**
> [!NOTE] > [!NOTE]
> This policy setting does not apply to drives that are formatted with the NTFS file system. > This policy setting doesn't apply to drives that are formatted with the NTFS file system.
When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted removable drives** check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go Reader installed. When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted removable drives** check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that doesn't have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. 
If this check box isn't selected, then BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 that don't have BitLocker To Go Reader installed.
## FIPS setting ## FIPS setting
You can configure the Federal Information Processing Standard (FIPS) setting for FIPS compliance. As an effect of FIPS compliance, users cannot create or save a BitLocker password for recovery or as a key protector. The use of a recovery key is permitted. You can configure the Federal Information Processing Standard (FIPS) setting for FIPS compliance. As an effect of FIPS compliance, users can't create or save a BitLocker password for recovery or as a key protector. The use of a recovery key is permitted.
| | &nbsp; | | | &nbsp; |
|:---|:---| |:---|:---|
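Review bot: the new paragraph split leaves trailing whitespace (a non-breaking space) after "BitLocker To Go Reader must be installed on the computer." at the end of the first half; strip it, since Markdown linting will flag it and it renders as a stray character in some viewers. The split itself is fine, but as with the fixed-drive section, drop the added "then" in "If this check box isn't selected, then BitLocker To Go Reader will be installed on the removable drive".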
@ -1299,15 +1299,15 @@ You can configure the Federal Information Processing Standard (FIPS) setting for
|**Introduced**|Windows Server 2003 with SP1| |**Introduced**|Windows Server 2003 with SP1|
|**Drive type**|System-wide| |**Drive type**|System-wide|
|**Policy path**|Local Policies\Security Options\System cryptography: **Use FIPS compliant algorithms for encryption, hashing, and signing**| |**Policy path**|Local Policies\Security Options\System cryptography: **Use FIPS compliant algorithms for encryption, hashing, and signing**|
|**Conflicts**|Some applications, such as Terminal Services, do not support FIPS-140 on all operating systems.| |**Conflicts**|Some applications, such as Terminal Services, don't support FIPS-140 on all operating systems.|
|**When enabled**|Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup wizard to create a recovery password.| |**When enabled**|Users will be unable to save a recovery password to any location. This includes AD DS and network folders. Also, you can't use WMI or the BitLocker Drive Encryption Setup wizard to create a recovery password.|
|**When disabled or not configured**|No BitLocker encryption key is generated| |**When disabled or not configured**|No BitLocker encryption key is generated|
**Reference** **Reference**
This policy needs to be enabled before any encryption key is generated for BitLocker. Note that when this policy is enabled, BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead. This policy must be enabled before any encryption key is generated for BitLocker. When this policy is enabled, BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead.
You can save the optional recovery key to a USB drive. Because recovery passwords cannot be saved to AD DS when FIPS is enabled, an error is caused if AD DS backup is required by Group Policy. You can save the optional recovery key to a USB drive. Because recovery passwords can't be saved to AD DS when FIPS is enabled, an error is caused if AD DS backup is required by Group Policy.
You can edit the FIPS setting by using the Security Policy Editor (Secpol.msc) or by editing the Windows registry. You must be an administrator to perform these procedures. You can edit the FIPS setting by using the Security Policy Editor (Secpol.msc) or by editing the Windows registry. You must be an administrator to perform these procedures.
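Review bot: the **When disabled or not configured** row ("No BitLocker encryption key is generated") contradicts the reworded reference sentence "This policy must be enabled before any encryption key is generated for BitLocker" and is wrong on its face: BitLocker generates volume keys regardless of the FIPS setting; the setting only governs which algorithms and which protector types are allowed. Since the row is in this hunk's context, fix it here along the lines of "BitLocker isn't restricted to FIPS-approved algorithms, and users can create and save recovery passwords (including to AD DS)." The reference sentence could also make the ordering explicit: enabling the policy after BitLocker is already on doesn't retroactively change existing protectors.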
@ -1315,11 +1315,11 @@ For more information about setting this policy, see [System cryptography: Use FI
## Power management Group Policy settings: Sleep and Hibernate ## Power management Group Policy settings: Sleep and Hibernate
PCs default power settings for a computer will cause the computer to enter Sleep mode frequently to conserve power when idle and to help extend the systems battery life. When a computer transitions to Sleep, open programs and documents are persisted in memory. When a computer resumes from Sleep, users are not required to re-authenticate with a PIN or USB startup key to access encrypted data. This might lead to conditions where data security is compromised. PCs default power settings for a computer will cause the computer to enter Sleep mode frequently to conserve power when idle and to help extend the systems battery life. When a computer transitions to Sleep, open programs and documents are persisted in memory. When a computer resumes from Sleep, users aren't required to reauthenticate with a PIN or USB startup key to access encrypted data. This might lead to conditions where data security is compromised.
However, when a computer hibernates the drive is locked, and when it resumes from hibernation the drive is unlocked, which means that users will need to provide a PIN or a startup key if using multifactor authentication with BitLocker. Therefore, organizations that use BitLocker may want to use Hibernate instead of Sleep for improved security. This setting does not have an impact on TPM-only mode, because it provides a transparent user experience at startup and when resuming from the Hibernate states. However, when a computer hibernates the drive is locked, and when it resumes from hibernation the drive is unlocked, which means that users will need to provide a PIN or a startup key if using multifactor authentication with BitLocker. Therefore, organizations that use BitLocker may want to use Hibernate instead of Sleep for improved security. This setting doesn't have an impact on TPM-only mode, because it provides a transparent user experience at startup and when resuming from the Hibernate states.
You can use disable the following Group Policy settings, which are located in **Computer Configuration\\Administrative Templates\\System\\Power Management** to disable all available sleep states: You can disable the following Group Policy settings, which are located in **Computer Configuration\\Administrative Templates\\System\\Power Management** to disable all available sleep states:
- Allow Standby States (S1-S3) When Sleeping (Plugged In) - Allow Standby States (S1-S3) When Sleeping (Plugged In)
- Allow Standby States (S1-S3) When Sleeping (Battery) - Allow Standby States (S1-S3) When Sleeping (Battery)
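Review bot: two possessives are still missing in the lead paragraph: "PCs default power settings for a computer" should be "A PC's default power settings", and "the systems battery life" should be "the system's battery life". The hunk fixes "You can use disable" but leaves these; since the sentence is the security rationale (the volume key stays in memory during Sleep, so no PIN or startup key is demanded on resume), it is worth getting right. "reauthenticate" is fine as one word.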
@ -1332,7 +1332,7 @@ Changing from the default platform validation profile affects the security and m
**About PCR 7** **About PCR 7**
PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can leverage Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4 which have the measurements of the exact firmware and Bootmgr images loaded. This PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can use Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4, which have the measurements of the exact firmware and Bootmgr images loaded. This
reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides you with greater flexibility to manage the preboot configuration. reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides you with greater flexibility to manage the preboot configuration.
PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](/windows-hardware/test/hlk/testref/trusted-execution-environment-efi-protocol). PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](/windows-hardware/test/hlk/testref/trusted-execution-environment-efi-protocol).

View File

@ -13,7 +13,7 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/03/2021 ms.date: 01/18/2022
--- ---
# Change the TPM owner password # Change the TPM owner password
@ -46,7 +46,7 @@ Instead of changing your owner password, you can also use the following options
## Change the TPM owner password ## Change the TPM owner password
With Windows 10, version 1507 or 1511, or Windows 11, if you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password. With Windows 10, version 1507 or 1511, if you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password.
To change to a new TPM owner password, in TPM.msc, click **Change Owner Password**, and follow the instructions. You will be prompted to provide the owner password file or to type the password. Then you can create a new password, either automatically or manually, and save the password in a file or as a printout. To change to a new TPM owner password, in TPM.msc, click **Change Owner Password**, and follow the instructions. You will be prompted to provide the owner password file or to type the password. Then you can create a new password, either automatically or manually, and save the password in a file or as a printout.

View File

@ -20,8 +20,7 @@ ms.reviewer:
# Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) # Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)
**Applies to:** **Applies to:**
- Windows 10, version 1607 and later - Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
Windows Information Protection (WIP) classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data is encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or people will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default. Windows Information Protection (WIP) classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data is encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or people will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default.
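Review bot: the context line that follows the removed "Windows 10 Mobile" bullet has a typo, "Enlighted apps", which should be "Enlightened apps" (the term is spelled correctly two words earlier in the same sentence). Since this file is already being touched to drop the Mobile entry, fix the typo in the same change.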

View File

@ -20,8 +20,7 @@ ms.reviewer:
**Applies to:** **Applies to:**
- Windows 10, version 1607 and later - Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
Windows Information Protection (WIP) creates audit events in the following situations: Windows Information Protection (WIP) creates audit events in the following situations:

View File

@ -18,10 +18,10 @@ ms.reviewer:
--- ---
# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate
**Applies to:** **Applies to:**
- Windows 10, version 1607 and later - Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
@ -33,10 +33,12 @@ If you don't already have an EFS DRA certificate, you'll need to create and extr
1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. 1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate.
2. Run this command: 2. Run this command:
<code>cipher /r:<i>EFSRA</i></code> ```cmd
cipher /r:EFSRA
Where *EFSRA* is the name of the .cer and .pfx files that you want to create. ```
Where *EFSRA* is the name of the `.cer` and `.pfx` files that you want to create.
3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. 3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file.
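Review bot: the command `cipher /r:EFSRA` doesn't match the intro sentence above, which says "we'll use the file name EFSDRA"; pick one name and use it in both the prose and the fenced block (the step's own "Where *EFSRA* is the name..." line also needs to agree). Converting to a ```cmd fence is good. Consider also adding, after the password prompt step, that the generated `.pfx` holds the DRA private key and should be moved off the workstation to protected storage once the `.cer` has been deployed.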
@ -58,7 +60,9 @@ If you don't already have an EFS DRA certificate, you'll need to create and extr
3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: 3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
<code>cipher /c <i>filename</i></code> ```cmd
cipher /c filename
```
Where *filename* is the name of the file you created in Step 1. Where *filename* is the name of the file you created in Step 1.
@ -72,9 +76,11 @@ If you don't already have an EFS DRA certificate, you'll need to create and extr
3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: 3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command:
<code>cipher /d <i>encryptedfile.extension</i></code> ```cmd
cipher /d encryptedfile.extension
Where *encryptedfile.extension* is the name of your encrypted file. For example, corporatedata.docx. ```
Where *encryptedfile.extension* is the name of your encrypted file. For example, `corporatedata.docx`.
## Recover WIP-protected after unenrollment ## Recover WIP-protected after unenrollment
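Review bot: the heading "Recover WIP-protected after unenrollment" is missing its noun and should read "Recover WIP-protected data after unenrollment"; it is a context line, but the file is being edited in this hunk and the heading is what readers land on from search. The `cipher /d` fence conversion and the backticked `corporatedata.docx` look right.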
@ -84,26 +90,34 @@ It's possible that you might revoke data from an unenrolled device only to later
>To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. >To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device.
1. Have the employee sign in to the unenrolled device, open an elevated command prompt, and type: 1. Have the employee sign in to the unenrolled device, open an elevated command prompt, and type:
<code>Robocopy "%localappdata%\Microsoft\EDP\Recovery" "<i>new_location</i>" * /EFSRAW</code> ```cmd
Robocopy "%localappdata%\Microsoft\EDP\Recovery" "new_location" * /EFSRAW
```
Where "*new_location*" is in a different directory. This can be on the employee's device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent. Where "*new_location*" is in a different directory. This can be on the employee's device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent.
To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**. To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**.
![Robocopy in S mode.](images/robocopy-s-mode.png) ![Robocopy in S mode.](images/robocopy-s-mode.png)
If the employee performed a clean installation and there is no user profile, you need to recover the keys from the System Volume folder in each drive. Type: If the employee performed a clean installation and there is no user profile, you need to recover the keys from the System Volume folder in each drive. Type:
<code>Robocopy "<i>drive_letter</i>:\System Volume Information\EDP\Recovery\" "<i>new_location</i>" * /EFSRAW</code> ```cmd
Robocopy "drive_letter:\System Volume Information\EDP\Recovery\" "new_location" * /EFSRAW
```
2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing: 2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing:
<code>cipher.exe /D "<i>new_location</i>"</code> ```cmd
cipher.exe /D "new_location"
```
3. Have your employee sign in to the unenrolled device, and type: 3. Have your employee sign in to the unenrolled device, and type:
<code>Robocopy "<i>new_location</i>" "%localappdata%\Microsoft\EDP\Recovery\Input"</code> ```cmd
Robocopy "new_location" "%localappdata%\Microsoft\EDP\Recovery\Input"
```
4. Ask the employee to lock and unlock the device. 4. Ask the employee to lock and unlock the device.
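Review bot: the trailing backslash in `Robocopy "drive_letter:\System Volume Information\EDP\Recovery\" "new_location" * /EFSRAW` sits directly before the closing quote, which the Windows command-line parser treats as an escaped quote; the source path and the destination then run together and Robocopy fails with a usage error. Drop that backslash, as the first Robocopy line in this hunk (`"%localappdata%\Microsoft\EDP\Recovery"`) already does. Keeping `/EFSRAW` on both copies is right: it moves the ciphertext without needing any key on the unenrolled device, so only the step 2 machine that has the DRA certificate ever sees plaintext.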
@ -127,7 +141,8 @@ The employee experience is based on sign in with an Azure AD work account. The e
After signing in, the necessary WIP key info is automatically downloaded and employees are able to access the files again. After signing in, the necessary WIP key info is automatically downloaded and employees are able to access the files again.
**To test what the employee sees during the WIP key recovery process** ### To test what the employee sees during the WIP key recovery process
1. Attempt to open a work file on an unenrolled device. 1. Attempt to open a work file on an unenrolled device.
The **Connect to Work to access work files** box appears. The **Connect to Work to access work files** box appears.
@ -139,6 +154,7 @@ After signing in, the necessary WIP key info is automatically downloaded and emp
3. Sign-in to Azure AD as the employee and verify that the files now open 3. Sign-in to Azure AD as the employee and verify that the files now open
## Related topics ## Related topics
- [Security Watch Deploying EFS: Part 1](/previous-versions/technet-magazine/cc162507(v=msdn.10)) - [Security Watch Deploying EFS: Part 1](/previous-versions/technet-magazine/cc162507(v=msdn.10))
- [Protecting Data by Using EFS to Encrypt Hard Drives](/previous-versions/tn-archive/cc875821(v=technet.10)) - [Protecting Data by Using EFS to Encrypt Hard Drives](/previous-versions/tn-archive/cc875821(v=technet.10))
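Review bot: the context line `3. Sign-in to Azure AD as the employee and verify that the files now open` uses the noun form as a verb and has no terminating period; since this hunk already touches the neighbourhood, change it to "Sign in to Azure AD as the employee and verify that the files now open."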
@ -151,4 +167,4 @@ After signing in, the necessary WIP key info is automatically downloaded and emp
>[!Note] >[!Note]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to this article](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to this article](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

View File

@ -17,53 +17,46 @@ ms.date: 02/26/2019
ms.reviewer: ms.reviewer:
--- ---
# Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune # Associate and deploy a VPN policy for Windows Information Protection (WIP) using Endpoint Manager
**Applies to:** **Applies to:**
- Windows 10, version 1607 and later - Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy. After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
## Associate your WIP policy to your VPN policy by using Microsoft Intune ## Associate your WIP policy to your VPN policy using Endpoint Manager
Follow these steps to associate your WIP policy with your organization's existing VPN policy.
**To associate your policies** To associate your WIP policy with your organization's existing VPN policy, use the following steps:
1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration). 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
3. Enter the following properties:
2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**. - **Platform**: Select **Windows 10 and later**
- **Profile**: Select **Templates** > **Custom**.
![Microsoft Intune, Create a new policy using the portal.](images/wip-azure-vpn-device-policy.png) 4. Select **Create**.
5. In **Basics**, enter the following properties:
3. In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**. - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later.
- **Description**: Enter a description for the profile. This setting is optional, but recommended.
![Microsoft Intune, Create a new policy using the Create Profile blade.](images/wip-azure-vpn-configure-policy.png) 6. Select **Next**.
7. In **Configuration settings**, enter the following properties:
4. In the **Custom OMA-URI Settings** blade, click **Add**. - **Name**: Enter a name for your setting. For example, enter `EDPModeID`.
- **OMA-URI**: Enter `./Vendor/MSFT/VPNv2/YourVPNProfileName/EDPModeId`.
- **Data type**: Select `String`.
- **Value**: Type your fully-qualified domain that should be used by the OMA-URI setting. For example, enter `corp.contoso.com`.
5. In the **Add Row** blade, type: For more information on these settings, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
- **Name.** Type a name for your setting, such as *EDPModeID*. 8. Select **Next**, and continue configuring the policy. For the specific steps and recommendations, see [Create a profile with custom settings in Intune](/mem/intune/configuration/custom-settings-configure).
- **Description.** Type an optional description for your setting.
- **OMA-URI.** Type _./Vendor/MSFT/VPNv2/&lt;VPNProfileName&gt;/EDPModeId_ into the box.
- **Data type.** Select **String** from the dropdown box
- **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_.
![Microsoft Intune, Add your OMA-URI settings.](images/wip-azure-vpn-custom-omauri.png)
6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy.
7. Click **Create** to create the policy, including your OMA_URI info.
## Deploy your VPN policy using Microsoft Intune ## Deploy your VPN policy using Microsoft Intune
After youve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
**To deploy your Custom VPN policy** After youve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
1. On the **App policy** blade, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**. 1. On the **App policy** blade, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**.
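Review bot: the rewritten procedure drops the old step 1 (create the VPN profile first, with links to the Intune VPN docs), yet the OMA-URI `./Vendor/MSFT/VPNv2/YourVPNProfileName/EDPModeId` is keyed on the name of an already existing VPN profile; add a prerequisite sentence that the VPN profile must exist and that `YourVPNProfileName` must be replaced with its exact name, since the placeholder now looks like a literal path segment. The **Deploy your VPN policy using Microsoft Intune** section below it was left untouched and still refers to the **App policy** blade and **User groups**, so it needs the same Endpoint Manager rewrite, and the page title's "using Endpoint Manager" no longer matches that section heading.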

View File

@ -19,8 +19,7 @@ ms.reviewer:
**Applies to:** **Applies to:**
- Windows 10, version 1607 and later - Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune manages only the apps on a user's personal device. Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune manages only the apps on a user's personal device.
@ -28,10 +27,10 @@ Microsoft Intune has an easy way to create and deploy a Windows Information Prot
You can create an app protection policy in Intune either with device enrollment for MDM or without device enrollment for MAM. The process to create either policy is similar, but there are important differences: You can create an app protection policy in Intune either with device enrollment for MDM or without device enrollment for MAM. The process to create either policy is similar, but there are important differences:
- MAM has additional **Access** settings for Windows Hello for Business. - MAM has more **Access** settings for Windows Hello for Business.
- MAM can [selectively wipe company data](/intune/apps-selective-wipe) from a user's personal device. - MAM can [selectively wipe company data](/intune/apps-selective-wipe) from a user's personal device.
- MAM requires an [Azure Active Directory (Azure AD) Premium license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). - MAM requires an [Azure Active Directory (Azure AD) Premium license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses).
- An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. - An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and regain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
- MAM supports only one user per device. - MAM supports only one user per device.
- MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md). - MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md).
- Only MDM can use [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) policies. - Only MDM can use [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) policies.
@ -40,15 +39,15 @@ You can create an app protection policy in Intune either with device enrollment
## Prerequisites ## Prerequisites
Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Directory (Azure AD) Premium license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery relies on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Directory (Azure AD) Premium license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and regain access to protected data. WIP auto-recovery relies on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
## Configure the MDM or MAM provider ## Configure the MDM or MAM provider
1. Sign in to the Azure portal. 1. Sign in to the Azure portal.
2. Click **Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**. 2. Select **Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**.
3. Click **Restore Default URLs** or enter the settings for MDM or MAM user scope and click **Save**: 3. Select **Restore Default URLs** or enter the settings for MDM or MAM user scope and select **Save**:
![Configure MDM or MAM provider.](images/mobility-provider.png) ![Configure MDM or MAM provider.](images/mobility-provider.png)
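Review bot: the **Prerequisites** paragraph repeats, almost word for word, the two license bullets from the previous hunk (MAM requires Azure AD Premium; auto-recovery requires it too and depends on MDM auto-enrollment); since both hunks are being edited for the same wording fix, consider keeping the statement in one place and linking to it from the other so the two copies do not drift again.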
@ -56,11 +55,11 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
1. Sign in to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). 1. Sign in to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
2. Open Microsoft Intune and click **Apps** > **App protection policies** > **Create policy**. 2. Open Microsoft Intune and select **Apps** > **App protection policies** > **Create policy**.
![Open Client apps.](images/create-app-protection-policy.png) ![Open Client apps.](images/create-app-protection-policy.png)
3. In the **App policy** screen, click **Add a policy**, and then fill out the fields: 3. In the **App policy** screen, select **Add a policy**, and then fill out the fields:
- **Name.** Type a name (required) for your new policy. - **Name.** Type a name (required) for your new policy.
@ -72,7 +71,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
![Add a mobile app policy.](images/add-a-mobile-app-policy.png) ![Add a mobile app policy.](images/add-a-mobile-app-policy.png)
4. Click **Protected apps** and then click **Add apps**. 4. Select **Protected apps** and then select **Add apps**.
![Add protected apps.](images/add-protected-apps.png) ![Add protected apps.](images/add-protected-apps.png)
@ -87,13 +86,13 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
### Add recommended apps ### Add recommended apps
Select **Recommended apps** and select each app you want to access your enterprise data or select them all, and click **OK**. Select **Recommended apps** and select each app you want to access your enterprise data or select them all, and select **OK**.
![Microsoft Intune management console: Recommended apps.](images/recommended-apps.png) ![Microsoft Intune management console: Recommended apps.](images/recommended-apps.png)
### Add Store apps ### Add Store apps
Select **Store apps**, type the app product name and publisher, and click **OK**. For example, to add the Power BI Mobile App from the Store, type the following: Select **Store apps**, type the app product name and publisher, and select **OK**. For example, to add the Power BI Mobile App from the Store, type the following:
- **Name**: Microsoft Power BI - **Name**: Microsoft Power BI
- **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` - **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
@ -101,15 +100,15 @@ Select **Store apps**, type the app product name and publisher, and click **OK**
![Add Store app.](images/add-a-protected-store-app.png) ![Add Store app.](images/add-a-protected-store-app.png)
To add multiple Store apps, click the ellipsis **…**. To add multiple Store apps, select the ellipsis `…`.
If you don't know the Store app publisher or product name, you can find them by following these steps. If you don't know the Store app publisher or product name, you can find them by following these steps.
1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Power BI Mobile App*. 1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Power BI Mobile App*.
2. Copy the ID value from the app URL. For example, the Power BI Mobile App ID URL is https://www.microsoft.com/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`. 2. Copy the ID value from the app URL. For example, the Power BI Mobile App ID URL is `https://www.microsoft.com/store/p/microsoft-power-bi/9nblgggzlxn1`, and you'd copy the ID value, `9nblgggzlxn1`.
3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where `9nblgggzlxn1` is replaced with your ID value. 3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run `https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata`, where `9nblgggzlxn1` is replaced with your ID value.
The API runs and opens a text editor with the app details. The API runs and opens a text editor with the app details.
@ -132,6 +131,7 @@ If you don't know the Store app publisher or product name, you can find them by
> "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", > "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
> } > }
<!-- 01.06.2022 mandia: Commenting out, as these events are specific to Windows Phone.
> [!NOTE] > [!NOTE]
> Your PC and phone must be on the same wireless network. > Your PC and phone must be on the same wireless network.
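Review bot: the new `<!-- 01.06.2022 mandia: Commenting out, as these events are specific to Windows Phone.` wrapper leaves the whole Windows Phone procedure in the source, where it will drift unmaintained; since this same change set removes Windows 10 Mobile from the **Applies to** lists, delete the block instead (git history keeps it). The comment text also says "these events" where it means "these steps", and the closing `-->` lands in a separate hunk, so anyone reading only this hunk cannot tell how much is commented out.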
@ -160,6 +160,8 @@ If you don't know the Store app publisher or product name, you can find them by
> "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", > "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
> } > }
-->
### Add Desktop apps ### Add Desktop apps
To add **Desktop apps**, complete the following fields, based on what results you want returned. To add **Desktop apps**, complete the following fields, based on what results you want returned.
@ -167,14 +169,14 @@ To add **Desktop apps**, complete the following fields, based on what results yo
|Field|Manages| |Field|Manages|
|--- |--- | |--- |--- |
|All fields marked as “*”|All files signed by any publisher. (Not recommended and may not work)| |All fields marked as “*”|All files signed by any publisher. (Not recommended and may not work)|
|Publisher only|If you only fill out this field, youll get all files signed by the named publisher.This might be useful if your company is the publisher and signer of internal line-of-business apps.| |Publisher only|If you only fill out this field, youll get all files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps.|
|Publisher and Name only|If you only fill out these fields, youll get all files for the specified product, signed by the named publisher.| |Publisher and Name only|If you only fill out these fields, youll get all files for the specified product, signed by the named publisher.|
|Publisher, Name, and File only|If you only fill out these fields, youll get any version of the named file or package for the specified product, signed by the named publisher.| |Publisher, Name, and File only|If you only fill out these fields, youll get any version of the named file or package for the specified product, signed by the named publisher.|
|Publisher, Name, File, and Min version only|If you only fill out these fields, youll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher.This option is recommended for enlightened apps that weren't previously enlightened.| |Publisher, Name, File, and Min version only|If you only fill out these fields, youll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened.|
|Publisher, Name, File, and Max version only|If you only fill out these fields, youll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.| |Publisher, Name, File, and Max version only|If you only fill out these fields, youll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.|
|All fields completed|If you fill out all fields, youll get the specified version of the named file or package for the specified product, signed by the named publisher.| |All fields completed|If you fill out all fields, youll get the specified version of the named file or package for the specified product, signed by the named publisher.|
To add another Desktop app, click the ellipsis **…**. After youve entered the info into the fields, click **OK**. To add another Desktop app, select the ellipsis **…**. After youve entered the info into the fields, select **OK**.
![Microsoft Intune management console: Adding Desktop app info.](images/wip-azure-add-desktop-apps.png) ![Microsoft Intune management console: Adding Desktop app info.](images/wip-azure-add-desktop-apps.png)
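Review bot: the **Min version** row still says "recommended for enlightened apps that weren't previously enlightened", which contradicts itself; the point of a minimum version is to admit only the releases in which the app became enlightened, so "recommended for apps that became enlightened in a later version" would say that. The last line keeps the ellipsis as `**…**` while the Store apps hunk above changed the same character to backticks; use one form in both places.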
@ -200,7 +202,7 @@ Path Publisher
Where `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the **Publisher** name and `WORDPAD.EXE` is the **File** name. Where `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the **Publisher** name and `WORDPAD.EXE` is the **File** name.
Regarding to how to get the Product Name for the Apps you wish to Add, please reach out to our Windows Support Team to request the guidelines Regarding to how to get the Product Name for the Apps you wish to Add, contact the Windows Support Team to request the guidelines
### Import a list of apps ### Import a list of apps
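Review bot: "Regarding to how to get the Product Name for the Apps you wish to Add, contact the Windows Support Team to request the guidelines" is still ungrammatical, inconsistently capitalized, and has no terminating period; suggest "For guidance on finding the Product Name for the apps you want to add, contact the Windows Support Team."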
@ -215,35 +217,35 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
1. Open the Local Security Policy snap-in (SecPol.msc). 1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. 2. Expand **Application Control Policies**, expand **AppLocker**, and then select **Packaged App Rules**.
![Local security snap-in, showing the Packaged app Rules.](images/wip-applocker-secpol-1.png) ![Local security snap-in, showing the Packaged app Rules.](images/wip-applocker-secpol-1.png)
3. Right-click in the right-hand blade, and then click **Create New Rule**. 3. Right-click in the right side, and then select **Create New Rule**.
The **Create Packaged app Rules** wizard appears. The **Create Packaged app Rules** wizard appears.
4. On the **Before You Begin** page, click **Next**. 4. On the **Before You Begin** page, select **Next**.
![Screenshot of the Before You Begin tab.](images/wip-applocker-secpol-wizard-1.png) ![Screenshot of the Before You Begin tab.](images/wip-applocker-secpol-wizard-1.png)
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. 5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then select **Next**.
![Screenshot of the Permissions tab with "Allow" and "Everyone" selected](images/wip-applocker-secpol-wizard-2.png) ![Screenshot of the Permissions tab with "Allow" and "Everyone" selected](images/wip-applocker-secpol-wizard-2.png)
6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. 6. On the **Publisher** page, choose **Select** from the **Use an installed packaged app as a reference** area.
![Screenshot of the "Use an installed package app as a reference" radio button selected and the Select button highlighted](images/wip-applocker-secpol-wizard-3.png) ![Screenshot of the "Use an installed package app as a reference" radio button selected and the Select button highlighted](images/wip-applocker-secpol-wizard-3.png)
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, were using Microsoft Dynamics 365. 7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then select **OK**. For this example, were using Microsoft Dynamics 365.
![Screenshot of the Select applications list.](images/wip-applocker-secpol-wizard-4.png) ![Screenshot of the Select applications list.](images/wip-applocker-secpol-wizard-4.png)
8. On the updated **Publisher** page, click **Create**. 8. On the updated **Publisher** page, select **Create**.
![Screenshot of the Publisher tab.](images/wip-applocker-secpol-wizard-5.png) ![Screenshot of the Publisher tab.](images/wip-applocker-secpol-wizard-5.png)
9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy. 9. Select **No** in the dialog box that appears, asking if you want to create the default rules. Don't create default rules for your WIP policy.
![Screenshot of AppLocker warning.](images/wip-applocker-default-rule-warning.png) ![Screenshot of AppLocker warning.](images/wip-applocker-default-rule-warning.png)
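Review bot: step 3, "Right-click in the right side", reads oddly now that "blade" is gone; the snap-in has panes, so "Right-click in the right pane" matches the "left pane" wording used in the Executable Rules procedure below. Step 9's change from "You must not create default rules" to "Don't create default rules" softens a hard requirement: the packaged-app default rule allows all signed packaged apps, and importing that into the policy would make every signed app a protected app, so keep the stronger wording and state that reason.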
@ -251,15 +253,15 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
![Local security snap-in, showing the new rule.](images/wip-applocker-secpol-create.png) ![Local security snap-in, showing the new rule.](images/wip-applocker-secpol-create.png)
10. In the left blade, right-click on **AppLocker**, and then click **Export policy**. 10. On the left, right-click on **AppLocker**, and then select **Export policy**.
The **Export policy** box opens, letting you export and save your new policy as XML. The **Export policy** box opens, letting you export and save your new policy as XML.
![Local security snap-in, showing the Export Policy option.](images/wip-applocker-secpol-export.png) ![Local security snap-in, showing the Export Policy option.](images/wip-applocker-secpol-export.png)
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then select **Save**.
The policy is saved and youll see a message that says 1 rule was exported from the policy. The policy is saved and youll see a message that says one rule was exported from the policy.
**Example XML file**<br> **Example XML file**<br>
This is the XML file that AppLocker creates for Microsoft Dynamics 365. This is the XML file that AppLocker creates for Microsoft Dynamics 365.
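Review bot: `**Example XML file**<br>` keeps an HTML line break while the rest of this change set is converting HTML remnants to Markdown (the `<code>`/`<i>` blocks earlier); make it a heading or a plain line with a blank line after it, and tighten "This is the XML file that AppLocker creates" to "The XML file AppLocker exports for Microsoft Dynamics 365 looks like this:".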
@ -291,40 +293,40 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
1. Open the Local Security Policy snap-in (SecPol.msc). 1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left pane, click **Application Control Policies** > **AppLocker** > **Executable Rules**. 2. In the left pane, select **Application Control Policies** > **AppLocker** > **Executable Rules**.
3. Right-click **Executable Rules** > **Create New Rule**. 3. Right-click **Executable Rules** > **Create New Rule**.
![Local security snap-in, showing the Executable Rules.](images/create-new-path-rule.png) ![Local security snap-in, showing the Executable Rules.](images/create-new-path-rule.png)
4. On the **Before You Begin** page, click **Next**. 4. On the **Before You Begin** page, select **Next**.
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. 5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then select **Next**.
6. On the **Conditions** page, click **Path** and then click **Next**. 6. On the **Conditions** page, select **Path** and then select **Next**.
![Screenshot with Path conditions selected in the Create Executable Rules wizard.](images/path-condition.png) ![Screenshot with Path conditions selected in the Create Executable Rules wizard.](images/path-condition.png)
7. Click **Browse Folders...** and select the path for the unsigned apps. For this example, were using "C:\Program Files". 7. Select **Browse Folders...** and select the path for the unsigned apps. For this example, were using "C:\Program Files".
![Screenshot of the Path field of the Create Executable Rules wizard.](images/select-path.png) ![Screenshot of the Path field of the Create Executable Rules wizard.](images/select-path.png)
8. On the **Exceptions** page, add any exceptions and then click **Next**. 8. On the **Exceptions** page, add any exceptions and then select **Next**.
9. On the **Name** page, type a name and description for the rule and then click **Create**. 9. On the **Name** page, type a name and description for the rule and then select **Create**.
10. In the left pane, right-click **AppLocker** > **Export policy**. 10. In the left pane, right-click **AppLocker** > **Export policy**.
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then select **Save**.
The policy is saved and youll see a message that says 1 rule was exported from the policy. The policy is saved and youll see a message that says one rule was exported from the policy.
12. After youve created your XML file, you need to import it by using Microsoft Intune. 12. After youve created your XML file, you need to import it by using Microsoft Intune.
**To import a list of protected apps using Microsoft Intune** **To import a list of protected apps using Microsoft Intune**
1. In **Protected apps**, click **Import apps**. 1. In **Protected apps**, select **Import apps**.
![Import protected apps.](images/import-protected-apps.png) ![Import protected apps.](images/import-protected-apps.png)
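Review bot: the quoted export message in the line starting "The policy is saved" changes from "1 rule was exported" to "one rule was exported"; if this is the text AppLocker displays, keep the numeral as the UI shows it, or drop the quotation framing and paraphrase ("a message confirms that a single rule was exported") so readers can match what they see on screen. The click-to-select edits in the rest of the hunk are consistent.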
@ -332,20 +334,20 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
![Microsoft Intune, Importing your AppLocker policy file using Intune.](images/wip-azure-import-apps.png) ![Microsoft Intune, Importing your AppLocker policy file using Intune.](images/wip-azure-import-apps.png)
2. Browse to your exported AppLocker policy file, and then click **Open**. 2. Browse to your exported AppLocker policy file, and then select **Open**.
The file imports and the apps are added to your **Protected apps** list. The file imports and the apps are added to your **Protected apps** list.
### Exempt apps from a WIP policy ### Exempt apps from a WIP policy
If your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. If your app is incompatible with WIP, but still needs to be used with enterprise data, then you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
1. In **Client apps - App protection policies**, click **Exempt apps**. 1. In **Client apps - App protection policies**, select **Exempt apps**.
![Exempt apps.](images/exempt-apps.png) ![Exempt apps.](images/exempt-apps.png)
2. In **Exempt apps**, click **Add apps**. 2. In **Exempt apps**, select **Add apps**.
Be aware that when you exempt apps, theyre allowed to bypass the WIP restrictions and access your corporate data. When you exempt apps, theyre allowed to bypass the WIP restrictions and access your corporate data.
3. Fill out the rest of the app info, based on the type of app youre adding: 3. Fill out the rest of the app info, based on the type of app youre adding:
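Review bot: the inserted "then" in "If your app is incompatible with WIP, but still needs to be used with enterprise data, then you can exempt the app" adds nothing and reads stilted; the original "..., you can exempt the app" was cleaner. While this paragraph is open, "It also means that your exempted apps might leak." leaves the object unstated; "might leak enterprise data" names the consequence that the preceding sentence (no auto-encryption, no tagging, no network restrictions) describes.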
@ -357,40 +359,40 @@ If your app is incompatible with WIP, but still needs to be used with enterprise
- [Import apps](#import-a-list-of-apps) - [Import apps](#import-a-list-of-apps)
4. Click **OK**. 4. Select **OK**.
## Manage the WIP protection mode for your enterprise data ## Manage the WIP protection mode for your enterprise data
After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Block**. We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Block**.
1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings**. 1. From **App protection policy**, select the name of your policy, and then select **Required settings**.
![Microsoft Intune, Required settings blade showing Windows Information Protection mode.](images/wip-azure-required-settings-protection-mode.png) ![Microsoft Intune, Required settings shows Windows Information Protection mode.](images/wip-azure-required-settings-protection-mode.png)
|Mode |Description | |Mode |Description |
|-----|------------| |-----|------------|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would have been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<br><br>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on.| |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<br><br>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on.|
2. Click **Save**. 2. Select **Save**.
## Define your enterprise-managed corporate identity ## Define your enterprise-managed corporate identity
Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps youve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. Corporate identity, typically expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps youve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the **Corporate identity** field. Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the **Corporate identity** field.
**To change your corporate identity** **To change your corporate identity**
1. From the **App policy** blade, click the name of your policy, and then click **Required settings**. 1. From **App policy**, select the name of your policy, and then select **Required settings**.
2. If the auto-defined identity isnt correct, you can change the info in the **Corporate identity** field. 2. If the auto-defined identity isnt correct, you can change the info in the **Corporate identity** field.
![Microsoft Intune, Set your corporate identity for your organization.](images/wip-azure-required-settings-corp-identity.png) ![Microsoft Intune, Set your corporate identity for your organization.](images/wip-azure-required-settings-corp-identity.png)
3. To add domains, such your email domain names, click **Configure Advanced settings** > **Add network boundary** and select **Protected domains**. 3. To add domains, such your email domain names, select **Configure Advanced settings** > **Add network boundary** and select **Protected domains**.
![Add protected domains.](images/add-protected-domains.png) ![Add protected domains.](images/add-protected-domains.png)
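Review bot: "To add domains, such your email domain names, select **Configure Advanced settings** ..." still drops the "as" of "such as" on the new side; since this line is already being touched, fix it to "such as your email domain names". The "would've" to "would have" change and the removal of "blade" are consistent with the rest of the change set.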
@ -399,17 +401,17 @@ After you've added a protection mode to your apps, you'll need to decide where t
There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprises range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprises range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
To define the network boundaries, click **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**. To define the network boundaries, select **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**.
![Microsoft Intune, Set where your apps can access enterprise data on your network.](images/wip-azure-advanced-settings-network.png) ![Microsoft Intune, Set where your apps can access enterprise data on your network.](images/wip-azure-advanced-settings-network.png)
Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the options covered in the following subsections, and then click **OK**. Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the options covered in the following subsections, and then select **OK**.
### Cloud resources ### Cloud resources
Specify the cloud resources to be treated as corporate and protected by WIP. Specify the cloud resources to be treated as corporate and protected by WIP.
For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource.
Be aware that all traffic routed through your Internal proxy servers is considered enterprise. All traffic routed through your Internal proxy servers is considered enterprise.
Separate multiple resources with the "|" delimiter. Separate multiple resources with the "|" delimiter.
For example: For example:
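Review bot: "There are no default locations included with WIP, you must add each of your network locations." is a comma splice carried over unchanged to the new side; suggest "There are no default locations included with WIP; you must add each of your network locations." (or "..., so you must add ...").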
@ -418,7 +420,7 @@ For example:
URL <,proxy>|URL <,proxy> URL <,proxy>|URL <,proxy>
``` ```
Personal applications will be able to access a cloud resource that has a blank space or an invalid character, such as a trailing dot in the URL. Personal applications can access a cloud resource that has a blank space or an invalid character, such as a trailing dot in the URL.
To add a subdomain for a cloud resource, use a period (.) instead of an asterisk (*). For example, to add all subdomains within Office.com, use ".office.com" (without the quotation marks). To add a subdomain for a cloud resource, use a period (.) instead of an asterisk (*). For example, to add all subdomains within Office.com, use ".office.com" (without the quotation marks).
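Review bot: "Personal applications can access a cloud resource that has a blank space or an invalid character, such as a trailing dot in the URL." now reads like a capability rather than the misconfiguration warning it is. Suggest stating cause and effect explicitly, e.g. "If a cloud resource entry contains a blank space or an invalid character, such as a trailing dot, that entry does not protect the resource and personal apps can access it." An entry that is accepted but not enforced is exactly the kind of mistake an admin needs to be told to check for.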
@ -448,7 +450,7 @@ contoso.sharepoint.com|contoso.visualstudio.com|contoso.onedrive.com,
### Protected domains ### Protected domains
Specify the domains used for identities in your environment. Specify the domains used for identities in your environment.
All traffic to the fully-qualified domains appearing in this list will be protected. All traffic to the fully qualified domains appearing in this list will be protected.
Separate multiple domains with the "|" delimiter. Separate multiple domains with the "|" delimiter.
```console ```console
@ -458,7 +460,7 @@ exchange.contoso.com|contoso.com|region.contoso.com
### Network domains ### Network domains
Specify the DNS suffixes used in your environment. Specify the DNS suffixes used in your environment.
All traffic to the fully-qualified domains appearing in this list will be protected. All traffic to the fully qualified domains appearing in this list will be protected.
Separate multiple resources with the "," delimiter. Separate multiple resources with the "," delimiter.
```console ```console
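Review bot: "All traffic to the fully qualified domains appearing in this list will be protected." under "### Network domains" is the same sentence as under "### Protected domains" in the previous hunk, but this section asks for DNS suffixes, not fully qualified domains; reword to match the input, e.g. "All traffic to hosts whose names end in one of these DNS suffixes will be protected." The "fully-qualified" to "fully qualified" spelling change itself is fine.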
@ -527,13 +529,13 @@ Separate multiple resources with the "," delimiter.
sts.contoso.com,sts.contoso2.com sts.contoso.com,sts.contoso2.com
``` ```
Decide if you want Windows to look for additional network settings: Decide if you want Windows to look for more network settings:
- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you turn this off, Windows will search for additional proxy servers in your immediate network. - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you turn this off, Windows will search for more proxy servers in your immediate network.
- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you turn this off, Windows will search for additional IP ranges on any domain-joined devices connected to your network. - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you turn this off, Windows will search for more IP ranges on any domain-joined devices connected to your network.
![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise.](images/wip-azure-advanced-settings-network-autodetect.png) ![Microsoft Intune, Choose if you want Windows to search for more proxy servers or IP ranges in your enterprise.](images/wip-azure-advanced-settings-network-autodetect.png)
## Upload your Data Recovery Agent (DRA) certificate ## Upload your Data Recovery Agent (DRA) certificate
After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees local device drive. If somehow the employees local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data. After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees local device drive. If somehow the employees local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.
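Review bot: "the private key that can unencrypt the data" in the DRA paragraph should say "decrypt"; "unencrypt" is not the standard term. While here, "lets Windows use an included public key to encrypt the local data" could name whose key it is (the DRA certificate's public key) so the recovery model is clear: data is encrypted to the certificate's public key and recovered with the private key you hold.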
@ -542,11 +544,11 @@ After you create and deploy your WIP policy to your employees, Windows begins to
>Using a DRA certificate isnt mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see [Data Recovery and Encrypting File System (EFS)](/previous-versions/tn-archive/cc512680(v=technet.10)). For more info about creating and verifying your EFS DRA certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate). >Using a DRA certificate isnt mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see [Data Recovery and Encrypting File System (EFS)](/previous-versions/tn-archive/cc512680(v=technet.10)). For more info about creating and verifying your EFS DRA certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
**To upload your DRA certificate** **To upload your DRA certificate**
1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. 1. From **App policy**, select the name of your policy, and then select **Advanced settings** from the menu that appears.
The **Advanced settings** blade appears. **Advanced settings** shows.
2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. 2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, select **Browse** to add a data recovery certificate for your policy.
![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate.](images/wip-azure-advanced-settings-efsdra.png) ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate.](images/wip-azure-advanced-settings-efsdra.png)
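Review bot: "**Advanced settings** shows." is not idiomatic English; replacing "The **Advanced settings** blade appears." with "The **Advanced settings** page appears." (or "opens") keeps the meaning while still dropping the "blade" terminology this change removes elsewhere.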
@ -559,15 +561,15 @@ After you've decided where your protected apps can access enterprise data on you
- **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
- **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if youre migrating between Mobile Device Management (MDM) solutions. - **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if youre migrating between Mobile Device Management (MDM) solutions.
**Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: **Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
- **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Also, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu.
- **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option.
**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they are copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS templates license. Only users with permission to that template will be able to read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp). **Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared with employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they're copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS templates license. Only users with permission to that template can read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp).
- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesnt actually apply Azure Information Protection to the files. - **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesnt actually apply Azure Information Protection to the files.
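Review bot: the **On** bullet for the icon overlay now reads "Also, for unenlightened but protected apps, the icon overlay also appears", doubling "also"; drop the second one. In the **Use Azure RMS for WIP** paragraph, "the RMS templates license" needs a possessive ("RMS template's license"), and "securely shared with employees" shifts the sense of the original "amongst employees" (sharing between employees, not from you to them); "shared among employees" keeps that.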
@ -586,11 +588,11 @@ After you've decided where your protected apps can access enterprise data on you
## Encrypted file extensions ## Encrypted file extensions
You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. You can restrict which files are protected by WIP when they're downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied.
![WIP encrypted file extensions.](images/wip-encrypted-file-extensions.png) ![WIP encrypted file extensions.](images/wip-encrypted-file-extensions.png)
## Related topics ## Related articles
- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) - [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)

View File

@ -21,12 +21,11 @@ ms.reviewer:
**Applies to:** **Applies to:**
- Windows 10, version 1607 and later - Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
After youve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information. After youve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
**To deploy your WIP policy** ## To deploy your WIP policy
1. On the **App protection policies** pane, click your newly-created policy, click **Assignments**, and then select groups to include or exclude from the policy. 1. On the **App protection policies** pane, click your newly-created policy, click **Assignments**, and then select groups to include or exclude from the policy.
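Review bot: the step "On the **App protection policies** pane, click your newly-created policy, click **Assignments**, ..." still uses "click" twice while the other file in this change moves to "select"; update it for consistency and drop the hyphen in "newly created". Also, turning the bold line "To deploy your WIP policy" into a "##" heading diverges from the other file, which keeps bold lines such as "**To upload your DRA certificate**" for the same kind of procedure heading; pick one convention across the set.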

View File

@ -23,7 +23,6 @@ ms.date: 05/02/2019
**Applies to:** **Applies to:**
- Windows 10, version 1607 and later - Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.

View File

@ -21,12 +21,12 @@ ms.date: 02/26/2019
# General guidance and best practices for Windows Information Protection (WIP) # General guidance and best practices for Windows Information Protection (WIP)
**Applies to:** **Applies to:**
- Windows 10, version 1607 and later - Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
This section includes info about the enlightened Microsoft apps, including how to add them to your allowed apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP). This section includes info about the enlightened Microsoft apps, including how to add them to your allowed apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP).
## In this section ## In this section
|Topic |Description | |Topic |Description |
|------|------------| |------|------------|
|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. | |[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |

View File

@ -21,7 +21,6 @@ ms.reviewer:
**Applies to:** **Applies to:**
- Windows 10, version 1607 and later - Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise.

View File

@ -20,12 +20,12 @@ ms.date: 02/26/2019
# Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager # Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager
**Applies to:** **Applies to:**
- Windows 10, version 1607 and later - Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
## In this section ## In this section
|Topic |Description | |Topic |Description |
|------|------------| |------|------------|
|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | |[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
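Review bot: "Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy" pairs the abbreviation WIP with the wrong expansion; the heading says "Windows Information Protection (WIP)" and the table row says "WIP policy", so use "Windows Information Protection (WIP) policy" here. The heading also names "Microsoft Endpoint Configuration Manager" while the body says "Microsoft Endpoint Manager"; use one product name consistently.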

View File

@ -21,11 +21,11 @@ ms.date: 03/11/2019
**Applies to:** **Applies to:**
- Windows 10, version 1607 and later - Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
## In this section ## In this section
|Topic |Description | |Topic |Description |
|------|------------| |------|------------|
|[Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM (Mobile Device Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | |[Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM (Mobile Device Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
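Review bot: "Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy" has the same mismatch between abbreviation and expansion: WIP is Windows Information Protection, as the table row below ("your WIP policy") and the rest of these articles use it, so change to "your Windows Information Protection (WIP) policy".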

View File

@ -23,7 +23,6 @@ ms.date: 03/05/2019
**Applies to:** **Applies to:**
- Windows 10, version 1607 and later - Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).

View File

@ -22,25 +22,25 @@ ms.reviewer:
**Applies to:** **Applies to:**
- Windows 10, version 1607 and later - Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a WIP policy. If you are using Intune, the SharePoint entries may be added automatically. We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a WIP policy. If you are using Intune, the SharePoint entries may be added automatically.
## Recommended Enterprise Cloud Resources ## Recommended Enterprise Cloud Resources
This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on the apps you use in your organization. This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on the apps you use in your organization.
|If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting<br>(Replace "contoso" with your domain name(s)| |If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting<br>(Replace "contoso" with your domain name(s)|
|-----------------------------|---------------------------------------------------------------------| |-----------------------------|---------------------------------------------------------------------|
|Sharepoint Online |<ul><li>contoso.sharepoint.com</li><li>contoso-my.sharepoint.com</li><li>contoso-files.sharepoint.com</li></ul> | |Sharepoint Online |- `contoso.sharepoint.com`<br/>- `contoso-my.sharepoint.com`<br/>- `contoso-files.sharepoint.com` |
|Yammer |<ul><li>www.yammer.com</li><li>yammer.com</li><li>persona.yammer.com</li></ul> | |Yammer |- `www.yammer.com`<br/>- `yammer.com`<br/>- `persona.yammer.com` |
|Outlook Web Access (OWA) |<ul><li>outlook.office.com</li><li>outlook.office365.com</li><li>attachments.office.net</li></ul> | |Outlook Web Access (OWA) |- `outlook.office.com`<br/>- `outlook.office365.com`<br/>- `attachments.office.net` |
|Microsoft Dynamics |contoso.crm.dynamics.com | |Microsoft Dynamics |`contoso.crm.dynamics.com` |
|Visual Studio Online |contoso.visualstudio.com | |Visual Studio Online |`contoso.visualstudio.com` |
|Power BI |contoso.powerbi.com | |Power BI |`contoso.powerbi.com` |
|Microsoft Teams |teams.microsoft.com | |Microsoft Teams |`teams.microsoft.com` |
|Other Office 365 services |<ul><li>tasks.office.com</li><li>protection.office.com</li><li>meet.lync.com</li><li>project.microsoft.com</li></ul> | |Other Office 365 services |- `tasks.office.com`<br/>- `protection.office.com`<br/>- `meet.lync.com`<br/>- `project.microsoft.com` |
You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to add both. You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to add both.
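Review bot: the table header cell in this hunk's context, `(Replace "contoso" with your domain name(s)`, is missing its closing parenthesis, and "Sharepoint Online" in the first row should be "SharePoint Online"; since this hunk already rewrites every row of the table, fold both fixes in. Note also that `- ` bullets separated by `<br/>` inside a table cell render as literal dash-prefixed text rather than a list in most Markdown renderers, which is acceptable only if that plain rendering is what is intended.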
@ -54,7 +54,6 @@ When multiple files are selected from SharePoint Online or OneDrive, the files a
## Recommended Neutral Resources ## Recommended Neutral Resources
We recommended adding these URLs if you use the Neutral Resources network setting with Windows Information Protection (WIP). We recommended adding these URLs if you use the Neutral Resources network setting with Windows Information Protection (WIP).
<ul>
<li>login.microsoftonline.com</li> - `login.microsoftonline.com`
<li>login.windows.net</li> - `login.windows.net`
</ul>
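Review bot: the sentence introducing this list, "We recommended adding these URLs if you use the Neutral Resources network setting", reads as a past-tense typo; "We recommend adding" matches the wording of the first paragraph in this file. The hunk is already converting the `<ul>` below it to Markdown bullets, so include that one-word fix.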

View File

@ -21,7 +21,6 @@ ms.reviewer:
**Applies to:** **Applies to:**
- Windows 10, version 1607 and later - Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
@ -35,8 +34,3 @@ Because Outlook on the web can be used both personally and as part of your organ
>[!NOTE] >[!NOTE]
>These limitations dont apply to Outlook 2016, the Mail for Windows 10 app, or the Calendar for Windows 10 app. These apps will work properly, marking an employees mailbox as corporate data, regardless of how youve configured outlook.office.com in your network settings. >These limitations dont apply to Outlook 2016, the Mail for Windows 10 app, or the Calendar for Windows 10 app. These apps will work properly, marking an employees mailbox as corporate data, regardless of how youve configured outlook.office.com in your network settings.

View File

@ -20,8 +20,7 @@ ms.reviewer:
# Determine the Enterprise Context of an app running in Windows Information Protection (WIP) # Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
**Applies to:** **Applies to:**
- Windows 10, version 1607 and later - Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
@ -53,10 +52,5 @@ The **Enterprise Context** column shows you what each app can do with your enter
- **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components). - **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components).
>**Important**<br>Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials. > [!Important]
> Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials.
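Review bot: the new alert tag `> [!Important]` should be `> [!IMPORTANT]`; the docs alert syntax is uppercase, and the other alerts in this diff use `> [!NOTE]`. The unchanged context line above also has a stray comma in "(such as, system components)" that could be dropped while this block is being touched.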

View File

@ -21,8 +21,7 @@ ms.date: 02/26/2019
# Fine-tune Windows Information Protection (WIP) with WIP Learning # Fine-tune Windows Information Protection (WIP) with WIP Learning
**Applies to:** **Applies to:**
- Windows 10, version 1703 and later - Windows 10, version 1703 and later
- Windows 10 Mobile, version 1703 and later
With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports can be accessed from Microsoft Azure Intune. With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports can be accessed from Microsoft Azure Intune.
@ -32,11 +31,9 @@ In the **Website learning report**, you can view a summary of the devices that h
## Access the WIP Learning reports ## Access the WIP Learning reports
1. Open the [Azure portal](https://portal.azure.com/). 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Click **All services**, type **Intune** in the text box filter, and click the star to add it to **Favorites**. 1. Click **Client apps** > **App protection status** > **Reports**.
1. Click **Intune** > **Client apps** > **App protection status** > **Reports**.
![Image showing the UI path to the WIP report.](images/access-wip-learning-report.png) ![Image showing the UI path to the WIP report.](images/access-wip-learning-report.png)
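Review bot: the screenshot `images/access-wip-learning-report.png` (alt text "UI path to the WIP report") is left unchanged while the steps above it now start from the Microsoft Endpoint Manager admin center instead of the Azure portal and no longer include the **All services** > **Intune** step; verify the image still matches the new path or replace it. Also confirm the `go.microsoft.com/fwlink/?linkid=2109431` redirect resolves to the admin center.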
@ -114,4 +111,4 @@ The information needed for the following steps can be found using Device Health,
When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes) When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
>[!NOTE] >[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

View File

@ -11,7 +11,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 12/16/2021 ms.date: 01/05/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---
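Review bot: `ms.date` moves backward here, from 12/16/2021 to 01/05/2021; this is almost certainly a typo for 01/05/2022, which is the date the other metadata change in this commit uses.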
@ -48,6 +48,6 @@ If success auditing is enabled, an audit entry is generated each time any accoun
> [!NOTE] > [!NOTE]
> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". > On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". This behavior is expected only on later versions of the operating system (Windows 11, Windows Server 2022, and later). On previous versions, 4656 events are not generated during subkey creation.
>
Calls to Registry APIs to access an open key object to perform an operation such as RegSetValue, RegEnumValue, and RegRenameKey would trigger an event to access the object (event 4663). For example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would. > Calls to Registry APIs to access an open key object to perform an operation such as RegSetValue, RegEnumValue, and RegRenameKey would trigger an event to access the object (event 4663). For example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would.
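Review bot: the added sentence "This behavior is expected only on later versions of the operating system (Windows 11, Windows Server 2022, and later). On previous versions, 4656 events are not generated during subkey creation." makes a version-specific claim about when RegCreateKey produces a 4656 with no reference or tested build; add one, since registry-auditing detection rules are tuned on exactly this distinction and the surrounding note (the auditpol subcategory example) does not itself establish it.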

View File

@ -173,7 +173,7 @@ For 4673(S, F): A privileged service was called.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). > **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. Especially monitor Failure events. - Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. See subcategories [Audit Sensitive Privilege Use](/windows/security/threat-protection/auditing/audit-sensitive-privilege-use) and [Audit Non Sensitive Privilege Use](/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use) for more details.
- If you need to monitor events related to specific Windows subsystems (“**Service\\Server**”), for example **NT Local Security Authority / Authentication Service** or **Security Account Manager**, monitor this event for the corresponding “**Service\\Server**.” - If you need to monitor events related to specific Windows subsystems (“**Service\\Server**”), for example **NT Local Security Authority / Authentication Service** or **Security Account Manager**, monitor this event for the corresponding “**Service\\Server**.”
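Review bot: the rewrite of the first bullet drops "Especially monitor Failure events." while adding the subcategory links. A 4673(F) means a caller tried to use a privilege it does not hold, which is the higher-signal case for monitoring; keep that sentence alongside the new links rather than replacing it.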
@ -193,4 +193,4 @@ For 4673(S, F): A privileged service was called.
- If you have a list of specific user rights which should never be used, or used only by a few accounts (for example, SeDebugPrivilege), trigger an alert for those “**Privileges**.” - If you have a list of specific user rights which should never be used, or used only by a few accounts (for example, SeDebugPrivilege), trigger an alert for those “**Privileges**.”
- If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.” - If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.”

View File

@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/19/2017 ms.date: 01/05/2022
ms.technology: windows-sec ms.technology: windows-sec
--- ---
@ -43,6 +43,9 @@ Although it might be appropriate in some organizations to allow users to install
- It is advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting does not affect a user's ability to add a local printer. - It is advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting does not affect a user's ability to add a local printer.
> [!NOTE]
> After applying the [July 6, 2021 updates](https://support.microsoft.com/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7), non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server.
### Location ### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
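Review bot: the two sentences of the added note overlap and are slightly at odds with the bullet above. The first says that after the July 6, 2021 updates non-administrators cannot install signed or unsigned printer drivers to a print server; the second restates that only administrators can, "by default", which implies an override exists but describes none. Either say what the default can be changed to per the linked KB, or drop "By default", and reconcile the bullet above, which still states that Power Users and Server Operators can install printers on servers when the setting is Enabled.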

View File

@ -1,334 +0,0 @@
---
title: Windows 10 Mobile security guide (Windows 10)
description: The most important security features in the Windows 10 Mobile — identity access & control, data protection, malware resistance, and app platform security.
ms.assetid: D51EF508-699E-4A68-A7CD-91D821A97205
ms.reviewer:
manager: dansimp
ms.author: dansimp
keywords: data protection, encryption, malware resistance, smartphone, device, Microsoft Store
ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security, mobile
ms.localizationpriority: medium
author: dulcemontemayor
ms.date: 10/13/2017
ms.technology: windows-sec
---
# Windows 10 Mobile security guide
*Applies to Windows 10 Mobile, version 1511 and Windows Mobile, version 1607*
>This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security.
Smartphones now serve as a primary productivity tool for business workers and, just like desktops or laptops, need to be secured against malware and data theft. Protecting these devices can be challenging due to the wide range of device operating systems and configurations and the fact that many employees use their own personal devices. IT needs to secure corporate assets on every device, but also ensure the privacy of the users personal apps and data.
Windows 10 Mobile addresses these security concerns directly, whether workers are using personal or corporate-owned devices. It uses the same security technologies as the Windows 10 operating system to help protect against known and emerging security threats across the spectrum of attack vectors. These technologies include:
- **Windows Hello for Business** Enhanced identity and access control features ensure that only authorized users can access corporate data and resources. Windows Hello simplifies multifactor authentication (MFA) deployment and use, offering PIN, companion device, and biometric authentication methods.
- **Windows Information Protection** Automatic data separation keeps corporate information from being shared with personal data and apps.
- **Malware resistance** Multi-layered protections built into the device hardware, startup processes, and app platform help reduce the threat of malware that can compromise employee devices.
This guide helps IT administrators better understand the security features in Windows 10 Mobile, which can be used to improve protection against unauthorized access, data leakage, and malware.
**In this article:**
- Windows Hello for Business
- Windows Information Protection
- Malware resistance
## Windows Hello
Windows 10 Mobile includes Windows Hello, a simple, yet powerful, multifactor authentication solution that confirms a users identity before allowing access to corporate confidential information and resources. Multifactor authentication is a more secure alternative to password-based device security. Users dislike having to enter long, complex passwords particularly on a mobile device touch screen that corporate policy requires they change frequently. This leads to poor security practices like password reuse, written down passwords, or weak password creation.
Windows Hello offers a simple, cost-effective way to deploy multifactor authentication across your organization. Unlike smart cards, it does not require public key infrastructure or the implementation of additional hardware. Workers use a PIN, a companion device (like Microsoft Band), or biometrics to validate their identity for accessing corporate resources on their Azure Active Directory (Azure AD) registered Windows 10 Mobile device.
Because Windows Hello is supported across all Windows 10 devices, organizations can uniformly implement multifactor authentication across their environment. Deploying Windows Hello on Windows 10 Mobile devices does require Azure AD (sold separately), but you can use Azure AD Connect to synchronize with your on-premises Active Directory services.
Windows Hello supports iris scan, fingerprint, and facial recognition-based authentication for devices that have biometric sensors.
> [!NOTE]
> When Windows 10 first shipped, it included **Microsoft Passport** and **Windows Hello**, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the **Windows Hello** name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
### <a href="" id="secured-credentials"></a>Secured credentials
Windows Hello eliminates the use of passwords for login, reducing the risk that an attacker will steal and reuse a users credentials. Windows 10 Mobile devices are required to have a Trusted Platform Module (TPM), a microchip that enables advanced security features. The TPM creates encryption keys that are “wrapped” with the TPMs own storage root key, which is itself stored within the TPM to prevent credentials from being compromised. Encryption keys created by the TPM can only be decrypted by the same TPM, which protects the key material from attackers who want to capture and reuse it.
To compromise Windows Hello credentials, an attacker would need access to the physical device, and then find a way to spoof the users biometric identity or guess his or her PIN. All of this would have to be accomplished before TPM brute-force resistance capabilities lock the mobile device, the theft-protection mechanism kicks in, or the user or corporate administrator remotely wipes the device. With TPM-based protection, an attackers window of opportunity for compromising a users credentials is greatly reduced.
### <a href="" id="support-for-biometrics"></a>Support for biometrics
Biometrics help prevent credential theft and make it easier for users to login to their devices. Users always have their biometric identity with them there is nothing to forget, lose, or leave behind. Attackers would need to have both access to the users device and be able to impersonate the users biometric identity to gain access to corporate resources, which is far more difficult than stealing a password.
Windows Hello supports three biometric sensor scenarios:
- **Facial recognition** uses special IR cameras to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major manufacturers are already shipping laptops with integrated facial-recognition technology. Both Surface Pro 4 and Surface Book support this technology.
- **Fingerprint recognition** uses a sensor to scan the users fingerprint. Although fingerprint readers have been available for computers running the Windows operating system for years, the detection, anti-spoofing, and recognition algorithms in Windows 10 are more advanced than in previous Windows versions. Most existing fingerprint readers (whether external to or integrated into laptops or USB keyboards) that support the Windows Biometric Framework will work with Windows Hello.
- **Iris scanning** uses cameras designed to scan the users iris, the colorful and highly detailed portion of the eye. Because the data must be accurate, iris scanning uses a combination of an IR light source and a high-quality camera. Microsoft Lumia 950 and 950 XL devices support this technology.
> [!NOTE]
> Users must create an unlock PIN while they enroll a biometric gesture. The device uses this PIN as a fallback mechanism in situations where it cannot capture the biometric gesture.
All three of these biometric factors face, finger, and iris are unique to an individual. To capture enough data to uniquely identify an individual, a biometric scanner might initially capture images in multiple conditions or with additional details. For example, an iris scanner will capture images of both eyes or both eyes with and without eyeglasses or contact lenses.
Spoofing biometric data is often a big concern in enterprise environments. Microsoft employs several anti-spoofing techniques in Windows 10 Mobile that verify the trustworthiness of the biometric device, as well as guard against intentional collision with stored biometric measurements. These techniques help improve the false-acceptance rate (the rate at which spoofed biometric data is accepted as authentic) while maintaining the overall usability and manageability of MFA.
The biometric image collected at enrollment is converted into an algorithmic form that cannot be converted back into the original image. Only the algorithmic form is kept; the actual biometric image is removed from the device after conversion. Windows 10 Mobile devices both encrypt the algorithmic form of the biometric data and bind the encrypted data to the device, both of which help prevent someone from removing the data from the phone. As a result, the biometric information that Windows Hello uses is a local gesture and doesnt roam among the users devices.
### <a href="" id="companion-devices"></a>Companion devices
A Windows Hello companion device enables a physical device, like a wearable, to serve as a factor for validating the users identity before granting them access to their credentials. For instance, when the user has physical possession of a companion device they can easily, possibly even automatically, unlock their PC and authenticate with apps and websites. This type of device can be useful for smartphones or tablets that dont have integrated biometric sensors or for industries where users need a faster, more convenient sign-in experience, such as retail.
### <a href="" id="standards-based-approach"></a>Standards-based approach
The Fast Identity Online (FIDO) Alliance is a nonprofit organization that works to address the lack of interoperability among strong authentication devices and the problems users face in creating and remembering multiple user names and passwords. FIDO standards help reduce reliance on passwords to authenticate users of online services securely, allowing any business network, app, website, or cloud application to interface with a broad variety of existing and future FIDO-enabled devices and operating system platforms.
In 2014, Microsoft joined the board of the FIDO Alliance. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: password-less (known as UAF) and second factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals that incorporate the best ideas from its U2F and UAF FIDO 1.0 standards. Microsoft has contributed Windows Hello technology to the FIDO 2.0 specification workgroup for review and feedback and continues to work with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for both enterprises and consumers.
## Windows Information Protection
Enterprises have seen huge growth in the convergence of personal and corporate data storage. Personal data is frequently stored on corporate devices and vice versa. This fluidity increases the potential for sensitive corporate data to be accidentally compromised.
Inadvertent disclosure is rapidly becoming the biggest source of confidential data leakage as organizations allow personal devices to access corporate resources. Its easy to imagine that an employee using work email on their personal phone could unintentionally save an attachment containing sensitive company information to personal cloud storage, which could be shared with unauthorized people. This accidental sharing of corporate data is just one example of the challenges common to using mobile devices in the workplace. To prevent this type of data leakage, most solutions require users to login with a separate username and password to a container that stores all corporate apps and data, an experience that degrades user productivity.
Windows 10 Mobile includes Windows Information Protection to transparently keep corporate data secure and personal data private. Because corporate data is always protected, users cannot inadvertently copy it or share it with unauthorized users or apps. Key features include:
- Automatically tag personal and corporate data.
- Protect data while its at rest on local or removable storage.
- Control which apps can access corporate data.
- Control which apps can access a virtual private network (VPN) connection.
- Prevent users from copying corporate data to public locations.
- Help ensure business data is inaccessible when the device is in a locked state.
### <a href="" id="enlightened-apps"></a>Enlightened apps
Third-party data loss protection solutions usually require developers to wrap their apps. However, Windows Information Protection builds this intelligence right into Windows 10 Mobile so most apps require nothing extra to prevent inappropriate corporate data sharing.
Windows Information Protection classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data will be encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or users will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default.
When you do not want all data encrypted by default because it would create a poor user experience developers should consider enlightening apps by adding code and compiling them using the Windows Information Protection application programming interfaces. The most likely candidates for enlightenment are apps that:
- Dont use common controls for saving files.
- Dont use common controls for text boxes.
- Work on personal and enterprise data simultaneously (e.g., contact apps that display personal and enterprise data in a single view or a browser that displays personal and enterprise web pages on tabs within a single instance).
In many cases, most apps dont require enlightenment for them to use Windows Information Protection. Simply adding them to the allow list is the only step you need to take. Line-of-Business (LOB) apps are a good example of where this works well because they only handle corporate data.
**When is app enlightenment required?**
- **Required**
- App needs to work with both personal and enterprise data.
- **Recommended**
  - App handles only corporate data, but needs to modify a file (such as a configuration file) in order to launch, uninstall itself, update, etc. Without enlightenment you wouldn't be able to properly revoke these apps.
- App needs to access enterprise data, while protection under lock is activated.
- **Not required**
- App handles only corporate data
- App handles only personal data
### <a href="" id="companion-devices"></a>Data leakage control
To configure Windows Information Protection in a Mobile Device Management (MDM) solution that supports it, simply add authorized apps to the allow list. When a device running Windows 10 Mobile enrolls in the MDM solution, unauthorized apps will not have access to enterprise data.
Windows Information Protection works seamlessly until users try to open enterprise data with, or paste enterprise data into, unauthorized apps or locations on the web. For example, copying enterprise data from an authorized app to another authorized app works as usual, but Windows Information Protection can block users from copying enterprise data from an authorized app to an unauthorized app. Likewise, it will block users from using an unauthorized app to open a file that contains enterprise data.
The extent to which users will be prevented from copying and pasting data from authorized apps to unauthorized apps or locations on the web depends on which protection level is set:
- **Block.** Windows Information Protection blocks users from completing the operation.
- **Override.** Windows Information Protection notifies users that the operation is inappropriate but allows them to override the policy, although it logs the operation in the audit log.
- **Audit.** Windows Information Protection does not block or notify users but logs the operation in the audit log.
- **Off.** Windows Information Protection does not block or notify users and does not log operations in the audit log.
### <a href="" id="companion-devices"></a>Data separation
Most third-party solutions require an app wrapper that directs enterprise data into a password-protected container and keeps personal data outside the container. Depending on the implementation, this may require two different versions of the same apps to be running on the device: one for personal data and another for enterprise data.
Windows Information Protection provides data separation without requiring a container or special version of an app to access business or personal data. There is no separate login required to see your corporate data or open your corporate applications. Windows Information Protection identifies enterprise data and encrypts it to only enterprise use. Data separation is automatic and seamless.
### <a href="" id="companion-devices"></a>Encryption
Windows 10 Mobile uses device encryption, based on BitLocker technology, to encrypt all internal storage, including operating systems and data storage partitions. The user can activate device encryption, or the IT department can activate and enforce encryption for company-managed devices through MDM tools. When device encryption is turned on, all data stored on the phone is encrypted automatically. A Windows 10 Mobile device with encryption turned on helps protect the confidentiality of data stored even if the device is lost or stolen. The combination of Windows Hello lock and data encryption makes it extremely difficult for an unauthorized party to retrieve sensitive information from the device.
You can customize how device encryption works to meet your unique security requirements. Device encryption even enables you to define your own cipher suite. For example, you can specify the algorithm and key size that Windows 10 Mobile uses for data encryption, which Transport Layer Security (TLS) cipher suites are permitted, and whether Federal Information Processing Standard (FIPS) policy is enabled. The list below shows the policies you can change to customize device encryption on Windows 10 Mobile devices.
- Cryptography
  - Allow FIPS Algorithm: This policy enables or disables the FIPS policy. A restart is needed to enforce this policy. The default value is disabled.
- TLS Cipher Suite: This policy contains a list of the cryptographic cipher algorithms allowed for Secure Sockets Layer connections.
- BitLocker
- Encryption Method: Configures the BitLocker Drive Encryption Method and cipher strength. The default value is AES-CBC 128-bit. If the device cannot use the value specified, it will use another one.
To help make the device even more secure against outside interference, Windows 10 Mobile also now includes protection under lock. That means that encryption keys are removed from memory whenever a device is locked. Apps are unable to access sensitive data while the device is in a locked state, so hackers and malware have no way to find and co-opt keys. Everything is locked up tight with the TPM until the user unlocks the device with Windows Hello.
### <a href="" id="companion-devices"></a>Government Certifications
Windows 10 Mobile supports both [FIPS 140 standards](http://csrc.nist.gov/groups/STM/cavp/validation.html) for cryptography and [Common Criteria](https://www.niap-ccevs.org/Product/Compliant.cfm?pid=10694). The FIPS 140 certification validates the effectiveness of the cryptographic algorithms used in Windows 10 Mobile. Microsoft has also received Common Criteria certification for Windows 10 Mobile running on Lumia 950, 950 XL, 550, 635, as well as Surface Pro 4, giving customers assurance that security functionality is implemented properly.
## Malware resistance
The best way to fight malware is prevention. Windows 10 Mobile provides strong malware resistance through secured hardware, startup process defenses, core operating system architecture, and application-level protections.
The table below outlines how Windows 10 Mobile mitigates specific malware threats.
|Threat|Windows 10 Mobile mitigation|
|--- |--- |
|Firmware bootkits replace the firmware with malware.|All certified devices include Unified Extensible Firmware Interface (UEFI) with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs.|
|Bootkits start malware before Windows starts.|UEFI with Secure Boot verifies Windows bootloader integrity to help ensure that no malicious operating system can start before Windows.|
|System or driver rootkits (typically malicious software that hides from the operating system) start kernel-level malware while Windows is starting, before antimalware solutions can start.|Windows Trusted Boot verifies Windows boot components, including Microsoft drivers. Measured Boot runs in parallel with Trusted Boot and can provide information to a remote server that verifies the boot state of the device to help ensure that Trusted Boot and other boot components successfully checked the system.|
|An app infects other apps or the operating system with malware.|All Windows 10 Mobile apps run inside an AppContainer that isolates them from all other processes and sensitive operating system components. Apps cannot access any resources outside their AppContainer.|
|An unauthorized app or malware attempts to start on the device.|All Windows 10 Mobile apps must come from Microsoft Store or Microsoft Store for Business. Device Guard enforces administrative policies to select exactly which apps are allowed to run.|
|User-level malware exploits a vulnerability in the system or an application and owns the device.|Improvements to address space layout randomization (ASLR), Data Execution Prevention (DEP), the heap architecture, and memory-management algorithms reduce the likelihood that vulnerabilities can enable successful exploits.<p>Protected Processes isolates non-trusted processes from each other and from sensitive operating system components.|
|Users access a dangerous website without knowledge of the risk.|The Windows Defender SmartScreen URL Reputation feature prevents users from going to a malicious website that may try to exploit the browser and take control of the device.|
|Malware exploits a vulnerability in a browser add-on.|Microsoft Edge is an app built on the Universal Windows Platform (UWP) that does not run legacy binary extensions, including Microsoft ActiveX and browser helper objects frequently used for toolbars, which eliminates these risks.|
|A website that includes malicious code exploits a vulnerability in the web browser to run malware on the client device.|Microsoft Edge includes Enhanced Protected Mode, which uses AppContainer-based sandboxing to help protect the system against vulnerabilities that an attacker may discover in the extensions running in the browser (for example, Adobe Flash, Java) or the browser itself.|
> [!NOTE]
> The Windows 10 Mobile devices use a System on a Chip (SoC) design provided by SoC vendors such as Qualcomm. With this architecture, the SoC vendor and device manufacturers provide the pre-UEFI bootloaders and the UEFI environment. The UEFI environment implements the UEFI Secure Boot standard described in section 27 of the UEFI specification, which can be found at [www.uefi.org/specs](http://www.uefi.org/specs). This standard describes the process by which all UEFI drivers and applications are validated against keys provisioned into a UEFI-based device before they are executed.
### <a href="" id="companion-devices"></a>UEFI with Secure Boot
When a Windows 10 Mobile device starts, it begins the process of loading the operating system by locating the bootloader in the device's storage system. Without safeguards in place, the phone might simply hand control over to the bootloader without even determining whether it's a trusted operating system or malware.
UEFI is a standards-based solution that offers a modern-day replacement for the BIOS. In fact, it provides the same functionality as BIOS while adding security features and other advanced capabilities. Like BIOS, UEFI initializes devices, but UEFI components with the Secure Boot feature (version 2.3.1 or later) also help to ensure that only trusted firmware in Option ROMs, UEFI apps, and operating system bootloaders can start on the mobile phone.
UEFI can run internal integrity checks that verify the firmware's digital signature before running it. Because only the mobile phone's manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI has protection against firmware-based malware that loads before Windows 10 Mobile and tries to hide its malicious behavior from the operating system. Firmware-based malware of this nature is typically called a bootkit.
When a mobile device with UEFI and Secure Boot starts, the UEFI firmware verifies the bootloader's digital signature to verify that no one has modified it after it was digitally signed. The firmware also verifies that a trusted authority issued the bootloader's digital signature. This check helps to ensure that the system starts only after checking that the bootloader is both trusted and unmodified since signing.
All Windows 10 Mobile devices always have Secure Boot enabled. In addition, they trust only the Windows operating system signature. Neither Windows 10 Mobile, apps, nor even malware can change the UEFI configuration. For more information about UEFI with Secure Boot, read [Protecting the pre-OS environment with UEFI](https://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx).
### <a href="" id="companion-devices"></a>Trusted Platform Module
A Trusted Platform Module (TPM) is a tamper-resistant cryptographic module that enhances the security and privacy of computing platforms. The TPM is incorporated as a component in a trusted computing platform like a PC, tablet, or smartphone. A trusted computing platform is specially designed to work with the TPM to support privacy and security scenarios that software alone cannot achieve. A TPM is required to receive Windows 10 Mobile device hardware certification.
A proper implementation of a TPM as part of a trusted computing platform provides a hardware root of trust, meaning that the hardware behaves in a trusted way. For example, if you create a key in a TPM with the property that no one can export that key from the TPM, the key absolutely cannot leave the TPM. The close integration of a TPM with a platform increases the transparency of the boot process and supports device health scenarios by enabling a reliable report of the software used to start a platform.
The following list describes key functionality that a TPM provides in Windows 10 Mobile:
- **Managing cryptographic keys.** A TPM can create, store, and permit the use of keys in defined ways. Windows 10 Mobile uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and various other keys.
- **Safeguarding and reporting integrity measurements.** Windows 10 Mobile uses the TPM to record and help protect integrity-related measurements of select hardware and Windows boot components for the Measured Boot feature. In this scenario, Measured Boot measures each component from firmware up through the drivers and then stores those measurements in the device's TPM. From here, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 Mobile device.
- **Proving a TPM is really a TPM.** Managing cryptographic keys and measuring integrity are so central to protecting privacy and security that a TPM must differentiate itself from malware masquerading as a TPM.
Windows 10 Mobile supports TPM implementations that comply with the 2.0 standard. The TPM 2.0 standard includes several improvements that make it superior to the 1.2 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. When the TPM 1.2 standard appeared in the early 2000s, the security community considered these algorithms cryptographically strong. Since then, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. TPM 2.0 supports additional algorithms that offer stronger cryptographic protection, as well as the ability to plug in algorithms that certain geographies or industries may prefer. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself.
Many assume that original equipment manufacturers (OEMs) must implant a TPM in hardware on a motherboard as a discrete module, but TPM can also be effective when implemented in firmware. Windows 10 Mobile supports only firmware TPM that complies with the 2.0 standard. Windows does not differentiate between discrete and firmware-based solutions because both must meet the same implementation and security requirements. Therefore, any Windows 10 feature that can take advantage of TPM can be used with Windows 10 Mobile.
> [!NOTE]
> Microsoft requires TPM 2.0 on devices running any version of Windows 10 Mobile. For more information, see [minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview).
Several Windows 10 Mobile security features require TPM:
- Virtual smart cards
- Measured Boot
- Health attestation (requires TPM 2.0 or later)
Still other features will use the TPM if it is available. For example, Windows Hello does not require TPM but uses it if it's available. Organizations can configure policy to require TPM for Windows Hello.
### <a href="" id="companion-devices"></a>Biometrics
Windows 10 Mobile makes biometrics a core security feature. Microsoft has fully integrated biometrics into the Windows 10 Mobile security components, not just tacked it on top of the platform (as was the case in previous versions of Windows). This is a big change. Earlier biometric implementations were largely front-end methods that simplified authentication. Under the hood, the system used biometrics to access a password, which it then used for authentication behind the scenes. Biometrics may have provided convenience, but not necessarily enterprise-grade authentication.
Microsoft has been evangelizing the importance of enterprise-grade biometric sensors to the OEMs that create Windows 10 Mobile devices. These facial-recognition and iris-scanning sensors are fully supported by Windows Hello.
In the future, Microsoft expects OEMs to produce even more advanced enterprise-grade biometric sensors and to continue integrating them into mobile devices. As a result, biometrics will become a commonplace authentication method as part of an MFA system.
### <a href="" id="trusted-boot"></a>Trusted Boot
UEFI with Secure Boot uses hardware technologies to help protect users from bootkits. Secure Boot can validate the integrity of the device, firmware, and bootloader. After the bootloader launches, users must rely on the operating system to protect the integrity of the remainder of the system.
When UEFI with Secure Boot verifies that it trusts the bootloader and starts Windows 10 Mobile, the Windows Trusted Boot feature protects the rest of the startup process by verifying that all Windows startup components are trustworthy (e.g., signed by a trusted source) and have integrity. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, and startup files.
### <a href="" id="measured-boot"></a>Measured Boot
In earlier versions of Windows, the biggest challenge with rootkits and bootkits was that they could frequently be undetectable to the client. Because they often started before Windows defenses and the antimalware solution, and because they had system-level privileges, rootkits and bootkits could completely disguise themselves while continuing to access system resources. Although UEFI with Secure Boot and Trusted Boot could prevent most rootkits and bootkits, intruders could still potentially exploit a few attack vectors (e.g., if someone compromised the signature used to sign a boot component, such as a non-Microsoft driver, and used it to sign a malicious one).
Windows 10 Mobile implements the Measured Boot feature, which uses the TPM hardware component to record a series of measurements for critical startup-related components, including firmware, Windows boot components, and drivers. Because Measured Boot uses the hardware-based security capabilities of TPM, which isolates and protects the measurement data against malware attacks, the log data is well protected against even sophisticated attacks.
Measured Boot focuses on acquiring the measurement data and protecting it against tampering. To provide more complete security, it must be coupled with a service that can analyze the data to determine device health.
### <a href="" id="device-health-attestation"></a>Device Health Attestation
Device Health Attestation (DHA) is a new feature in Windows 10 Mobile that helps prevent low-level malware infections. DHA uses a device's TPM and firmware to measure the critical security properties of the device's BIOS and Windows startup processes. These measurements are made in such a way that even on a system infected with kernel-level malware or a rootkit, an attacker is unlikely to spoof the properties.
You can use DHA with Microsoft Intune (sold separately) or a third-party MDM solution to combine hardware-measured security properties with other device properties and gain an overall view of the device's health and compliance state. This integration can be useful in a variety of scenarios, including detecting jailbroken devices, monitoring device compliance, generating compliance reports, alerting users or administrators, initiating corrective action on the device, and managing conditional access to resources such as Office 365.
The example that follows shows how Windows 10 protective measures integrate and work with Intune and third-party MDM solutions. It demonstrates how the phone security architecture in Windows 10 Mobile can help you monitor and verify compliance and how the security and trust rooted in the device hardware can protect end-to-end corporate resources.
When a user turns a phone on:
1. The Secure Boot feature in Windows 10 Mobile helps protect the startup sequence, allows the device to boot into a defined and trusted configuration, and loads a factory-trusted boot loader.
2. Windows 10 Mobile Trusted Boot takes control when the Secure Boot process is complete, verifying the digital signature of the Windows kernel and the components that are loaded and executed during the startup process.
3. In parallel to steps 1 and 2, the phone's TPM runs independently in a hardware-protected security zone (isolated from the boot execution path, which monitors boot activities). It creates a protected, tamper-evident audit trail, signed with a secret that only the TPM can access.
4. Devices that are DHA-enabled send a copy of this audit trail to the Microsoft Health Attestation service (HAS) in a protected, tamper-resistant, and tamper-evident communication channel.
5. HAS reviews the audit trails, issues an encrypted and signed report, and forwards it to the device.
6. From your DHA-enabled MDM solution, you can review the report in a protected, tamper-resistant, and tamper-evident communication channel to assess whether the device is running in a compliant (healthy) state, allow access, or trigger corrective action aligned with the organization's security needs and policies.
Because this solution can detect and prevent low-level malware that may be extremely difficult to detect any other way, Microsoft recommends that you consider implementing a DHA-enabled MDM system like Intune. It can take advantage of the Windows 10 Mobile cloud-based health attestation server feature to detect and block devices infected with advanced malware.
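The Measured Boot and DHA flow above, as an added example that is not part of the original guide: a simulated TPM extends a PCR for each boot component and keeps an event log, a stand-in health attestation service replays the log against the quoted PCR and checks each measurement against a known-good list, and the MDM turns the report into an access decision. Component names, component images, the nonce, and the HMAC-keyed quote standing in for a TPM's asymmetric attestation signature are all constructed assumptions, not values from the real service.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed stand-in for the key a real TPM holds. A real TPM signs the quote with an
# asymmetric attestation key that never leaves the TPM; a keyed HMAC is used here only so
# that the example runs offline without a TPM.
TPM_ATTESTATION_SECRET = b"constructed-tpm-attestation-secret"
PCR_INITIAL = b"\x00" * 32  # PCRs start at all zeros at power-on

# Constructed boot component images for a clean device, in boot order.
GOOD_IMAGES = {
    "uefi-firmware": b"constructed firmware image v1",
    "bootmgr": b"constructed windows boot manager",
    "ntoskrnl": b"constructed windows kernel",
    "oem-boot-driver": b"constructed oem boot driver",
}
# What the attestation service holds: known-good SHA-256 measurements per component.
KNOWN_GOOD = {name: hashlib.sha256(img).hexdigest() for name, img in GOOD_IMAGES.items()}
# Same device, but the OEM boot driver has been replaced (constructed infected image).
INFECTED_IMAGES = dict(GOOD_IMAGES, **{"oem-boot-driver": b"constructed oem boot driver with bootkit"})


@dataclass
class SimulatedTpm:
    """Minimal model of the TPM behaviour Measured Boot relies on."""
    pcr: bytes = PCR_INITIAL
    event_log: list = field(default_factory=list)

    def extend(self, component: str, image: bytes) -> None:
        # PCR extend is one-way: PCR = SHA256(PCR || measurement). The log records what was
        # measured; the PCR itself can only be advanced, never rewritten, by software.
        measurement = hashlib.sha256(image).digest()
        self.event_log.append({"component": component, "measurement": measurement.hex()})
        self.pcr = hashlib.sha256(self.pcr + measurement).digest()

    def quote(self, nonce: bytes) -> dict:
        # The quote binds the PCR value and a verifier-supplied nonce under the TPM key,
        # so the service can distinguish a fresh measurement from a replayed one.
        mac = hmac.new(TPM_ATTESTATION_SECRET, self.pcr + nonce, hashlib.sha256).hexdigest()
        return {"pcr": self.pcr.hex(), "nonce": nonce.hex(), "signature": mac}


def replay_log(event_log: list) -> bytes:
    """Recompute the PCR value that this event log, taken at face value, would produce."""
    pcr = PCR_INITIAL
    for event in event_log:
        pcr = hashlib.sha256(pcr + bytes.fromhex(event["measurement"])).digest()
    return pcr


def attest(event_log: list, quote: dict, expected_nonce: bytes) -> dict:
    """Role of the Health Attestation Service: verify the quote, replay the log, classify components."""
    pcr = bytes.fromhex(quote["pcr"])
    expected_mac = hmac.new(TPM_ATTESTATION_SECRET, pcr + expected_nonce, hashlib.sha256).hexdigest()
    if quote["nonce"] != expected_nonce.hex() or not hmac.compare_digest(expected_mac, quote["signature"]):
        return {"healthy": False, "reason": "quote signature or nonce invalid"}
    if replay_log(event_log) != pcr:
        # The log was edited after the TPM recorded the measurements; the PCR gives it away.
        return {"healthy": False, "reason": "event log does not reproduce quoted PCR"}
    unknown = [e["component"] for e in event_log if KNOWN_GOOD.get(e["component"]) != e["measurement"]]
    if unknown:
        return {"healthy": False, "reason": "unrecognized boot components", "components": unknown}
    return {"healthy": True, "reason": "all boot components match known-good measurements"}


def mdm_decision(report: dict) -> str:
    """Role of the MDM: turn the signed health report into an access decision."""
    return "allow" if report["healthy"] else "block-and-remediate"


def run_scenario(images: dict, tamper_log: bool = False) -> dict:
    """Boot a simulated device from the given images and attest it end to end."""
    tpm = SimulatedTpm()
    for component, image in images.items():
        tpm.extend(component, image)
    nonce = b"constructed-has-nonce"  # would be issued by the service per request
    log = json.loads(json.dumps(tpm.event_log))  # copy, as it would travel to the service
    if tamper_log:
        # Malware rewriting the log so that the original driver appears to have loaded.
        log[-1]["measurement"] = KNOWN_GOOD["oem-boot-driver"]
    report = attest(log, tpm.quote(nonce), nonce)
    report["decision"] = mdm_decision(report)
    return report


if __name__ == "__main__":
    print("clean boot:       ", run_scenario(GOOD_IMAGES))
    print("modified driver:  ", run_scenario(INFECTED_IMAGES))
    print("plus edited log:  ", run_scenario(INFECTED_IMAGES, tamper_log=True))
```

The third scenario is the case Measured Boot exists for: software can rewrite the log it sends, but it cannot rewrite the PCR the TPM quotes, so the edit is detected by replay.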
### <a href="" id="device-guard"></a>Device Guard
Device Guard is a feature set that consists of both hardware and software system integrity-hardening features. These features revolutionize Windows operating system security by moving the entire operating system to a trust-nothing model.
All apps on Windows 10 Mobile must be digitally signed and come from Microsoft Store or a trusted enterprise store. Device Guard implements policies that further restrict this. By default, Device Guard supports all apps from Microsoft Store. You can create policies that define the apps that can and cannot run on the Windows 10 Mobile device. If the app does not have a digital signature, is prevented by policy, or does not come from a trusted store, it will not run on Windows 10 Mobile.
Advanced hardware features, described above, drive these security offerings. By integrating these hardware features further into the core operating system, Windows 10 Mobile can use them in new ways. To deliver this additional security, Device Guard requires UEFI with Secure Boot.
### <a href="" id="address-space-layout-randomaization"></a>Address Space Layout Randomization
One of the most common techniques used by attackers to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data reside, and overwrite that information with a malicious payload. In the early days of operating systems, any malware that could write directly to the system memory could do such a thing; the malware would simply overwrite system memory in well-known and predictable locations.
Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. The below diagram illustrates how ASLR works, showing how the locations of different critical Windows components can change in memory between restarts.
![figure 3.](images/mobile-security-guide-figure3.png)
Microsoft has substantively improved the ASLR implementation in Windows 10 Mobile over previous versions, applying it across the entire system rather than only in specific apps. With 64-bit system and application processes that can take advantage of a vastly increased memory space, it is even more difficult for malware to predict where Windows 10 Mobile stores vital data. When used on systems that have TPMs, ASLR memory randomization becomes increasingly unique across devices, adding additional degrees of difficulty for repurposing successful exploits to another system.
### <a href="" id="data-execution-prevention"></a>Data Execution Prevention
Malware depends on its ability to insert a malicious payload into memory with the hope that an unsuspecting user will execute it later. While ASLR makes that more difficult, Windows 10 Mobile extends that protection to prevent malware from running if written to an area that you have allocated solely for the storage of information. Data Execution Prevention (DEP) substantially reduces the range of memory that malicious code can use for its benefit. DEP uses the **No execute** bit on modern CPUs to mark blocks of memory as non-executable so that malware can't use those blocks to execute malicious code. All Windows 10 and Windows 10 Mobile devices support DEP.
### <a href="" id="companion-devices"></a>Windows heap
The heap is a location in memory that Windows uses to store dynamic application data. Microsoft continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that an attacker could use.
Windows 10 Mobile has made several important improvements to the security of the heap over previous versions of Windows:
- Internal data structures that the heap uses are better protected against memory corruption.
- Heap memory allocations have randomized locations and sizes, making it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 Mobile adds a random offset to the address of a newly allocated heap, making the allocation much less predictable.
- Windows 10 Mobile uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 Mobile responds by instantly terminating the app.
### <a href="" id="memeory-reservation"></a>Memory reservations
Microsoft reserves the lowest 64 KB of process memory for the operating system. Apps are no longer allowed to allocate that portion of the memory, making it more difficult for malware to overwrite critical system data structures in memory.
### <a href="" id="control-flow-guard"></a>Control Flow Guard
When Windows loads applications into memory, it allocates space to those applications based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls additional code located in other memory addresses. The relationships among the code locations are well known; they are written in the code itself. However, until Windows 10 Mobile, the operating system didn't enforce the flow among these locations, giving attackers the opportunity to change the flow to meet their needs. In other words, an application exploit takes advantage of this behavior by running code that the application may not typically run.
Windows 10 Mobile mitigates this kind of threat through Control Flow Guard (CFG). When a trusted application that its creator compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If CFG doesn't trust the location, it immediately terminates the application as a potential security risk.
You cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when he or she compiles the application. Because browsers are a key entry point for attacks, Microsoft Edge takes full advantage of CFG.
### <a href="" id="protected-processes"></a>Protected Processes
Unfortunately, no device is immune to malware. Despite all the best preventative controls, malware can eventually find a way to infect any operating system or hardware platform. So, although prevention with a defense-in-depth strategy is important, additional malware controls are required.
If malware is running on a system, you need to limit what it can do. Protected Processes prevents untrusted processes from tampering with those that have been specially signed. Protected Processes defines levels of trust for processes: it prevents less trusted processes from interacting with, and therefore attacking, more trusted processes. Windows 10 Mobile uses Protected Processes broadly throughout the operating system.
### <a href="" id="appcontainer"></a>AppContainer
The Windows 10 Mobile security model is based on the principle of least privilege and uses isolation to achieve it. Every app, and even portions of the operating system itself, runs inside its own isolated sandbox called an AppContainer, a secured isolation boundary within which an app and its processes can run. Each AppContainer is defined and implemented through a security policy.
The security policy of a specific AppContainer defines the operating system capabilities that apps have access to from within the AppContainer, such as geographical location information, camera, microphone, networking, or sensors.
A set of default permissions is granted to all AppContainers, including access to a unique, isolated storage location. Access to other capabilities can be declared within the app code itself. Unlike traditional desktop applications, access to additional capabilities and privileges cannot be requested at run time.
The AppContainer concept is advantageous because it provides:
- **Attack surface reduction.** Apps can access only those capabilities that are declared in the application code and needed to perform their functions.
- **User consent and control.** Capabilities that apps use are automatically published to the app details page in the Microsoft Store. App access to capabilities that may expose sensitive information automatically prompts the user to acknowledge and provide consent.
- **App isolation.** Communication between Windows apps is tightly controlled. Apps are isolated from one another and can communicate only by using predefined communication channels and data types.
Apps receive the minimal privileges they need to perform their legitimate tasks. This means that even if a malicious attacker exploits an app, the potential damage is limited because the app cannot elevate its privileges and is contained within its AppContainer. Microsoft Store displays the permissions that the app requires along with the app's age rating and publisher.
The combination of Device Guard and AppContainer helps to prevent unauthorized apps from running. In the event malware slips into the app ecosystem, the AppContainer helps to constrain the app and limit potential damage. The Windows 10 Mobile trust-nothing model doesn't assume that any component is perfect. However, potential vulnerabilities in apps, AppContainers, and Windows 10 Mobile itself could give an attacker a chance to compromise a system. For this reason, redundant vulnerability mitigations are needed. The next several topics describe some of the redundant mitigations in Windows 10 Mobile.
### <a href="" id="microsoft-edge"></a>Microsoft Edge
The web browser is a critical component of any security strategy. It is the user's interface to the Internet, an environment teeming with malicious sites and potentially dangerous content. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the number one pathway from which malicious hackers initiate their attacks.
Windows 10 Mobile includes Microsoft Edge, an entirely new web browser that goes beyond browsing with features like Reading View. Microsoft Edge is more secure than previous Microsoft web browsers in several ways:
- **Microsoft Edge on Windows 10 Mobile does not support extensions.** Microsoft Edge has built-in PDF viewing capability.
- **Microsoft Edge is designed as a UWP app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps.
- **Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, fewer security settings are required. In addition, Microsoft established Microsoft Edge default settings that align with security best practices, making it more secure by design.
## Summary
Windows 10 Mobile provides security on personal and corporate-owned devices to protect against unauthorized access, data leakage, and malware threats. All of the features covered in this paper (multifactor authentication, data separation, and malware resistance) are seamlessly incorporated into the operating system. This means enterprises are protected without compromising the productivity and ease of use that drives users to bring mobile devices into the workplace.
## Revision History
November 2015: Updated for Windows 10 Mobile (version 1511)
July 2016: Updated for Windows 10 Mobile Anniversary Update (version 1607)