Merge branch 'do_docs' of https://github.com/cmknox/windows-docs-pr into do_docs

This commit is contained in:
[cmknox] 2024-10-16 11:45:45 -06:00
commit f25eddb2a9
526 changed files with 14969 additions and 9933 deletions

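--- a/.github/workflows/Stale.yml
+++ b/.github/workflows/Stale.yml
@@ -0,0 +1,19 @@
+name: (Scheduled) Mark stale pull requests
+permissions:
+issues: write
+pull-requests: write
+on:
+schedule:
+- cron: "0 */6 * * *"
+workflow_dispatch:
+jobs:
+stale:
+uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-Stale.yml@workflows-prod
+with:
+RunDebug: false
+RepoVisibility: ${{ github.repository_visibility }}
+secrets:
+AccessToken: ${{ secrets.GITHUB_TOKEN }}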
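Review bot: The reusable workflow at `uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-Stale.yml@workflows-prod` is referenced by a mutable branch name while the job is granted `issues: write` and `pull-requests: write` and is handed `secrets.GITHUB_TOKEN`, so any change pushed to that branch in the other repository runs here with those permissions without a review on this side. Pinning the reference to a full commit SHA, `uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-Stale.yml@<commit-sha>` (placeholder for the reviewed revision), and bumping it deliberately keeps that trust bounded to a known version. Because the rendering drops the file's YAML indentation, I can't confirm from this view which keys nest under `with:` and `secrets:`, so it's worth checking that `RunDebug`, `RepoVisibility` and `AccessToken` sit at the intended level in the committed file.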


@ -251,7 +251,6 @@
".openpublishing.redirection.browsers.json",
".openpublishing.redirection.education.json",
".openpublishing.redirection.json",
".openpublishing.redirection.store-for-business.json",
".openpublishing.redirection.windows-application-management.json",
".openpublishing.redirection.windows-client-management.json",
".openpublishing.redirection.windows-configuration.json",


@ -11492,12 +11492,12 @@
},
{
"source_path": "windows/plan/windows-10-deployment-considerations.md",
"redirect_url": "/windows/deployment/planning/windows-10-deployment-considerations",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/planning/windows-10-deployment-considerations",
"redirect_document_id": false
},
{
"source_path": "windows/plan/windows-10-enterprise-faq-itpro.md",
"redirect_url": "/windows/deployment/planning/windows-10-enterprise-faq-itpro",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/planning/windows-10-enterprise-faq-itpro",
"redirect_document_id": false
},
{
@ -11507,7 +11507,7 @@
},
{
"source_path": "windows/plan/windows-10-infrastructure-requirements.md",
"redirect_url": "/windows/deployment/planning/windows-10-infrastructure-requirements",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/planning/windows-10-infrastructure-requirements",
"redirect_document_id": false
},
{


@ -1,299 +0,0 @@
{
"redirections": [
{
"source_path": "store-for-business/acquire-apps-windows-store-for-business.md",
"redirect_url": "/microsoft-store/acquire-apps-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/add-unsigned-app-to-code-integrity-policy.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control",
"redirect_document_id": false
},
{
"source_path": "store-for-business/app-inventory-managemement-windows-store-for-business.md",
"redirect_url": "/microsoft-store/app-inventory-management-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/app-inventory-management-windows-store-for-business.md",
"redirect_url": "/microsoft-store/app-inventory-management-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/apps-in-windows-store-for-business.md",
"redirect_url": "/microsoft-store/apps-in-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/configure-mdm-provider-windows-store-for-business.md",
"redirect_url": "/microsoft-store/configure-mdm-provider-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/device-guard-signing-portal.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md",
"redirect_url": "/microsoft-store/distribute-apps-to-your-employees-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-apps-windows-store-for-business-overview.md",
"redirect_url": "/microsoft-store/manage-apps-microsoft-store-for-business-overview",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-mpsa-software-microsoft-store-for-business.md",
"redirect_url": "/microsoft-store/index",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-orders-windows-store-for-business.md",
"redirect_url": "/microsoft-store/manage-orders-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-settings-windows-store-for-business.md",
"redirect_url": "/microsoft-store/manage-settings-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-users-and-groups-windows-store-for-business.md",
"redirect_url": "/microsoft-store/manage-users-and-groups-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/prerequisites-windows-store-for-business.md",
"redirect_url": "/microsoft-store/prerequisites-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/roles-and-permissions-windows-store-for-business.md",
"redirect_url": "/microsoft-store/roles-and-permissions-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/settings-reference-windows-store-for-business.md",
"redirect_url": "/microsoft-store/settings-reference-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/sign-code-integrity-policy-with-device-guard-signing.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering",
"redirect_document_id": false
},
{
"source_path": "store-for-business/sign-up-microsoft-store-for-business.md",
"redirect_url": "/microsoft-store",
"redirect_document_id": false
},
{
"source_path": "store-for-business/sign-up-windows-store-for-business-overview.md",
"redirect_url": "/microsoft-store/sign-up-microsoft-store-for-business-overview",
"redirect_document_id": false
},
{
"source_path": "store-for-business/sign-up-windows-store-for-business.md",
"redirect_url": "/microsoft-store/index",
"redirect_document_id": false
},
{
"source_path": "store-for-business/troubleshoot-windows-store-for-business.md",
"redirect_url": "/microsoft-store/troubleshoot-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/update-windows-store-for-business-account-settings.md",
"redirect_url": "/microsoft-store/update-microsoft-store-for-business-account-settings",
"redirect_document_id": false
},
{
"source_path": "store-for-business/windows-store-for-business-overview.md",
"redirect_url": "/microsoft-store/microsoft-store-for-business-overview",
"redirect_document_id": false
},
{
"source_path": "store-for-business/work-with-partner-microsoft-store-business.md",
"redirect_url": "/microsoft-365/commerce/manage-partners",
"redirect_document_id": false
},
{
"source_path": "store-for-business/acquire-apps-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/add-profile-to-devices.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/app-inventory-management-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/apps-in-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/assign-apps-to-employees.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/billing-payments-overview.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/billing-profile.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/billing-understand-your-invoice-msfb.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/configure-mdm-provider-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/distribute-apps-from-your-private-store.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/distribute-apps-with-management-tool.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/distribute-offline-apps.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/find-and-acquire-apps-overview.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/index.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-access-to-private-store.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-apps-microsoft-store-for-business-overview.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-orders-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-private-store-settings.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-settings-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/manage-users-and-groups-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/microsoft-store-for-business-education-powershell-module.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/microsoft-store-for-business-overview.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/notifications-microsoft-store-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/payment-methods.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/prerequisites-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/release-history-microsoft-store-business-education.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/roles-and-permissions-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/settings-reference-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/sfb-change-history.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/sign-up-microsoft-store-for-business-overview.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/troubleshoot-microsoft-store-for-business.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/update-microsoft-store-for-business-account-settings.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/whats-new-microsoft-store-business-education.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
},
{
"source_path": "store-for-business/working-with-line-of-business-apps.md",
"redirect_url": "/microsoft-365/admin/",
"redirect_document_id": false
}
]
}


@ -1595,6 +1595,51 @@
"redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-update-policies",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md",
"redirect_url": "/windows/deployment/windows-autopatch/prepare/windows-autopatch-feature-activation",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md",
"redirect_url": "/windows/deployment/windows-autopatch/prepare/windows-autopatch-feature-activation",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-autopatch/manage/windows-autopatch-manage-windows-feature-update-releases.md",
"redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/update/deployment-service-overview.md",
"redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-overview",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/update/deployment-service-prerequisites.md",
"redirect_url": "/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/update/deployment-service-feature-updates.md",
"redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-programmatic-controls",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/update/deployment-service-expedited-updates.md",
"redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/update/deployment-service-drivers.md",
"redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/update/deployment-service-troubleshoot.md",
"redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-troubleshoot-programmatic-controls",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/update/PSFxWhitepaper.md",
"redirect_url": "/windows/deployment/update/forward-reverse-differentials",
@ -1604,6 +1649,21 @@
"source_path": "windows/deployment/upgrade/windows-10-upgrade-paths.md",
"redirect_url": "/windows/deployment/upgrade/windows-upgrade-paths",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/windows-10-infrastructure-requirements.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/planning/windows-10-infrastructure-requirements",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/windows-10-enterprise-faq-itpro.yml",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/planning/windows-10-enterprise-faq-itpro",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/windows-10-deployment-considerations.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/planning/windows-10-deployment-considerations",
"redirect_document_id": false
}
]
}



@ -1,7 +1,7 @@
---
title: Configure Take a Test in kiosk mode
description: Learn how to configure Windows to execute the Take a Test app in kiosk mode, using Intune and provisioning packages.
ms.date: 11/08/2023
ms.date: 09/06/2024
ms.topic: how-to
---
@ -26,7 +26,7 @@ The other options allow you to configure Take a Test in kiosk mode using a local
Follow the instructions below to configure your devices, selecting the option that best suits your needs.
# [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
# [:::image type="icon" source="images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
You can use Intune for Education or a custom profile in Microsoft Intune:


@ -12,22 +12,16 @@ metadata:
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.date: 07/22/2024
ms.date: 10/10/2024
highlightedContent:
items:
- title: Get started with Windows 11 SE
itemType: get-started
url: windows-11-se-overview.md
- title: Windows 11, version 23H2
- title: Windows 11, version 24H2
itemType: whats-new
url: /windows/whats-new/whats-new-windows-11-version-23h2
url: /windows/whats-new/whats-new-windows-11-version-24h2
- title: Explore all Windows trainings and learning paths for IT pros
itemType: learn
url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator
- title: Deploy applications to Windows 11 SE with Intune
itemType: how-to-guide
url: /education/windows/tutorial-deploy-apps-winse
productDirectory:
title: Get started


@ -1,7 +1,7 @@
---
title: Take a Test app technical reference
description: List of policies and settings applied by the Take a Test app.
ms.date: 11/02/2023
ms.date: 09/06/2024
ms.topic: reference
---


@ -3,7 +3,7 @@ metadata:
title: Windows 11 SE Frequently Asked Questions (FAQ)
description: Use these frequently asked questions (FAQ) to learn important details about Windows 11 SE.
ms.topic: faq
ms.date: 01/16/2024
ms.date: 10/10/2024
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>


@ -2,7 +2,7 @@
title: Windows 11 SE Overview
description: Learn about Windows 11 SE, and the apps that are included with the operating system.
ms.topic: overview
ms.date: 01/09/2024
ms.date: 10/10/2024
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
ms.collection:


@ -2,7 +2,7 @@
title: Windows 11 SE settings list
description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change.
ms.topic: reference
ms.date: 05/06/2024
ms.date: 10/10/2024
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
ms.collection:


@ -1,19 +1,19 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 09/18/2023
ms.date: 09/23/2024
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Windows Defender Application Control (WDAC):
The following table lists the Windows editions that support App Control for Business:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Windows Defender Application Control (WDAC) license entitlements are granted by the following licenses:
App Control license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|


@ -1,7 +0,0 @@
- name: Docs
tocHref: /
topicHref: /
items:
- name: Microsoft Store for Business
tocHref: /microsoft-store
topicHref: /microsoft-store/index


@ -1,81 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/**.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"adobe-target": true,
"ms.collection": [
"tier2"
],
"breadcrumb_path": "/microsoft-store/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Archive",
"is_archived": true,
"is_retired": true,
"ROBOTS": "NOINDEX,NOFOLLOW",
"ms.author": "trudyha",
"audience": "ITPro",
"ms.service": "store-for-business",
"ms.topic": "article",
"ms.date": "05/09/2017",
"searchScope": [
"Store"
],
"feedback_system": "None",
"hideEdit": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.store-for-business",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"dstrome2",
"rjagiewich",
"American-Dipper",
"claydetels19",
"jborsecnik",
"v-stchambers",
"shdyas",
"Stacyrch140",
"garycentric",
"dstrome",
"alekyaj",
"aditisrivastava07",
"padmagit77"
]
},
"fileMetadata": {},
"template": [],
"dest": "store-for-business",
"markdownEngineName": "markdig"
}
}


@ -9,7 +9,7 @@ metadata:
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 06/28/2024
ms.date: 09/27/2024
ms.topic: landing-page
ms.service: windows-client
ms.subservice: itpro-apps


@ -4,7 +4,7 @@ description: Learn about the different types of apps that run on Windows. For ex
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 06/28/2024
ms.date: 09/03/2024
ms.topic: overview
ms.service: windows-client
ms.subservice: itpro-apps
@ -126,9 +126,7 @@ For more information, see:
When you use the Microsoft Store app, Windows users can download apps from the public store. They can also download apps provided by your organization, which is called the *private store*. If your organization creates its own apps, you can use [Windows Package Manager](/windows/package-manager) to add apps to the private store.
> [!NOTE]
> Retirement of the Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. Customers may continue to use the current capabilities for free apps until that time. There will be no support for Microsoft Store for Business and Education for Windows 11.
>
> For more information, see [Evolving the Microsoft Store for Business and Education](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/bc-p/3771217). This blog post describes the new Microsoft Store experience for both Windows 11 and Windows 10. To learn about other options for getting and managing apps, see [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft).
> The Microsoft Store for Business and Microsoft Store for Education are retired. For more information, see [Microsoft Store for Business and Education retiring March 31, 2023](/lifecycle/announcements/microsoft-store-for-business-education-retiring). There will be no support for Microsoft Store for Business and Education for Windows 11.
To help manage the Microsoft Store on your devices, you can use policies:


@ -4,7 +4,7 @@ description: Learn about per-user services, how to change the template service s
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 12/22/2023
ms.date: 10/01/2024
ms.topic: how-to
ms.service: windows-client
ms.subservice: itpro-apps
@ -229,14 +229,14 @@ If you can't use group policy preferences to manage the per-user services, you c
1. The following example includes multiple commands that disable the specified Windows services by changing their **Start** value in the Windows Registry to `4`:
```cmd
REG.EXE ADD HKLM\System\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\OneSyncSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\UnistoreSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\UserDataSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t REG_DWORD /d 4 /f
```
```cmd
REG.EXE ADD HKLM\System\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\OneSyncSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\UnistoreSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\UserDataSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t REG_DWORD /d 4 /f
```
#### Example 2: Use the Registry Editor user interface to edit the registry
@ -248,7 +248,7 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE
1. Change the **Value data** to `4`.
:::image type="content" source="media/regedit-change-service-startup-type.png" alt-text="Screenshot of the Registry Editor open to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPSvc and highlighting the Start value set to 4.":::
:::image type="content" source="media/regedit-change-service-startup-type.png" alt-text="Screenshot of the Registry Editor open to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPSvc and highlighting the Start value set to 4.":::
#### Example 3: Prevent the creation of per-user services


@ -4,7 +4,7 @@ description: Use the Company Portal app in Windows 11 devices to access the priv
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 04/04/2023
ms.date: 09/03/2023
ms.topic: conceptual
ms.service: windows-client
ms.subservice: itpro-apps
@ -104,4 +104,4 @@ If you use a third party or partner MDM provider, be sure to configure the setti
## Windows Package Manager
If your organization creates its own apps, your app developers can use [Windows Package Manager](/windows/package-manager/) to deploy apps. For more information on Intune and Windows Package Manager, see [Evolving the Microsoft Store for Business and Education](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/ba-p/2569423).
If your organization creates its own apps, your app developers can use [Windows Package Manager](/windows/package-manager/) to deploy apps. For more information on Intune and Windows Package Manager, see [Evolving the Microsoft Store for Business and Education](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/ba-p/2569423) and [Microsoft Store for Business and Education retiring March 31, 2023](/lifecycle/announcements/microsoft-store-for-business-education-retiring).


@ -4,7 +4,7 @@ description: Learn how to sideload line-of-business (LOB) apps in Windows client
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 12/22/2023
ms.date: 09/27/2024
ms.topic: how-to
ms.service: windows-client
ms.subservice: itpro-apps


@ -106,6 +106,7 @@ For more information, visit [Install Quick Assist](https://support.microsoft.com
To deploy Quick Assist with Intune, see [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft).
<!-- commenting out since Store for Business and Microsoft Store for Education retired May 31, 20203
### Install Quick Assist Offline
To install Quick Assist offline, you need to download your APPXBUNDLE and unencoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information.
@ -113,7 +114,7 @@ To install Quick Assist offline, you need to download your APPXBUNDLE and unenco
1. Start **Windows PowerShell** with Administrative privileges
1. In PowerShell, change the directory to the location where you saved the file in step 1: `cd <location of package file>`
1. To install Quick Assist, run the following command: `Add-AppxProvisionedPackage -Online -PackagePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"`
1. After Quick Assist is installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers`
1. After Quick Assist is installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers` -->
### Microsoft Edge WebView2
@ -139,6 +140,9 @@ If your organization utilizes another remote support tool such as [Remote Help](
To disable Quick Assist, block traffic to the `https://remoteassistance.support.services.microsoft.com` endpoint. This is the primary endpoint used by Quick Assist to establish a session, and once blocked, Quick Assist can't be used to get help or help someone.
> [!NOTE]
> Blocking the endpoint will disrupt the functionality of Remote Help, as it relies on this endpoint for operation.
### Uninstall Quick Assist
#### Uninstall via PowerShell


@ -0,0 +1,197 @@
---
title: Windows declared configuration discovery
description: Learn more about configuring discovery for Windows declared configuration enrollment.
ms.date: 09/12/2024
ms.topic: how-to
---
# Declared configuration discovery
Windows Declared configuration (WinDC) discovery uses a dedicated JSON schema to query enrollment details from the [discovery service endpoint (DS)](/openspecs/windows_protocols/ms-mde2/60deaa44-52df-4a47-a844-f5b42037f7d3#gt_8d76dac8-122a-452b-8c97-b25af916f19b). This process involves sending HTTP requests with specific headers and a JSON body containing details such as user domain, tenant ID, and OS version. The DS responds with the necessary enrollment service URLs and authentication policies based on the enrollment type (Microsoft Entra joined or registered devices).
This article outlines the schema structure for the HTTP request and response bodies, and provides examples to guide the implementation.
## Schema structure
### HTTP request headers
| Header | Required | Description |
|----------------------------------|----------|-----------------------------------|
| `MS-CV: %s` | No | Correlation vector for enrollment |
| `client-request-id: %s` | No | Request ID |
| `Content-Type: application/json` | Yes | HTTP Content-Type |
### HTTP request body (JSON)
| Field | Required | Description |
|--|--|--|
| `userDomain` | No | Domain name of the enrolled account |
| `upn` | No | User Principal Name (UPN) of the enrolled account |
| `tenantId` | No | Tenant ID of the enrolled account |
| `emmDeviceId` | No | Enterprise mobility management (EMM) device ID of the enrolled account |
| `enrollmentType` | Entra joined: No <br>Entra registered: Yes | Enrollment type of the enrolled account. <br><br>Supported Values: <br>- `Device`: Indicates the parent enrollment type is Entra joined (DS response should specify "AuthPolicy": "Federated"). <br>- `User`: Indicates parent enrollment type is Entra registered (DS response should specify "AuthPolicy": "Certificate"). <br>- Legacy case (Entra joined only): If the `enrollmentType` parameter isn't included in the request body, the device should be treated as Entra joined. |
| `osVersion` | Yes | OS version on the device. The DS can use the `osVersion` to determine if the client platform supports WinDC enrollment. Review [supported platforms](declared-configuration.md#supported-platforms) for details. |
### HTTP DS response body (JSON)
| Field | Required | Description |
|------------------------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------|
| `EnrollmentServiceUrl` | Yes | URL of the WinDC enrollment service |
| `EnrollmentVersion` | No | Enrollment version |
| `EnrollmentPolicyServiceUrl` | Yes | Enrollment Policy Service URL |
| `AuthenticationServiceUrl` | Yes | Authentication Service URL |
| `ManagementResource` | No | Management Resource |
| `TouUrl` | No | Terms of use URL |
| `AuthPolicy` | Yes | Authentication policy. Supported values: <br>- `Federated` (required for Entra joined) <br>- `Certificate` (required for Entra registered) |
| `errorCode` | No | Error code |
| `message` | No | Status message |
## Examples
### Discovery request
**Headers**
`Content-Type: application/json`
**Body**
1. Single template approach: Client sends the **UPN** value in the initial request, along with the **tenantId** parameter.
1. Microsoft Entra joined:
```json
{
"userDomain" : "contoso.com",
"upn" : "johndoe@contoso.com",
"tenantId" : "00000000-0000-0000-0000-000000000000",
"emmDeviceId" : "00000000-0000-0000-0000-000000000000",
"enrollmentType" : "Device",
"osVersion" : "10.0.00000.0"
}
```
1. Microsoft Entra registered:
```json
{
"userDomain" : "contoso.com",
"upn" : "johndoe@contoso.com",
"tenantId" : "00000000-0000-0000-0000-000000000000",
"emmDeviceId" : "00000000-0000-0000-0000-000000000000",
"enrollmentType" : "Device",
"osVersion" : "10.0.00000.0"
}
```
1. No UPN (legacy)
1. Microsoft Entra joined:
```json
{
"userDomain" : "contoso.com",
"emmDeviceId" : "00000000-0000-0000-0000-000000000000",
"enrollmentType" : "Device",
"osVersion" : "10.0.00000.0"
}
```
1. Microsoft Entra registered:
```json
{
"userDomain" : "contoso.com",
"emmDeviceId" : "00000000-0000-0000-0000-000000000000",
"enrollmentType" : "User",
"osVersion" : "10.0.00000.0"
}
```
1. UPN requested by the server (legacy format). Review [error handling](#error-handling) for details on how the server can request UPN data if it isn't provided in the initial request.
1. Microsoft Entra joined:
```json
{
"upn" : "johndoe@contoso.com",
"emmDeviceId" : "00000000-0000-0000-0000-000000000000",
"enrollmentType" : "Device",
"osVersion" : "10.0.00000.0"
}
```
1. Microsoft Entra registered:
```json
{
"upn" : "johndoe@contoso.com",
"emmDeviceId" : "00000000-0000-0000-0000-000000000000",
"enrollmentType" : "User",
"osVersion" : "10.0.00000.0"
}
```
### Discovery response
**Headers**
`Content-Type: application/json`
**Body**
1. Microsoft Entra joined (requires `"AuthPolicy": "Federated"`):
```json
{
"EnrollmentServiceUrl" : "https://manage.contoso.com/Enrollment/Discovery",
"EnrollmentPolicyServiceUrl" : "https://manage.contoso.com/Enrollment/GetPolicies",
"AuthenticationServiceUrl" : "https://manage.contoso.com/Enrollment/AuthService",
"AuthPolicy" : "Federated",
"ManagementResource":"https://manage.contoso.com",
"TouUrl" : "https://manage.contoso.com/Enrollment/tou.aspx"
}
```
1. Microsoft Entra registered (requires `"AuthPolicy": "Certificate"`):
```json
{
"EnrollmentServiceUrl" : "https://manage.contoso.com/Enrollment/Discovery",
"EnrollmentPolicyServiceUrl" : "https://manage.contoso.com/Enrollment/GetPolicies",
"AuthenticationServiceUrl" : "https://manage.contoso.com/Enrollment/AuthService",
"AuthPolicy" : "Certificate",
"ManagementResource":"https://manage.contoso.com",
"TouUrl" : "https://manage.contoso.com/Enrollment/tou.aspx"
}
```
### Authentication
WinDC enrollment requires different authentication mechanisms for Microsoft Entra joined and registered devices. The WinDC DS must integrate with the authentication model by specifying the appropriate `AuthPolicy` value in the discovery response, based on the `enrollmentType` property of the request.
- **Microsoft Entra joined devices** use **Federated** authentication (Entra device token).
- **Microsoft Entra registered devices** use **Certificate** authentication (MDM certificate provisioned for the parent enrollment).
#### Rules
- **For Microsoft Entra joined devices**:
- **Discovery request**: `"enrollmentType": "Device"`
- **Discovery response**: `"AuthPolicy": "Federated"`
- **Authentication**: The client uses the Entra device token to authenticate with the WinDC enrollment server.
- **For legacy cases (where `enrollmentType` value is empty)**:
- **Discovery request**: `"enrollmentType": ""`
- **Discovery response**: `"AuthPolicy": "Federated"`
- **Authentication**: The client uses the Entra device token to authenticate with the WinDC enrollment server.
- **For Microsoft Entra registered devices**:
- **Discovery request**: `"enrollmentType": "User"`
- **Discovery response**: `"AuthPolicy": "Certificate"`
- **Authentication**: The client uses the MDM certificate from the parent enrollment to authenticate with the WinDC enrollment server.
## Error handling
- **UPNRequired**: If no UPN value is provided in the discovery request, the DS can set the `errorCode` to **UPNRequired** in the response to trigger the client to retry the request with a UPN value, if available.
- **WINHTTP_QUERY_RETRY_AFTER**: The server can set this flag to configure the client request to retry after a specified delay. This flag is useful for handling timeout or throttling scenarios.
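Review bot: The "Microsoft Entra registered" sample under "Single template approach" sends `"enrollmentType" : "Device"`, which contradicts the request-body table and the Rules section (registered devices send `User`, as the two legacy registered samples do); a DS built from this sample would answer `"AuthPolicy": "Federated"` for a device that will actually authenticate with the parent enrollment's MDM certificate. Change that line to `"enrollmentType" : "User",`. Since the DS response steers where the device token or MDM certificate is presented (`EnrollmentServiceUrl`, `AuthenticationServiceUrl`, `EnrollmentPolicyServiceUrl`), the response table would also benefit from stating whether the client requires these URLs to be HTTPS, as every example shows; I can't tell from the text whether the client enforces it.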


@ -0,0 +1,51 @@
---
title: Windows declared configuration enrollment
description: Learn more about configuring enrollment for Windows declared configuration protocol.
ms.date: 09/12/2024
ms.topic: how-to
---
# Declared configuration enrollment
Windows declared configuration (WinDC) enrollment uses new [DMClient CSP](mdm/dmclient-csp.md) policies to facilitate dual enrollment for Windows devices. This process involves setting specific configuration service provider (CSP) policies and executing SyncML commands to manage the enrollment state.
The key CSP policies used for WinDC enrollment include:
- [LinkedEnrollment/Enroll](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentenroll)
- [LinkedEnrollment/Unenroll](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentunenroll)
- [LinkedEnrollment/EnrollStatus](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentenrollstatus)
- [LinkedEnrollment/LastError](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentlasterror)
- [LinkedEnrollment/DiscoveryEndpoint](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentdiscoveryendpoint)
The following SyncML example sets **LinkedEnrolment/DiscoveryEndpoint** and triggers **LinkedEnrollment/Enroll**:
```xml
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/DMClient/Provider/MS%20DM%20SERVER/LinkedEnrollment/DiscoveryEndpoint</LocURI>
</Target>
<Data>https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/DMClient/Provider/MS%20DM%20SERVER/LinkedEnrollment/Enroll</LocURI>
</Target>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
```
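Review bot: The lead-in sentence before the SyncML example spells the node `LinkedEnrolment/DiscoveryEndpoint` (one "l"), while the policy list and the `<LocURI>` in the example use `LinkedEnrollment`; write `sets **LinkedEnrollment/DiscoveryEndpoint** and triggers **LinkedEnrollment/Enroll**` so the name matches the CSP path. The article lists `LinkedEnrollment/EnrollStatus` and `LinkedEnrollment/LastError` but never shows them used; a short sentence after the example saying that the server should read those two nodes after the `Exec` to confirm the enrollment result would make the flow complete.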


@ -1,13 +1,13 @@
---
title: Declared configuration extensibility
description: Learn more about declared configuration extensibility through native WMI providers.
ms.date: 07/08/2024
title: Windows declared configuration extensibility
description: Learn more about Windows declared configuration extensibility through native WMI providers.
ms.date: 09/12/2024
ms.topic: how-to
---
# Declared configuration extensibility providers
# Declared configuration extensibility
The declared configuration enrollment, which supports the declared configuration client stack, offers extensibility through native WMI providers. This feature instantiates and interfaces with a Windows Management Instrumentation (WMI) provider that implements a management infrastructure (MI) interface. The interface must implement GetTargetResource, TestTargetResource, and SetTargetResource methods, and can implement any number of string properties.
The Windows declared configuration (WinDC) enrollment offers extensibility through native WMI providers. This feature instantiates and interfaces with a Windows Management Instrumentation (WMI) provider that implements a management infrastructure (MI) interface. The interface must implement GetTargetResource, TestTargetResource, and SetTargetResource methods, and can implement any number of string properties.
> [!NOTE]
> Only string properties are currently supported by extensibility providers.
@ -58,7 +58,7 @@ To create a native WMI provider, follow the steps outlined in [How to implement
5. Copy the generated files into the provider's project folder.
6. Start the development process.
## Example
## Example MI provider
This example provides more details about each step to demonstrate how to implement a sample native resource named `MSFT_FileDirectoryConfiguration`.
@ -235,15 +235,180 @@ The `MSFT_FileDirectoryConfiguration_Invoke_GetTargetResource` function does the
1. Clean up resources, for example, free allocated memory.
## WinDC document
> [!IMPORTANT]
> The target of the scenario settings can only be device wide for extensibility. The CSP **scope** defined in `<LocURI>` and WinDC **context** must be `Device`.
The value of the `Document` leaf node in the [DeclaredConfiguration CSP](mdm/declaredconfiguration-csp.md) is an XML document that describes the request. Here's a sample WinDC document with the configuration data specified for extensibility.
```xml
<DeclaredConfiguration schema="1.0" context="Device" id="27FEA311-68B9-4320-9FC4-296F6FDFAFE2" checksum="99925209110918B67FE962460137AA3440AFF4DB6ABBE15C8F499682457B9999" osdefinedscenario="MSFTExtensibilityMIProviderConfig">
<DSC namespace="root/Microsoft/Windows/DesiredStateConfiguration" className="MSFT_FileDirectoryConfiguration">
<Key name="DestinationPath">c:\data\test\bin\ut_extensibility.tmp</Key>
<Value name="Contents">TestFileContent1</Value>
</DSC>
</DeclaredConfiguration>
```
Only supported values for `osdefinedscenario` can be used. Unsupported values result in an error message similar to `Invalid scenario name`.
| osdefinedscenario | Description |
|--------------------------------------|----------------------------------------------|
| MSFTExtensibilityMIProviderConfig | Used to configure MI provider settings. |
| MSFTExtensibilityMIProviderInventory | Used to retrieve MI provider setting values. |
Both `MSFTExtensibilityMIProviderConfig` and `MSFTExtensibilityMIProviderInventory` scenarios that require the same tags and attributes.
- The `<DSC>` XML tag describes the targeted WMI provider expressed by a namespace and class name along with the values either to be applied to the device or queried by the MI provider.
This tag has the following attributes:
| Attribute | Description |
|--|--|
| `namespace` | Specifies the targeted MI provider namespace. |
| `classname` | The targeted MI provider. |
- The `<Key>` XML tag describes the required parameter name and value. It only needs a value for configuration. The name is an attribute and the value is `<Key>` content.
This tag has the following attributes:
| Attribute | Description |
|--|--|
| `name` | Specifies the name of an MI provider parameter. |
- The `<Value>` XML tag describes the optional parameter name and value. It only needs a value for configuration. The name is an attribute and the value is `<Value>` content.
This tag has the following attributes:
| Attribute | Description |
|--|--|
| `name` | Specifies the name of an MI provider parameter. |
## SyncML examples
The standard OMA-DM SyncML syntax is used to specify the DeclaredConfiguration CSP operations such as **Replace**, **Add**, and **Delete**. The payload of the SyncML's `<Data>` element must be XML-encoded. For this XML encoding, there are various online encoders that you can use. To avoid encoding the payload, you can use [CDATA Section](https://www.w3.org/TR/REC-xml/#sec-cdata-sect) as shown in the following SyncML examples.
### Configuration request
This example demonstrates how to send a configuration request using the `MSFT_FileDirectoryConfiguration` MI provider with the `MSFTExtensibilityMIProviderConfig` scenario.
```xml
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Replace>
<CmdID>14</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</LocURI>
</Target>
<Data><![CDATA[
<DeclaredConfiguration schema="1.0" context="Device" id="27FEA311-68B9-4320-9FC4-296F6FDFAFE2" checksum="99925209110918B67FE962460137AA3440AFF4DB6ABBE15C8F499682457B9999" osdefinedscenario="MSFTExtensibilityMIProviderConfig">
<DSC namespace="root/Microsoft/Windows/DesiredStateConfiguration" className="MSFT_FileDirectoryConfiguration">
<Key name="DestinationPath">c:\data\test\bin\ut_extensibility.tmp</Key>
<Value name="Contents">TestFileContent1</Value>
</DSC>
</DeclaredConfiguration>
]]></Data>
</Item>
</Replace>
</SyncBody>
</SyncML>
```
### Inventory request
This example demonstrates how to send an inventory request using the MSFT_FileDirectoryConfiguration MI provider with the MSFTExtensibilityMIProviderInventory scenario.
```xml
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Replace>
<CmdID>15</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/12345678-1234-1234-1234-123456789012/Document</LocURI>
</Target>
<Data><![CDATA[
<DeclaredConfiguration schema="1.0" context="Device" id="12345678-1234-1234-1234-123456789012" checksum="1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF" osdefinedscenario="MSFTExtensibilityMIProviderInventory">
<DSC namespace="root/Microsoft/Windows/DesiredStateConfiguration" className="MSFT_FileDirectoryConfiguration">
<Key name="DestinationPath">c:\data\test\bin\ut_extensibility.tmp</Key>
</DSC>
</DeclaredConfiguration>
]]></Data>
</Item>
</Replace>
</SyncBody>
</SyncML>
```
### Retrieve results
This example retrieves the results of a configuration or inventory request:
**Request**:
```xml
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</LocURI>
</Target>
</Item>
</Get>
<Final />
</SyncBody>
</SyncML>
```
**Response**:
```xml
<Status>
<CmdID>2</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Cmd>Get</Cmd>
<Data>200</Data>
</Status>
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Item>
<Source>
<LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</LocURI>
</Source>
<Data>
<DeclaredConfigurationResult context="Device" schema="1.0" id="99988660-9080-3433-96e8-f32e85011999" osdefinedscenario="MSFTPolicies" checksum="99925209110918B67FE962460137AA3440AFF4DB6ABBE15C8F499682457B9999" result_checksum="EE4F1636201B0D39F71654427E420E625B9459EED17ACCEEE1AC9B358F4283FD" operation="Set" state="60">
<DSC namespace="root/Microsoft/Windows/DesiredStateConfiguration" className="MSFT_FileDirectoryConfiguration" status="200" state="60">
<Key name="DestinationPath" />
<Value name="Contents" />
</DSC>
</DeclaredConfigurationResult>
</Data>
</Item>
</Results>
```
## MI implementation references
- [Introducing the management infrastructure (MI) API](/archive/blogs/wmi/introducing-new-management-infrastructure-mi-api)
- [Implementing MI provider (1) - Overview](/archive/blogs/wmi/implementing-mi-provider-1-overview)
- [Implementing MI provider (2) - Define schema](/archive/blogs/wmi/implementing-mi-provider-2-define-schema)
- [Implementing MI provider (3) - Generate code](/archive/blogs/wmi/implementing-mi-provider-3-generate-code)
- [Implementing MI provider (4) - Generate code (continue)](/archive/blogs/wmi/implementing-mi-provider-4-generate-code-continute)
- [Implementing MI provider (5) - Implement](/archive/blogs/wmi/implementing-mi-provider-5-implement)
- [Implementing MI provider (6) - Build, register, and debug](/archive/blogs/wmi/implementing-mi-provider-6-build-register-and-debug)
- [Management infrastructure (MI) API](/archive/blogs/wmi/introducing-new-management-infrastructure-mi-api)
- [MI provider (1) - Overview](/archive/blogs/wmi/implementing-mi-provider-1-overview)
- [MI provider (2) - Define schema](/archive/blogs/wmi/implementing-mi-provider-2-define-schema)
- [MI provider (3) - Generate code](/archive/blogs/wmi/implementing-mi-provider-3-generate-code)
- [MI provider (4) - Generate code (continue)](/archive/blogs/wmi/implementing-mi-provider-4-generate-code-continute)
- [MI provider (5) - Implement](/archive/blogs/wmi/implementing-mi-provider-5-implement)
- [MI provider (6) - Build, register, and debug](/archive/blogs/wmi/implementing-mi-provider-6-build-register-and-debug)
- [MI interfaces](/previous-versions/windows/desktop/wmi_v2/mi-interfaces)
- [MI datatypes](/previous-versions/windows/desktop/wmi_v2/mi-datatypes)
- [MI structures and unions](/previous-versions/windows/desktop/wmi_v2/mi-structures-and-unions)
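Review bot: In the "Retrieve results" response, the `<DeclaredConfigurationResult>` element reports `osdefinedscenario="MSFTPolicies"` and `id="99988660-9080-3433-96e8-f32e85011999"`, but the `<Get>` it answers targets document `27FEA311-68B9-4320-9FC4-296F6FDFAFE2` with scenario `MSFTExtensibilityMIProviderConfig`, so the sample can't be correlated with the request; the result should echo the same `id` and `osdefinedscenario` as the configuration request above it. Two smaller issues in the same hunk: the sentence "Both `MSFTExtensibilityMIProviderConfig` and `MSFTExtensibilityMIProviderInventory` scenarios that require the same tags and attributes." has a stray "that" (`... scenarios require the same tags and attributes.`), and the `<DSC>` attribute table lists `classname` while every XML sample uses `className`.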


@ -0,0 +1,463 @@
---
title: Windows declared configuration resource access
description: Learn more about configuring resource access using Windows declared Configuration.
ms.date: 09/12/2024
ms.topic: how-to
---
# Declared configuration resource access
Windows declared configuration (WinDC) resource access is used to manage device configurations and enforce policies to ensure the devices remain in a desired state. It's crucial for maintaining security, compliance, and operational efficiency in organizations. WinDC cloud service is used to send the desired state of a resource to the device where correspondingly the device has the responsibility to enforce and maintain the resource configuration state.
[Configuration Service Providers (CSPs)](mdm/index.yml) play a vital role for configuring Resource access and act as an interface between the device and the WinDC protocol. They provide a consistent and standardized approach to deploying and enforcing configurations. CSPs support various resource access scenarios, including:
- [VPNv2 CSP](mdm/vpnv2-csp.md) and [VPN CSP](mdm/vpn-csp.md)
- [Wi-Fi CSP](mdm/wifi-csp.md)
- [ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md)
- [ActiveSync CSP](mdm/activesync-csp.md)
- [WiredNetwork CSP](mdm/wirednetwork-csp.md)
- [RootCACertificates CSP](mdm/rootcacertificates-csp.md)
The WinDC stack on the device processes configuration requests and maintains the desired state, which is key to RA. The efficiency, accuracy, and enforcement of configuration requests are critical for effective RA. Resource access integrates seamlessly with WinDC, providing an extended method for managing devices through the cloud with enhanced scalability and efficiency.
- **Efficiency**: Batch-based processing minimizes server resource usage and reduces latency.
- **Accuracy**: WinDC client stack understands the device's configuration surface area, enabling effective handling of continuous updates. It ensures precise execution of configuration changes communicated by the cloud service.
- **Policy Enforcement**: Apply and maintain organizational policies across devices consistently and at scale, ensuring compliance and uniform configuration. This aspect allows organizations to maintain the desired security posture across devices.
## Resource access guidelines
These guidelines provide best practices and examples for developers and testers to implement resource access (RA) configurations in a secure, efficient, and consistent manner. They aim to enhance network security and optimize resource access for end users while adhering to policies and compliance requirements.
- **Configuration Integrity**: To support uninterrupted and secure resource access, ensure consistent configurations across devices and users.
- **State Validation**: Monitor the state of configurations to verify the correct application of resource access settings.
- **Profile Management**: Effectively manage user profiles by adding, updating, and deleting as needed, to control access to resources and maintain security.
- **Log and Audit**: Utilize logs and audit trails for operations and changes to aid in troubleshooting and compliance.
- **Drift Detection and Remediation**: To maintain compliance with RA policies, continuously monitor drift (changes in configuration or behavior) and take corrective action.
- **Security and Privacy**: To protect user data and resources, implement strong security and privacy measures in configurations.
By following these guidelines and understanding the syntax of the [DeclaredConfiguration CSP](mdm/declaredconfiguration-csp.md), you can effectively implement and manage RA configurations while maintaining security and compliance.
## WinDC document
The value of the `Document` leaf node in the [DeclaredConfiguration CSP](mdm/declaredconfiguration-csp.md) is an XML document that describes the request. Here's a sample WinDC document with the configuration data specified for resource access.
```xml
<DeclaredConfiguration context="user" schema="1.0" id="DCA000B5-397D-40A1-AABF-40B25078A7F9" osdefinedscenario="MSFTVPN" checksum="A0">
<CSP name="./Vendor/MSFT/VPNv2">
<URI path="Test_SonicWall/TrafficFilterList/0/Protocol" type="int">2</URI>
<URI path="Test_SonicWall/TrafficFilterList/0/Direction" type="chr">outbound</URI>
</CSP>
</DeclaredConfiguration>
```
Only supported values for `osdefinedscenario` can be used. Unsupported values result in an error message similar to `Invalid scenario name`.
| osdefinedscenario | Recommended using with |
|------------------------------|-------------------------------|
| MSFTWiredNetwork | WiredNetwork |
| MSFTResource | ActiveSync |
| MSFTVPN | VPN and VPNv2 |
| MSFTWifi | Wifi |
| MSFTInventory | Certificate inventory |
| MSFTClientCertificateInstall | SCEP, PFX, Bulk Template Data |
These `osdefinedscenario` values require the following tags and attributes.
- The `<CSP>` XML tag describes the CSP being targeted.
This tag has the following attributes:
| Attribute | Description |
|--|--|
| `name` | Specifies the targeted CSP OMA-URI. |
- The `<URI>` XML tag specifies the CSP setting node along with the desired value.
This tag has the following attributes:
| Attribute | Description |
|-----------|-------------------|
| `path` | Setting path |
| `type` | Setting data type |
> [!NOTE]
> The target of the scenario settings must match the WinDC context. The CSP **scope** defined in `<LocURI>` and WinDC **context** must both be either `Device` or `User`.
>
> :::image type="content" source="images/declared-configuration-ra-syntax.png" alt-text="WinDC resource access syntax":::
### osdefinedscenario examples
- Partial `MSFTWifi` example for Wifi:
```xml
<DeclaredConfiguration context="Device" schema="1.0" id="10249228-e719-58bf-b459-060de45240f1" osdefinedscenario="MSFTWifi" checksum="11111111">
<CSP name="./Vendor/MSFT/WiFi">
```
- Partial `MSFTResource` example for ActiveSync:
```xml
<DeclaredConfiguration context="User" schema="1.0" id="33333333-1861-4131-96e8-44444444" osdefinedscenario="MSFTResource" checksum="5555">
<CSP name="./Vendor/MSFT/ActiveSync">
```
## SyncML examples
The standard OMA-DM SyncML syntax is used to specify the DeclaredConfiguration CSP operations such as **Replace**, **Add**, and **Delete**. The payload of the SyncML's `<Data>` element must be XML-encoded. For this XML encoding, there are various online encoders that you can use. To avoid encoding the payload, you can use [CDATA Section](https://www.w3.org/TR/REC-xml/#sec-cdata-sect) as shown in the following SyncML examples.
### Configure a VPNv2 profile for resource access
This example demonstrates how to use the [VPNv2 CSP](mdm/vpnv2-csp.md) to configure a VPN profile named **Test_SonicWall** on the device in the **User** scope.
```xml
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./User/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/DCA000B5-397D-40A1-AABF-40B25078A7F9/Document</LocURI>
</Target>
<Data><![CDATA[<?xml version="1.0" encoding="utf-8"?>
<DeclaredConfiguration context="user" schema="1.0" id="DCA000B5-397D-40A1-AABF-40B25078A7F9" osdefinedscenario="MSFTVPN" checksum="A0">
<CSP name="./Vendor/MSFT/VPNv2">
<URI path="Test_SonicWall/TrafficFilterList/0/Protocol" type="int">2</URI>
<URI path="Test_SonicWall/TrafficFilterList/0/Direction" type="chr">outbound</URI>
<URI path="Test_SonicWall/TrafficFilterList/1/Protocol" type="int">6</URI>
<URI path="Test_SonicWall/TrafficFilterList/1/LocalPortRanges" type="chr">43-54</URI>
<URI path="Test_SonicWall/TrafficFilterList/1/RemotePortRanges" type="chr">243-456</URI>
<URI path="Test_SonicWall/TrafficFilterList/1/Direction" type="chr">outbound</URI>
<URI path="Test_SonicWall/EdpModeId" type="chr">wip.contoso.com</URI>
<URI path="Test_SonicWall/RememberCredentials" type="bool">true</URI>
<URI path="Test_SonicWall/AlwaysOn" type="bool">true</URI>
<URI path="Test_SonicWall/Proxy/AutoConfigUrl" type="chr">https://auto.proxy.com</URI>
<URI path="Test_SonicWall/DeviceCompliance/Enabled" type="bool">true</URI>
<URI path="Test_SonicWall/DeviceCompliance/Sso/Enabled" type="bool">false</URI>
<URI path="Test_SonicWall/PluginProfile/ServerUrlList" type="chr">23.54.3.6;server1,vpn.contoso.com;server2</URI>
<URI path="Test_SonicWall/PluginProfile/CustomConfiguration" type="chr">&lt;custom&gt;&lt;/custom&gt;</URI>
<URI path="Test_SonicWall/PluginProfile/PluginPackageFamilyName" type="chr">SonicWALL.MobileConnect_e5kpm93dbe93j</URI>
</CSP>
</DeclaredConfiguration>
]]></Data>
</Item>
</Replace>
<Final />
</SyncBody>
</SyncML>
```
<!--
> [!NOTE]
>
> - Format of the `<LocURI>` and `<DeclaredConfiguration>` follow the [DeclaredConfiguration CSP](mdm/declaredconfiguration-csp.md) syntax.
> - The `id` of `<DeclaredConfiguration>` should be a unique string.
> - `<Format>` of `<Meta>` should be `chr` and `<Type>` should be `text/plain`.
-->
### Updating a VPNv2 profile for resource access
This example demonstrates how to use the same WinDC **Document ID**, but with a new checksum("A3"). It installs a new VPNv2 profile named `Test_SonicwallNew`, and deletes the old profile.
```xml
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./User/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/DCA000B5-397D-40A1-AABF-40B25078A7F9/Document</LocURI>
</Target>
<Data><![CDATA[<?xml version="1.0" encoding="utf-8"?>
<DeclaredConfiguration context="user" schema="1.0" id="DCA000B5-397D-40A1-AABF-40B25078A7F9" osdefinedscenario="MSFTVPN" checksum="A3">
<CSP name="./Vendor/MSFT/VPNv2">
<URI path="Test_SonicWallNew/TrafficFilterList/0/Protocol" type="int">2</URI>
<URI path="Test_SonicWallNew/TrafficFilterList/0/Direction" type="chr">outbound</URI>
<URI path="Test_SonicWallNew/EdpModeId" type="chr">wip.contoso.com</URI>
<URI path="Test_SonicWallNew/RememberCredentials" type="bool">true</URI>
<URI path="Test_SonicWallNew/AlwaysOn" type="bool">false</URI>
<URI path="Test_SonicWallNew/Proxy/AutoConfigUrl" type="chr">https://auto.proxy.com</URI>
<URI path="Test_SonicWallNew/DeviceCompliance/Enabled" type="bool">true</URI>
<URI path="Test_SonicWallNew/DeviceCompliance/Sso/Enabled" type="bool">false</URI>
<URI path="Test_SonicWallNew/PluginProfile/ServerUrlList" type="chr">23.54.3.8;server1,vpn2.contoso.com;server2</URI>
<URI path="Test_SonicWallNew/PluginProfile/PluginPackageFamilyName" type="chr">SonicWALL.MobileConnect_e5kpm93dbe93j</URI>
</CSP>
</DeclaredConfiguration>
]]></Data>
</Item>
</Replace>
<Final />
</SyncBody>
</SyncML>
```
### Getting the VPNv2 profile
This example demonstrates how to use `<Get>` to retrieve the results of the WinDC request.
```xml
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./User/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results/DCA000B5-397D-40A1-AABF-40B25078A7F9/Document</LocURI>
</Target>
</Item>
</Get>
<Final />
</SyncBody>
</SyncML>
```
**Response**:
```xml
<SyncML xmlns:msft="http://schemas.microsoft.com/MobileDevice/MDM">
<SyncHdr />
<SyncBody>
<Status>
<CmdID>1</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>0</CmdRef>
<Cmd>SyncHdr</Cmd>
<Data>200</Data>
</Status>
<Status>
<CmdID>2</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Cmd>Get</Cmd>
<Data>200</Data>
</Status>
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Item>
<Source>
<LocURI>./User/Vendor/MSFT/DeclaredConfiguration/Host/BulkTemplate/Results/DCA000B5-397D-40A1-AABF-40B25078A7F9/Document</LocURI>
</Source>
<Data>&lt;DeclaredConfigurationResult context="user" schema="1.0" id="DCA000B5-397D-40A1-AABF-40B25078A7F9" osdefinedscenario="MSFTVPN" checksum="A3" result_checksum="9D2ED497C12D2FCEE1C45158D1F7ED8E2DACE210A0B8197A305417882991C978" result_timestamp="2024-08-06T13:54:38Z" operation="Set" state="60"&gt;&lt;CSP name="./Vendor/MSFT/VPNv2" state="60"&gt;&lt;URI path="Test_SonicWallNew/TrafficFilterList/0/Protocol" status="200" state="60" type="int" /&gt;&lt;URI path="Test_SonicWallNew/TrafficFilterList/0/Direction" status="200" state="60" type="chr" /&gt;&lt;URI path="Test_SonicWallNew/EdpModeId" status="200" state="60" type="chr" /&gt;&lt;URI path="Test_SonicWallNew/RememberCredentials" status="200" state="60" type="bool" /&gt;&lt;URI path="Test_SonicWallNew/AlwaysOn" status="200" state="60" type="bool" /&gt;&lt;URI path="Test_SonicWallNew/Proxy/AutoConfigUrl" status="200" state="60" type="chr" /&gt;&lt;URI path="Test_SonicWallNew/DeviceCompliance/Enabled" status="200" state="60" type="bool" /&gt;&lt;URI path="Test_SonicWallNew/DeviceCompliance/Sso/Enabled" status="200" state="60" type="bool" /&gt;&lt;URI path="Test_SonicWallNew/PluginProfile/ServerUrlList" status="200" state="60" type="chr" /&gt;&lt;URI path="Test_SonicWallNew/PluginProfile/PluginPackageFamilyName" status="200" state="60" type="chr" /&gt;&lt;/CSP&gt;&lt;/DeclaredConfigurationResult&gt;</Data>
</Item>
</Results>
<Final />
</SyncBody>
</SyncML>
```
> [!TIP]
> To understand the state values, see [WinDC states](mdm/declaredconfiguration-csp.md#windc-states).
### Deleting the VPNv2 profile
This example demonstrates how to use `<Delete>` to remove the configuration request to set the VPNv2 profile.
```xml
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Delete>
<CmdID>1</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./User/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/DCA000B5-397D-40A1-AABF-40B25078A7F9/Document</LocURI>
</Target>
</Item>
</Delete>
<Final />
</SyncBody>
</SyncML>
```
## Resource ownership
MDM-managed resources, such as a VPN profile, are transferred/migrated to WinDC management when a WinDC document is sent to the device for the same resource. This resource stays under WinDC management until the WinDC document is [deleted](mdm/declaredconfiguration-csp.md#delete-a-windc-document) or [abandoned](mdm/declaredconfiguration-csp.md#abandon-a-windc-document). Otherwise, when MDM tries to manage the same resource via the legacy MDM channel using SyncML, it fails with error 0x86000031.
`MDM ConfigurationManager: Command failure status. Configuraton Source ID: (29c383c5-6e2d-43bf-a741-c63cb7516bb4), Enrollment Type: (MDMDeviceWithAAD), CSP Name: (ActiveSync), Command Type: (Add: from Replace or Add), CSP URI: (./User/Vendor/MSFT/ActiveSync/Accounts/{3b8b9d4d-a24e-4c6d-a460-034d0bfb9316}), Result: (Unknown Win32 Error code: 0x86000031).`
## Bulk template data
The Bulk template data scenario extends beyond the regular [ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md). It uses a special bulk template document type. This section covers the structure, specification, and results of using the bulk template data.
### Template document
A PFXImport template document contains the structure necessary for importing certificates in bulk. The document should define the necessary fields, and the format required for the bulk import.
- The document type must be `BulkTemplate`.
- The URI path is different than the regular URIs by using the `@#pfxThumbprint#` syntax, it declares that it's a dynamic node. [Instance data](#template-data) for dynamic nodes is sent later using `BulkVariables`. Each dynamic node might contain dynamic subnodes, such as the `@#pfxBlob#` and `#@pfxPassword#` nodes in this example.
```xml
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/BulkTemplate/Documents/47e88660-1861-4131-96e8-f32e85011e55/Document</LocURI>
</Target>
<Data><![CDATA[<?xml version="1.0" encoding="utf-8"?>
<DeclaredConfiguration context="Device" schema="1.0" id="47e88660-1861-4131-96e8-f32e85011e55" osdefinedscenario="MSFTResource" checksum="FF356C2C71F6A41F9AB4A601AD00C8B5BC7531576233010B13A221A9FE1BE7A0">
<ReflectedProperties>
<Property name="foo" type="chr">foovalue</Property>
<Property name="bar" type="chr">barvalue</Property>
</ReflectedProperties>
<CSP name="./Vendor/MSFT/ClientCertificateInstall">
<URI path="PFXCertInstall/@#pfxThumbprint#/KeyLocation" type="Int">2</URI>
<URI path="PFXCertInstall/@#pfxThumbprint#/PFXCertBlob" type="chr">@#pfxBlob#</URI>
<URI path="PFXCertInstall/@#pfxThumbprint#/PFXCertPassword" type="chr">@#pfxPassword#</URI>
<URI path="PFXCertInstall/@#pfxThumbprint#/PFXKeyExportable" type="bool">True</URI>
<URI path="PFXCertInstall/@#pfxThumbprint#/PfxCertPasswordEncryptionType" type="int">0</URI>
<URI path="PFXCertInstall/@#pfxThumbprint#/PfxCertPasswordEncryptionStore" type="chr">SomeValue</URI>
<URI path="PFXCertInstall/@#pfxThumbprint#/ContainerName" type="chr"></URI>
</CSP>
</DeclaredConfiguration>
]]></Data>
</Item>
</Replace>
<Final />
</SyncBody>
</SyncML>
```
### Template data
The bulk template data specifies the certificates to be imported in a base64 encoded format using the `BulkVariables` URI under the `BulkTemplate`. The template data document can contain multiple instances. Each instance must specify all the subinstance data.
In this example, there are two instances. Each instance defines values for **pfxThumbprint**, a **pfxBlob, and a **pfxPassword**.
```xml
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Replace>
<CmdID>3</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/BulkTemplate/Documents/47e88660-1861-4131-96e8-f32e85011e55/BulkVariables/Value</LocURI>
</Target>
<Data><![CDATA[
<InstanceBlob schema="1.0">
<Instance>
<InstanceData variable="pfxThumbprint">813A171D7341E1DA90D4A01878DD5328D3519006</InstanceData>
<InstanceData variable="pfxBlob">pfxbase64BlobValue1</InstanceData>
<InstanceData variable="pfxPassword">Password1</InstanceData>
</Instance>
<Instance>
<InstanceData variable="pfxThumbprint">813A171D7341E1DA90D4A01878DD5328D3519007</InstanceData>
<InstanceData variable="pfxBlob">pfxbase64BlobValue2</InstanceData>
<InstanceData variable="pfxPassword">Password2</InstanceData>
</Instance>
</InstanceBlob>
]]></Data>
</Item>
</Replace>
<Final />
</SyncBody>
</SyncML>
```
### Template results
When the bulk template data document is successfully processed, the specified certificates are imported into the defined stores with the provided passwords and key locations.
- Successful Import: The certificates are correctly imported into the device's certificate stores.
- Error Handling: Any errors encountered during the import process include relevant status codes or messages for troubleshooting.
**Request**:
```xml
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/BulkTemplate/Results/47e88660-1861-4131-96e8-f32e85011e55/Document</LocURI>
</Target>
</Item>
</Get>
<Final />
</SyncBody>
</SyncML>
```
**Response**:
```xml
<SyncML xmlns:msft="http://schemas.microsoft.com/MobileDevice/MDM">
<SyncHdr />
<SyncBody>
<Status>
<CmdID>1</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>0</CmdRef>
<Cmd>SyncHdr</Cmd>
<Data>200</Data>
</Status>
<Status>
<CmdID>2</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Cmd>Get</Cmd>
<Data>200</Data>
</Status>
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Item>
<Source>
<LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/BulkTemplate/Results/47e88660-1861-4131-96e8-f32e85011e55/Document</LocURI>
</Source>
<Data>&lt;DeclaredConfigurationResult context="Device" schema="1.0" id="47e88660-1861-4131-96e8-f32e85011e55" osdefinedscenario="MSFTResource" checksum="FF356C2C71F6A41F9AB4A601AD00C8B5BC7531576233010B13A221A9FE1BE7A0" result_checksum="DD8C1C422D50A410C2949BA5F495C2C42CC4B0C7B498D1B43318C503F6CEF491" result_timestamp="2024-08-06T13:26:23Z" operation="Set" state="60"&gt;
&lt;CSP name="./Vendor/MSFT/ClientCertificateInstall" state="60"&gt;
&lt;URI path="PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D3519006/KeyLocation" status="200" state="60" type="int" /&gt;
&lt;URI path="PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D3519006/PFXCertBlob" status="200" state="60" type="chr" /&gt;
&lt;URI path="PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D3519006/PFXCertPassword" status="200" state="60" type="chr" /&gt;
&lt;URI path="PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D3519006/PFXKeyExportable" status="200" state="60" type="bool" /&gt;
&lt;/CSP&gt;&lt;CSP name="./Vendor/MSFT/ClientCertificateInstall" state="60"&gt;
&lt;URI path="PFXCertInstall/CertPFX1/KeyLocation" status="200" state="60" type="int" /&gt;
&lt;URI path="PFXCertInstall/CertPFX1/PFXCertBlob" status="200" state="60" type="chr" /&gt;
&lt;URI path="PFXCertInstall/CertPFX1/PFXCertPassword" status="200" state="60" type="chr" /&gt;
&lt;URI path="PFXCertInstall/CertPFX1/PFXKeyExportable" status="200" state="60" type="bool" /&gt;
&lt;/CSP&gt;
&lt;/DeclaredConfigurationResult&gt;
</Data>
</Item>
</Results>
<Final />
</SyncBody>
</SyncML>
```


@ -1,65 +1,132 @@
---
title: Declared configuration protocol
description: Learn more about using declared configuration protocol for desired state management of Windows devices.
ms.date: 07/08/2024
title: Windows declared configuration protocol
description: Learn more about using Windows declared configuration (WinDC) protocol for desired state management of Windows devices.
ms.date: 09/12/2024
ms.topic: overview
---
# What is the declared configuration protocol
# Windows declared configuration protocol overview
The declared configuration protocol is based on a desired state device configuration model, though it still uses the underlying OMA-DM Syncml protocol. Through a dedicated OMA-DM server, it provides all the settings in a single batch through this protocol. The device's declared configuration client stack can reason over the settings to achieve the desired scenario in the most efficient and reliable manner.
The Windows declared configuration (WinDC) protocol is a desired state device configuration model designed for efficient and reliable management of Windows devices. It uses the OMA-DM SyncML protocol to provide all necessary settings in a single batch through a dedicated OMA-DM server. The WinDC client stack on the device processes these settings to achieve the desired state in the most efficient and reliable manner.
The declared configuration protocol requires that a device has a separate [OMA-DM enrollment](mdm-overview.md), which is dependent on the device being enrolled with the primary OMA-DM server. The desired state model is a different model from the current model where the server is responsible for the device's desire state. This dual enrollment is only allowed if the device is already enrolled into a primary MDM server. This other enrollment separates the desired state management functionality from the primary functionality. The declared configuration enrollment's first desired state management model feature is called [extensibility](declared-configuration-extensibility.md).
WinDC protocol requires that a device has a separate [OMA-DM enrollment](mdm-overview.md), which is dependent on the device being enrolled with the primary OMA-DM server. The desired state model is a different model from the current model where the server is responsible for the device's desire state. This dual enrollment is only allowed if the device is already enrolled into a primary mobile device management (MDM) server. This other enrollment separates the desired state management functionality from the primary functionality.
:::image type="content" source="images/declared-configuration-model.png" alt-text="Diagram illustrating the declared configuration model.":::
WinDC enrollment involves two phases:
With the [Declared Configuration CSP](mdm/declaredconfiguration-csp.md), the OMA-DM server can provide the device with the complete collection of setting names and associated values based on a specified scenario. The declared configuration stack on the device is responsible for handling the configuration request, and maintaining its state including updates to the scenario.
- [Declared configuration discovery](declared-configuration-discovery.md): The initial discovery phase of the WinDC protocol uses a dedicated JSON schema to query enrollment details from the [discovery service endpoint (DS)](/openspecs/windows_protocols/ms-mde2/60deaa44-52df-4a47-a844-f5b42037f7d3#gt_8d76dac8-122a-452b-8c97-b25af916f19b). This phase involves sending HTTP requests with specific headers and a JSON body containing details such as user domain, tenant ID, and OS version. The DS responds with the necessary enrollment service URLs and authentication policies based on the enrollment type (Microsoft Entra joined or registered devices).
- [Declared configuration enrollment](declared-configuration-enrollment.md): The enrollment phase uses the [MS-MDE2 protocol](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692) and new [DMClient CSP](mdm/dmclient-csp.md) policies for dual enrollment. This phase involves setting the `LinkedEnrollment/DiscoveryEndpoint` and triggering the `LinkedEnrollment/Enroll` using SyncML commands. The device can then manage its configuration state by interacting with the OMA-DM server through these policies.
The benefit of the declared configuration desired state model is that it's efficient and accurate, especially since it's the responsibility of the declared configuration client to configure the device. The efficiency of declared configuration is because the client can asynchronously process batches of scenario settings, which free up the server resources to do other work. Thus the declared configuration protocol has low latency. As for configuration quality and accuracy, the declared configuration client stack has detailed knowledge of the configuration surface area of the device. This behavior includes the proper handling of continuous device updates that affect the configuration scenario.
WinDC enrollment offers these desired state management features:
## Declared configuration enrollment
- [Resource access](declared-configuration-resource-access.md): Provides access to necessary resources for configuration.
- [Extensibility](declared-configuration-extensibility.md): Allows for extending the configuration capabilities as needed.
[Mobile Device Enrollment Protocol version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692) describes enrollment including discovery, which covers the primary and declared configuration enrollments. The device uses the following new [DMClient CSP](mdm/dmclient-csp.md) policies for declared configuration dual enrollment:
:::image type="content" source="images/declared-configuration-model.png" alt-text="Diagram illustrating the WinDC model.":::
- [LinkedEnrollment/Enroll](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentenroll)
- [LinkedEnrollment/Unenroll](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentunenroll)
- [LinkedEnrollment/EnrollStatus](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentenrollstatus)
- [LinkedEnrollment/LastError](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentlasterror)
- [LinkedEnrollment/DiscoveryEndpoint](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentdiscoveryendpoint)
After a device is enrolled, the OMA-DM server can send a complete collection of setting names and values for a specified scenario using the [DeclaredConfiguration CSP](mdm/declaredconfiguration-csp.md). The WinDC stack on the device is responsible for handling the configuration request, and maintaining its state including updates to the scenario.
The following SyncML example sets **LinkedEnrolment/DiscoveryEndpoint** and triggers **LinkedEnrollment/Enroll**:
The benefit of the WinDC desired state model is that it's efficient and accurate, especially since it's the responsibility of the WinDC client stack to configure the device. The efficiency of WinDC is because the client can asynchronously process batches of scenario settings, which free up the server resources to do other work. Thus the WinDC protocol has low latency. As for configuration quality and accuracy, the WinDC client stack has detailed knowledge of the configuration surface area of the device. This behavior includes the proper handling of continuous device updates that affect the configuration scenario.
```xml
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
## Supported platforms
WinDC enrollment for [Microsoft Entra joined devices](/entra/identity/devices/concept-directory-join) is supported for all versions of Windows 10/11.
WinDC enrollment for [Microsoft Entra registered devices](/entra/identity/devices/concept-device-registration) is supported for Windows 10/11 with the following updates:
- Windows 11, version 24H2 with [KB5040529](https://support.microsoft.com/help/5040529) (OS Build 26100.1301)
- Windows 11, version 23H2 with [KB5040527](https://support.microsoft.com/help/5040527) (OS Build 22631.3958)
- Windows 11, version 22H2 with [KB5040527](https://support.microsoft.com/help/5040527) (OS Build 22621.3958)
- Windows 10, version 22H2 with [KB5040525](https://support.microsoft.com/help/5040525) (OS Build 19045.4717)
## Refresh interval
The WinDC refresh schedule is created whenever there's a WinDC document present on the device and there's currently no schedule task for refresh. The task runs every 4 hours by default and can be configured. Each time the WinDC refresh task runs, it checks for all drifts from desired state by comparing the current system configuration versus the server intention in the WinDC documents. If there are any drifts, WinDC engine tries to reapply the WinDC documents to fix it. In case where a WinDC document can't be reapplied due to instance data missing, the WinDC document is marked in drifted state and a new sync session is triggered to notify there's a drift.
To identify, adjust or remove the refresh schedule, use the **RefreshInterval** URI:
- Identify current schedule:
```xml
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/ManagementServiceConfiguration/RefreshInterval</LocURI>
</Target>
</Item>
</Get>
<Final />
</SyncBody>
</SyncML>
```
- Adjust current schedule:
```xml
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/DMClient/Provider/MS%20DM%20SERVER/LinkedEnrollment/DiscoveryEndpoint</LocURI>
</Target>
<Data>https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0</Data>
</Item>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/ManagementServiceConfiguration/RefreshInterval</LocURI>
</Target>
<Data>30</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
<Final />
</SyncBody>
</SyncML>
```
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/DMClient/Provider/MS%20DM%20SERVER/LinkedEnrollment/Enroll</LocURI>
</Target>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
```
- Delete the current schedule and use system default:
## Related content
```xml
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Delete>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/ManagementServiceConfiguration/RefreshInterval</LocURI>
</Target>
</Item>
</Delete>
<Final />
</SyncBody>
</SyncML>
```
- [Declared Configuration extensibility](declared-configuration-extensibility.md)
## Troubleshooting
If the processing of declared configuration document fails, the errors are logged to Windows event logs:
- Admin events: `Application and Service Logs\Microsoft\Windows\DeviceManagement-Enterprise-Diagnostics-Provider\Admin`.
- Operational events: `Application and Service Logs\Microsoft\Windows\DeviceManagement-Enterprise-Diagnostics-Provider\Operational`.
### Common errors
- If the `<LocURI>` uses **Device** scope, while DeclaredConfiguration document specifies **User** context, Admin event log shows an error message similar to:
`MDM ConfigurationManager: Command failure status. Configuration Source ID: (DAD70CC2-365B-450D-A8AB-2EB23F4300CC), Enrollment Name: (MicrosoftManagementPlatformCloud), Provider Name: (DeclaredConfiguration), Command Type: (SetValue: from Replace), CSP URI: (./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/DCA000B5-397D-40A1-AABF-40B25078A7F9/Document), Result: (The system cannot find the file specified.)`
- If the Document ID doesn't match between the `<LocURI>` and inside DeclaredConfiguration document, Admin event log shows an error message similar to:
`MDM Declared Configuration: End document parsing from CSP: Document Id: (DCA000B5-397D-40A1-AABF-40B25078A7F91), Scenario: (MSFTVPN), Version: (A0), Enrollment Id: (DAD70CC2-365B-450D-A8AB-2EB23F4300CC), Current User: (S-1-5-21-3436249567-4017981746-3373817415-1001), Schema: (1.0), Download URL: (), Scope: (0x1), Enroll Type: (0x1A), File size: (0xDE2), CSP Count: (0x1), URI Count: (0xF), Action Requested: (0x0), Model: (0x1), Result:(0x8000FFFF) Catastrophic failure.`
- Any typo in the OMA-URI results in a failure. In this example, `TrafficFilterList` is specified instead of `TrafficFilterLists`, and Admin event log shows an error message similar to:
`MDM ConfigurationManager: Command failure status. Configuraton Source ID: (DAD70CC2-365B-450D-A8AB-2EB23F4300CC), Enrollment Type: (MicrosoftManagementPlatformCloud), CSP Name: (vpnv2), Command Type: (Add: from Replace or Add), CSP URI: (./user/vendor/msft/vpnv2/Test_SonicWall/TrafficFilterLists), Result: (Unknown Win32 Error code: 0x86000002).`
There's also another warning message in operational channel:
`MDM Declared Configuration: Function (DeclaredConfigurationExtension_PolicyCSPConfigureGivenCurrentDoc) operation (ErrorAtDocLevel: one or more CSPs failed) failed with (Unknown Win32 Error code: 0x82d00007)`


@ -15,7 +15,6 @@ By using Windows MDM to manage app lifecycles, administrators can deploy and man
Windows offers the ability for management servers to:
- Install apps directly from the Microsoft Store for Business
- Deploy offline Store apps and licenses
- Deploy line-of-business (LOB) apps (non-Store apps)
- Inventory all apps for a user (Store and non-Store apps)
@ -28,7 +27,7 @@ Windows offers the ability for management servers to:
Windows lets you inventory all apps deployed to a user, and inventory all apps for all users of a Windows device. The [EnterpriseModernAppManagement](mdm/enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
- **Store**: Apps that have been acquired from the Microsoft Store, either directly or delivered with the enterprise from the Store for Business.
- **Store**: Apps that have been acquired from the Microsoft Store.
- **nonStore**: Apps that weren't acquired from the Microsoft Store.
- **System**: Apps that are part of the operating system and can't be uninstalled. This classification is read-only and can only be inventoried.
@ -198,6 +197,9 @@ To deploy an app to a user directly from the Microsoft Store, the management ser
If you purchased an app from the Store for Business and the app is specified for an online license, then the app and license must be acquired directly from the Microsoft Store.
> [!NOTE]
> The Microsoft Store for Business and Microsoft Store for Education are retired. For more information, see [Microsoft Store for Business and Education retiring March 31, 2023](/lifecycle/announcements/microsoft-store-for-business-education-retiring).
Here are the requirements for this scenario:
- The app is assigned to a user Microsoft Entra identity in the Store for Business. You can assign directly in the Store for Business or through a management server.



@ -1,9 +1,9 @@
---
title: Manage Copilot in Windows
description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows.
ms.topic: how-to
title: Updated Windows and Microsoft Copilot experience
description: Learn about changes to the Copilot in Windows experience for commercial environments and how to configure it for your organization.
ms.topic: overview
ms.subservice: windows-copilot
ms.date: 06/13/2024
ms.date: 09/18/2024
ms.author: mstewart
author: mestew
ms.collection:
@ -13,226 +13,66 @@ appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2 or later</a>
---
# Manage Copilot in Windows
<!--8445848-->
# Updated Windows and Microsoft Copilot experience
<!--8445848, 9294806-->
>**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0).
>**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/topic/675708af-8c16-4675-afeb-85a5a476ccb0). **Looking for more information on Microsoft Copilot experiences?** See [Understanding the different Microsoft Copilot experiences](https://support.microsoft.com/topic/cfff4791-694a-4d90-9c9c-1eb3fb28e842).
> [!Note]
> - This article and the [TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) policy isn't for the [new Copilot experience](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-copilot-in-windows-for-your-workforce/ba-p/4141999) that's in some [Windows Insider builds](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/) and that will be gradually rolling out to Windows 11 and Windows 10 devices. <!--9048085-->
## Enhanced data protection with enterprise data protection
Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop and is designed to help users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/copilot/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it's possible for users to copy and paste sensitive information into the chat.
The Copilot experience on Windows is changing to enhance data security, privacy, compliance, and simplify the user experience, for users signed in with a Microsoft Entra work or school account. [Microsoft Copilot will offer enterprise data protection](https://techcommunity.microsoft.com/t5/copilot-for-microsoft-365/updates-to-microsoft-copilot-to-bring-enterprise-data-protection/ba-p/4217152) at no additional cost and redirect users to a new simplified interface designed for work and education. [Enterprise data protection (EDP)](/copilot/microsoft-365/enterprise-data-protection) refers to controls and commitments, under the Data Protection Addendum and Product Terms, that apply to customer data for users of Copilot for Microsoft 365 and Microsoft Copilot. This means that security, privacy, compliance controls and commitments available for Copilot for Microsoft 365 will extend to Microsoft Copilot prompts and responses. Prompts and responses are protected by the same terms and commitments that are widely trusted by our customers - not only for Copilot for Microsoft 365, but also for emails in Exchange and files in SharePoint. This is an improvement on top of the previous commercial data protection (CDP) promise. This update is rolling out now. For more information, see the [Microsoft Copilot updates and enterprise data protection FAQ](/copilot/edpfaq).
> [!IMPORTANT]
> To streamline the user experience, updates to the Copilot entry points in Windows are being made for users. **Copilot in Windows (preview) will be removed from Windows**. The experience will slightly vary depending on whether your organization has already opted into using Copilot in Windows (preview) or not.
## Copilot in Windows (preview) isn't enabled
If your organization hasn't enabled Copilot in Windows (preview), your existing preferences are respected. Neither the Microsoft Copilot app nor the Microsoft 365 app are pinned to the taskbar. To prepare for the eventual removal of the [Copilot in Windows policy](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot), admins should [set Microsoft Copilot pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center.
> [!NOTE]
> Although we won't be pinning any app to the taskbar by default, IT has the capability to use policies to enforce their preferred app pinning.
## Copilot in Windows (preview) is enabled
If you had previously activated Copilot in Windows (in preview) for your workforce, we want to thank you for your enthusiasm. To provide the best Copilot experience for your employees moving forward, and support greater efficiency and productivity, we won't automatically pin the Microsoft 365 app to the taskbar in Windows. Rather, we'll ensure that you have control over how you enable the Copilot experience within your organization. Our focus remains on empowering IT to seamlessly manage AI experiences and adopt those experiences at a pace that suits your organizational needs.
If you have already activated Copilot in Windows (preview) - and want your users to have uninterrupted access to Copilot on the taskbar after the update - use the [configuration options](/windows/configuration/taskbar/?pivots=windows-11) to pin the Microsoft 365 app to the taskbar as Copilot in Windows (preview) icon will be removed from the taskbar.
## Users signing in to new PCs with Microsoft Entra accounts
For users signing in to new PCs with work or school accounts, the following experience occurs:
- The Microsoft 365 app is pinned to the taskbar - this is the app comes preinstalled with Windows and includes convenient access to Office apps such as Word, PowerPoint, etc.
- Users that have the Microsoft 365 Copilot license will have Microsoft Copilot pinned by default inside the Microsoft 365 app.
- Within the Microsoft 365 app, the Microsoft Copilot icon is situated next to the home button.
- Microsoft Copilot (`web` grounding chat) isn't the same as Microsoft 365 Copilot (`web` and `work` scope), which is a separate add-on license.
- Microsoft Copilot is available at no additional cost to customers with a Microsoft Entra account. Microsoft Copilot is the entry point for Copilot at work. While the Copilot chat experience helps users ground their conversations in web data, Microsoft 365 Copilot allows users to incorporate both web and work data they have access to into their conversations by switching between work and web modes in Business Chat.
- For users with the Microsoft 365 Copilot license, they can toggle between the web grounding-based chat capabilities of Microsoft Copilot and the work scoped chat capabilities of Microsoft 365 Copilot.
- Customers that don't have a license for Microsoft 365 Copilot are asked if they want to pin Microsoft Copilot to ensure they have easy access to Copilot. To set the default behavior, admins should [set Microsoft Copilot pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center.
- If admins elect not to pin Copilot and indicate that users may be asked, users will be asked to pin it themselves in the Microsoft 365 app, Outlook, and Teams.
- If admins elect not to pin Microsoft Copilot and indicate that users may not be asked, Microsoft Copilot won't be available via the Microsoft 365 app, Outlook, or Teams. Users will have access to Microsoft Copilot from <www.microsoft.com/copilot> unless that URL is blocked by the IT admin.
- If the admins make no selection, users will be asked to pin Microsoft Copilot by themselves for easy access.
## Configure Copilot in Windows for commercial environments
## When will this happen?
At a high level, managing and configuring Copilot in Windows for your organization involves the following steps:
The update to Microsoft Copilot to offer enterprise data protection is rolling out now.
> [!Note]
> - Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback.
> - Copilot in Windows (in preview) is available in select global markets and will be rolled out to additional markets over time. [Learn more](https://www.microsoft.com/windows/copilot-ai-features#faq). <!--8737645-->
The shift to the Microsoft 365 app as the entry point for Microsoft Copilot is coming soon. Changes will be rolled out to managed PCs starting with the optional nonsecurity preview release on September 24, 2024, and following with the monthly security update release on October 8 for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience.
1. Understand the [available chat provider platforms for Copilot in Windows](#chat-provider-platforms-for-copilot-in-windows)
1. [Configure the chat provider platform](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) used by Copilot in Windows
1. Ensure the [Copilot in Windows user experience](#ensure-the-copilot-in-windows-user-experience-is-enabled) is enabled
1. Verify [other settings that might affect Copilot in Windows](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) and its underlying chat provider
> [!IMPORTANT]
> Want to get started? You can enable the Microsoft Copilot experience for your users now by using the [TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) policy and pin the Microsoft 365 app using the existing policies for taskbar pinning.
## Policy information
Admins should configure the [pinning options](/copilot/microsoft-365/pin-copilot) to enable access to Microsoft Copilot within the Microsoft 365 app in the Microsoft 365 admin center.
The following policy to manage Copilot in Windows (preview) will be removed in the future:
Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the **Turn off Windows Copilot** policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot in Windows and the icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot in Windows when it's available to them.
| &nbsp; | Setting |
|---|---|
| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) |
| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** |
## Chat provider platforms for Copilot in Windows
Copilot in Windows can use either Microsoft Copilot, Copilot with commercial data protection, or Copilot with Graph-grounded chat as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform is important because it's possible for users to copy and paste sensitive information into the chat. Each chat provider platform has different privacy and security protections.
### Copilot
Copilot is a consumer experience and has a daily limit on the number of chat queries per user when not signed in with a Microsoft account. It doesn't offer the same data protection as Copilot with commercial data protection.
- [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a)
- The privacy statement for using Copilot follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section.
> [!Note]
> Copilot doesn't have access to Microsoft 365 Apps data, such as email, calendar, or files using Microsoft Graph, unlike [Microsoft Copilot with Graph-grounded chat](#microsoft-copilot-with-graph-grounded-chat).
### Copilot with commercial data protection
[Copilot with commercial data protection](/copilot/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Copilot with commercial data protection:
- User and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models (LLMs). Because of this protection, chat history, 3rd-party plugins, and the Bing app for iOS or Android aren't currently supported. Copilot with commercial data protection is accessible from mobile browsers, including Edge mobile on iOS and Android. Review the Copilot with commercial data protection [privacy statement](/copilot/privacy-and-protections).
- Copilot with commercial data protection is available, at no additional cost, for the following licenses:
- Microsoft 365 E3 or E5
- Microsoft 365 F3 <!--8681080, 8681034-->
- Microsoft 365 A1, A3, or A5 <!--8681034-->
- Copilot with commercial data protection is limited to faculty and higher education students over 18 years of age
- Office 365 A1, A3, or A5 <!--8681034-->
- Copilot with commercial data protection is limited to faculty and higher education students over 18 years of age
- Microsoft 365 Business Standard
- Microsoft 365 Business Premium
> [!Note]
> Copilot with commercial data protection doesn't have access to Microsoft 365 Apps data, such as email, calendar, or files using Microsoft Graph, unlike [Microsoft Copilot with Graph-grounded chat](#microsoft-copilot-with-graph-grounded-chat).
### Microsoft Copilot with Graph-grounded chat
<!---8639813-->
Copilot with Graph-grounded chat enables you to use your work content and context in Copilot for Windows. With Graph-grounded chat, you can draft content and get answers to questions, all securely grounded in your Microsoft Graph data such as user documents, emails, calendar, chats, meetings, and contacts. When you use the **Work** toggle in Copilot in Windows to query Graph-grounded chat, the following high-level privacy and security protections apply:
- Prompts, responses, and data accessed through Microsoft Graph aren't used to train foundational LLMs.
- It only surfaces organizational data to which individual users have at least view permissions.
- The information contained within your prompts, the data retrieved, and the generated responses remain within your tenant's service boundary. For more information about privacy and security for Graph-grounded chat, see [Data, Privacy, and Security for Microsoft Copilot for Microsoft 365](/microsoft-365-copilot/microsoft-365-copilot-privacy)
- Copilot with Graph-grounded chat is part of Copilot for Microsoft 365. Copilot for Microsoft 365 is an add-on plan. For more information about prerequisites and license requirements, see [Microsoft Copilot for Microsoft 365 requirements](/microsoft-365-copilot/microsoft-365-copilot-requirements#license-requirements).
## Configure the chat provider platform that Copilot in Windows uses
Configuring the correct chat provider platform for Copilot in Windows is important because it's possible for users to copy and paste sensitive information into the chat. Each chat provider platform has different privacy and security protections. Once you select the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses.
### Microsoft Copilot as the chat provider platform
Copilot is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur:
- Commercial data protection isn't configured for the user.
- Commercial data protection is [turned off](/copilot/manage).
- The user isn't assigned a license that includes Copilot with commercial data protection.
- The user isn't signed in with a Microsoft Entra account that's licensed for Copilot with commercial data protection.
### Copilot with commercial data protection as the chat provider platform (recommended for commercial environments)
To verify that Copilot with commercial data protection is enabled for the user as the chat provider platform for Copilot in Windows, use the following instructions:
1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/).
1. In the admin center, select **Users** > **Active users** and verify that users are assigned a license that includes **Copilot**. Copilot with commercial data protection is included and enabled by default for users that are assigned one of the following licenses:
- Microsoft 365 E3 or E5
- Microsoft 365 F3 <!--8681080, 8681034-->
- Microsoft 365 A1, A3, or A5
- Copilot with commercial data protection is limited to faculty and higher education students over 18 years of age <!--8681034-->
- Office 365 A1, A3, or A5 <!--8681034-->
- Copilot with commercial data protection is limited to faculty and higher education students over 18 years of age <!--8681034-->
- Microsoft 365 Business Standard
- Microsoft 365 Business Premium
1. To verify that commercial data protection is enabled for the user, select the user's **Display name** to open the flyout menu.
1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list.
1. Verify that **Copilot** is enabled for the user.
1. If you prefer to view a user's licenses from the [Azure portal](https://portal.azure.com), you'll find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes **Copilot**, and verify that it's listed as **On**. If you previously disabled Copilot with commercial data protection (formerly Bing Chat Enterprise), see [Manage Copilot](/copilot/manage) for verifying that commercial data protection is enabled for your users.
1. Copilot with commercial data protection is used as the chat provider platform for users when the following conditions are met:
- Users have an eligible license, commercial data protection in Copilot is enabled, and the [Copilot in Windows user experience is enabled](#enable-the-copilot-in-windows-user-experience-for-windows-11-version-22h2-clients).
- Users are signed in with their Microsoft Entra ID (work accounts)
- Users can sign into Windows with their Microsoft Entra ID
- For Active Directory users on Windows 11, a Microsoft Entra ID in the Web Account Manager (WAM) authentication broker can be used. Entra IDs in Microsoft Edge profiles and Microsoft 365 Apps would both be in WAM. <!--8470699-->
The following sample PowerShell script connects to Microsoft Graph and lists which users that have Copilot with commercial data protection enabled and disabled:
```powershell
# Install Microsoft Graph module
if (-not (Get-Module Microsoft.Graph.Users)) {
Install-Module Microsoft.Graph.Users
}
# Connect to Microsoft Graph
Connect-MgGraph -Scopes 'User.Read.All'
# Get all users
$users = Get-MgUser -All -ConsistencyLevel eventual -Property Id, DisplayName, Mail, UserPrincipalName, AssignedPlans
# Users with Copilot with commercial data protection enabled
$users | Where-Object { $_.AssignedPlans -and $_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -eq "Enabled" } | Format-Table
# Users without Copilot with commercial data protection enabled
$users | Where-Object { -not $_.AssignedPlans -or ($_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -ne "Enabled") } | Format-Table
```
When Copilot with commercial data protection is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield symbol labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed in this scenario:
:::image type="content" source="images/copilot-commercial-data-protection-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Copilot with commercial data protection is the chat provider." lightbox="images/copilot-commercial-data-protection-chat-provider.png":::
### Copilot with Graph-grounded chat as the chat provider platform
<!---8639813-->
When users are assigned [Microsoft Copilot for Microsoft 365](/microsoft-365-copilot/microsoft-365-copilot-setup) licenses, they're automatically presented with a **Work** toggle in Copilot for Windows. When **Work** is selected, Copilot with Graph-grounded chat is the chat provider platform used by Copilot in Windows. When using Graph-grounded chat, user prompts can securely access Microsoft Graph content, such as emails, chats, and documents.
:::image type="content" source="images/work-toggle-graph-grounded-chat.png" alt-text="Screenshot of the Copilot in Windows user experience when the work toggle is selected and the chart provider is Copilot with Graph-grounded chat." lightbox="images/work-toggle-graph-grounded-chat.png":::
## Ensure the Copilot in Windows user experience is enabled
Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. Ensuring the Copilot in Windows user experience is enabled varies by the Windows version.
### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients
Copilot in Windows isn't technically enabled by default for managed Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager, Microsoft Intune, and Windows Autopatch are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.
To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to enable features under temporary enterprise control for these devices. Since enabling features behind [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions:
1. Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section.
1. Apply a policy to enable features under temporary enterprise control for managed clients. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later:
- **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default**
- **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)
- In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category.
> [!Important]
> For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager, Microsoft Intune, and Windows Autopatch are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.
1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). Depending on how soon you start deploying Copilot in Windows, you might also need to [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies:
- **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features**
- **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates)
- In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category.
The optional updates policy applies to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for [optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates), ensure you select one of the following options that includes CFRs:
- Automatically receive optional updates (including CFRs)
- This selection places devices into an early CFR phase
- Users can select which optional updates to receive
1. Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves.
### Enable the Copilot in Windows user experience for Windows 11, version 23H2 clients
Once a managed device installs the version 23H2 update, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows is removed. This means that Copilot in Windows is enabled by default for these devices.
While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort is made to ensure that Copilot with commercial data protection is the default chat provider for commercial organizations, it's still possible that Copilot might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see:
- [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses)
- [Other settings that might affect Copilot in Windows and its underlying chat provider](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider)
Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using the following policy:
- **CSP**: ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot)
- **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**
## Other settings that might affect Copilot in Windows and its underlying chat provider
Copilot in Windows and [Copilot in Edge](/copilot/edge), can share the same underlying chat provider platform. This also means that some settings that affect Copilot, Copilot with commercial data protection, and Copilot in Edge can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider:
### Bing settings
- If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Edge:
- Mapping `www.bing.com` to `strict.bing.com`
- Mapping `edgeservices.bing.com` to `strict.bing.com`
- Blocking `bing.com`
- If Copilot with commercial data protection is turned on for your organization, users can access it through Edge mobile when signed in with their work account. If you would like to remove the Bing Chat button from the Edge mobile interface, you can use an [Intune Mobile Application Management (MAM) policy for Microsoft Edge](/mem/intune/apps/manage-microsoft-edge) to remove it:
| Key | Value |
|:---------------------------------------------|:---------------------------------------------------------------------------|
| com.microsoft.intune.mam.managedbrowser.Chat | **true** (default) shows the interface </br> **false** hides the interface |
### Microsoft Edge policies
- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it blocks Copilot in Edge from being displayed.
- If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it blocks Copilot from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider.
### Search settings
- Setting [ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) to `Hide` might interfere with the Copilot in Windows user experience.
- Setting [AllowSearchHighlights](/windows/client-management/mdm/policy-csp-search#allowsearchhighlights) to `disabled` might interfere with the Copilot in Windows and the Copilot in Edge user experiences.
### Account settings
- The [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) setting might allow users to use their personal Microsoft account with Copilot in Windows and Copilot in Edge.
- The [RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) setting might prevent access to chat providers since it blocks user authentication.
## Microsoft's commitment to responsible AI
Microsoft has been on a responsible AI journey since 2017, when we defined our principles and approach to ensuring this technology is used in a way that is driven by ethical principles that put people first. For more about our responsible AI journey, the ethical principles that guide us, and the tooling and capabilities we've created to assure that we develop AI technology responsibly, see [Responsible AI](https://www.microsoft.com/ai/responsible-ai).


@ -11,9 +11,9 @@ ms.date: 01/31/2024
<!-- ApplicationControl-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for policy deployment (introduced in Windows 10, version 1709) without reboot. Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.
App Control for Business policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/application-security/application-control/app-control-for-business/design/deploy-multiple-appcontrol-policies) (introduced in Windows 10, version 1903). It also provides support for policy deployment (introduced in Windows 10, version 1709) without reboot. Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.
Existing Windows Defender Application Control (WDAC) policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment using the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
Existing App Control for Business policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although App Control policy deployment using the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
<!-- ApplicationControl-Editable-End -->
<!-- ApplicationControl-Tree-Begin -->
@ -861,7 +861,7 @@ The following table provides the result of this policy based on different values
## Microsoft Intune Usage Guidance
For customers using Intune standalone or hybrid management with Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
For customers using Intune standalone or hybrid management with Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy App Control for Business policies by using Microsoft Intune](/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-intune).
## Generic MDM Server Usage Guidance
@ -1014,7 +1014,7 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Co
### Setup for using the WMI Bridge
1. Convert your WDAC policy to Base64.
1. Convert your App Control policy to Base64.
2. Open PowerShell in Local System context (through PSExec or something similar).
3. Use WMI Interface:


@ -1,7 +1,7 @@
---
title: CloudDesktop DDF file
description: View the XML file containing the device description framework (DDF) for the CloudDesktop configuration service provider.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the C
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>2.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
@ -139,7 +139,7 @@ The following XML file contains the device description framework (DDF) for the C
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.22621.3374</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>


@ -13,7 +13,7 @@ This article lists the OMA DM device description framework (DDF) files for vario
As of December 2022, DDF XML schema was updated to include additional information such as OS build applicability. DDF v2 XML files for Windows 10 and Windows 11 are combined, and provided in a single download:
- [DDF v2 Files, May 2024](https://download.microsoft.com/download/f/6/1/f61445f7-1d38-45f7-bc8c-609b86e4aabc/DDFv2May24.zip)
- [DDF v2 Files, September 2024](https://download.microsoft.com/download/a/a/a/aaadc008-67d4-4dcd-b864-70c479baf7d6/DDFv2September24.zip)
## DDF v2 schema
@ -574,7 +574,7 @@ DDF v2 XML schema definition is listed below along with the schema definition fo
## Older DDF files
You can download the older DDF files for various CSPs from the links below:
- [Download all the DDF files for Windows 10 and 11 May 2024](https://download.microsoft.com/download/f/6/1/f61445f7-1d38-45f7-bc8c-609b86e4aabc/DDFv2May24.zip)
- [Download all the DDF files for Windows 10 and 11 September 2023](https://download.microsoft.com/download/0/e/c/0ec027e5-8971-49a2-9230-ec9352bc3ead/DDFv2September2023.zip)
- [Download all the DDF files for Windows 10 and 11 December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip)
- [Download all the DDF files for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/Windows10_2004_DDF_download.zip)


@ -1,7 +1,7 @@
---
title: DeclaredConfiguration CSP
description: Learn more about the DeclaredConfiguration CSP.
ms.date: 01/18/2024
ms.date: 09/12/2024
---
<!-- Auto-Generated CSP Document -->
@ -15,13 +15,13 @@ ms.date: 01/18/2024
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The primary MDM model is one where the MDM server is solely responsible for orchestration and continuous maintenance of the state of the device for configuration scenarios. This behavior results in intensive network traffic and high network latency due to the synchronous configuration model based on the OMA-DM Syncml standard. It's also error-prone given that the server needs deep knowledge of the client.
The declared configuration device management model requires the server to deliver all the setting values to the device for the scenario configuration. The server sends them asynchronously in batches through the client declared configuration CSP.
The Windows declared configuration (WinDC) device management model requires the server to deliver all the setting values to the device for the scenario configuration. The server sends them asynchronously in batches through the DeclaredConfiguration CSP.
- During the client-initiated OMA-DM session, the declared configuration server sends a configuration or an inventory declared configuration document to the client through the [Declared Configuration CSP URI](#declared-configuration-oma-uri). If the device verifies the syntax of the document is correct, the client stack pushes the request to its orchestrator to process the request asynchronously. The client stack then exits, and returns control back to the declared configuration service. This behavior allows the device to asynchronously process the request.
- During the client-initiated OMA-DM session, the WinDC server sends a configuration or an inventory WinDC document to the client through the [DeclaredConfiguration CSP URI](#declaredconfiguration-oma-uri). If the device verifies the syntax of the document is correct, the client stack pushes the request to its orchestrator to process the request asynchronously. The client stack then exits, and returns control back to the WinDC service. This behavior allows the device to asynchronously process the request.
- On the client, if there are any requests in process or completed, it sends a [generic alert](#declared-configuration-generic-alert) to the server. This alert summarizes each document's status, state, and progress. Every client HTTPS request to the declared configuration OMA-DM server includes this summary.
- On the client, if there are any requests in process or completed, it sends a [generic alert](#windc-generic-alert) to the server. This alert summarizes each document's status, state, and progress. Every client HTTPS request to the WinDC OMA-DM server includes this summary.
- The declared configuration server uses the generic alert to determine which requests are completed successfully or with errors. The server can then synchronously retrieve the declared configuration document process results through the [Declared Configuration CSP URI](#declared-configuration-oma-uri).
- The WinDC server uses the generic alert to determine which requests are completed successfully or with errors. The server can then synchronously retrieve the WinDC document process results through the [DeclaredConfiguration CSP URI](#declaredconfiguration-oma-uri).
<!-- DeclaredConfiguration-Editable-End -->
<!-- DeclaredConfiguration-Tree-Begin -->
@ -730,107 +730,51 @@ The Document node's value is an XML based document containing a collection of se
<!-- DeclaredConfiguration-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
## Declared configuration OMA URI
## DeclaredConfiguration OMA URI
A declared configuration request is sent using an OMA-URI similar to `./Device/Vendor/MSFT/DeclaredConfiguration/Host/[Complete|Inventory]/Documents/{DocID}/Document`.
A WinDC request is sent using an OMA-URI similar to `./Device/Vendor/MSFT/DeclaredConfiguration/Host/[Complete|Inventory]/Documents/{DocID}/Document`.
- The URI is prefixed with a targeted scope. The target of the scenario settings can only be device wide for extensibility. The scope should be `Device`.
- The URI is prefixed with a targeted scope (`User` or `Device`).
- `{DocID}` is a unique identifier for the desired state of the configuration scenario. Every document must have an ID, which must be a GUID.
- The request can be a **Configuration**, **Inventory**, or **Complete** request.
- The request can be a **Inventory**, or **Complete** request.
The following URI is an example of a **Complete** request: `./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document`
## DeclaredConfiguration document XML
The value of the leaf node `Document` is an XML document that describes the request. The actual processing of the request pivots around the `osdefinedscenario` tag:
- `MSFTExtensibilityMIProviderConfig`: Used to configure MI provider settings.
- `MSFTExtensibilityMIProviderInventory`: Used to retrieve MI provider setting values.
The DeclaredConfiguration CSP synchronously validates the batch of settings described by the `<DeclaredConfiguration>` element, which represents the declared configuration document. It checks for correct syntax based on the declared configuration XML schema. If there's a syntax error, the CSP returns an error immediately back to the server as part of the current OMA-DM session. If the syntax check passes, then the request is passed on to a Windows service. The Windows service asynchronously attempts the desired state configuration of the specified scenario. This process frees up the server to do other work thus the low latency of this declared configuration protocol. The Windows client service, the orchestrator, is responsible for driving the configuration of the device based on the server supplied desire state. The service also maintains this state throughout its lifetime, until the server removes or modifies it.
The following example uses the built-in, native MI provider `MSFT_FileDirectoryConfiguration` with the OS-defined scenario `MSFTExtensibilityMIProviderConfig`:
## WinDC document
```xml
<DeclaredConfiguration schema="1.0" context="Device" id="27FEA311-68B9-4320-9FC4-296F6FDFAFE2" checksum="99925209110918B67FE962460137AA3440AFF4DB6ABBE15C8F499682457B9999" osdefinedscenario="MSFTExtensibilityMIProviderConfig">
<DSC namespace="root/Microsoft/Windows/DesiredStateConfiguration" className="MSFT_FileDirectoryConfiguration">
<Key name="DestinationPath">c:\data\test\bin\ut_extensibility.tmp</Key>
<Value name="Contents">TestFileContentBlah</Value>
</DSC>
<DeclaredConfiguration
schema="1.0"
context="Device"
id="27FEA311-68B9-4320-9FC4-296F6FDFAFE2"
checksum="99925209110918B67FE962460137AA3440AFF4DB6ABBE15C8F499682457B9999"
osdefinedscenario="MSFTExtensibilityMIProviderConfig">
... {Configuration Data} ...
</DeclaredConfiguration>
```
The standard OMA-DM SyncML syntax is used to specify the DeclaredConfiguration CSP operations such as **Replace**, **Set**, and **Delete**. The payload of the SyncML's `<Data>` element must be XML-encoded. For this XML encoding, there are various online encoders that you can use. To avoid encoding the payload, you can use [CDATA Section](https://www.w3.org/TR/REC-xml/#sec-cdata-sect) as shown in the following example:
The `<DeclaredConfiguration>` XML tag specifies the details of the WinDC document to process. The document could be part of a configuration request or an inventory request. The DeclaredConfiguration CSP has two URIs to allow the specification of a [configuration](#hostcomplete) or an [inventory](#hostinventory) request.
```xml
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Replace>
<CmdID>14</CmdID>
<Item>
<Target>
<LocURI> ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/99988660-9080-3433-96e8-f32e85011999/Document</LocURI>
</Target>
<Data>
<![CDATA[<DeclaredConfiguration schema="1.0" context="Device" id="27FEA311-68B9-4320-9FC4-296F6FDFAFE2" checksum="99925209110918B67FE962460137AA3440AFF4DB6ABBE15C8F499682457B9999" osdefinedscenario="MSFTExtensibilityMIProviderConfig">
<DSC namespace="root/Microsoft/Windows/DesiredStateConfiguration" className="MSFT_FileDirectoryConfiguration">
<Key name="DestinationPath">c:\data\test\bin\ut_extensibility.tmp</Key>
<Value name="Contents">TestFileContentBlah</Value>
</DSC>
</DeclaredConfiguration>]]>
</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
This tag has the following attributes:
### DeclaredConfiguration XML document tags
| Attribute | Description |
|---------------------|----------------------------------------------------------------------------------------|
| `schema` | The schema version of the xml. Currently `1.0`. |
| `context` | States whether the document is targeting the device or user. |
| `id` | The unique identifier of the document set by the server. This value should be a GUID. |
| `checksum` | This value is the server-supplied version of the document. |
| `osdefinedscenario` | The named scenario that the client should configure with the given configuration data. |
Both `MSFTExtensibilityMIProviderConfig` and `MSFTExtensibilityMIProviderInventory` are OS-defined scenarios that require the same tags and attributes.
The DeclaredConfiguration CSP synchronously validates the batch of settings described by the `<DeclaredConfiguration>` element, which represents the WinDC document. It checks for correct syntax based on the WinDC XML schema. If there's a syntax error, the CSP returns an error immediately back to the server as part of the current OMA-DM session. If the syntax check passes, then the request is passed on to a Windows service. The Windows service asynchronously attempts the desired state configuration of the specified scenario. This process frees up the server to do other work thus the low latency of the WinDC protocol. The Windows client service, the orchestrator, is responsible for driving the configuration of the device based on the server supplied desire state. The service also maintains this state throughout its lifetime, until the server removes or modifies it.
- The `<DeclaredConfiguration>` XML tag specifies the details of the declared configuration document to process. The document could be part of a configuration request or an inventory request. The DeclaredConfiguration CSP has two URIs to allow the specification of a configuration or an inventory request.
The actual processing of the request pivots around the `osdefinedscenario` tag and the configuration data specified within the document. For more information, see:
This tag has the following attributes:
- [WinDC document for resource access](../declared-configuration-resource-access.md#windc-document)
- [WinDC document for extensibility](../declared-configuration-extensibility.md#windc-document)
| Attribute | Description |
|--|--|
| `schema` | The schema version of the xml. Currently `1.0`. |
| `context` | States that this document is targeting the device. The value should be `Device`. |
| `id` | The unique identifier of the document set by the server. This value should be a GUID. |
| `checksum` | This value is the server-supplied version of the document. |
| `osdefinedscenario` | The named scenario that the client should configure with the given configuration data. For extensibility, the scenario is either `MSFTExtensibilityMIProviderConfig` or `MSFTExtensibilityMIProviderInventory`. |
## WinDC generic alert
- The `<DSC>` XML tag describes the targeted WMI provider expressed by a namespace and class name along with the values either to be applied to the device or queried by the MI provider.
This tag has the following attributes:
| Attribute | Description |
|--|--|
| `namespace` | Specifies the targeted MI provider namespace. |
| `classname` | The targeted MI provider. |
- The `<Key>` XML tag describes the required parameter name and value. It only needs a value for configuration. The name is an attribute and the value is `<Key>` content.
This tag has the following attributes:
| Attribute | Description |
|--|--|
| `name` | Specifies the name of an MI provider parameter. |
- The `<Value>` XML tag describes the optional parameter name and value. It only needs a value for configuration. The name is an attribute and the value is `<Value>` content.
This tag has the following attributes:
| Attribute | Description |
|--|--|
| `name` | Specifies the name of an MI provider parameter. |
## Declared configuration generic alert
On every client response to the server's request, the client constructs a declared configuration alert. This alert summarizes the state of each of the documents that the Windows service has processed. The following XML is an example alert:
On every client response to the server's request, the client constructs a WinDC alert. This alert summarizes the state of each of the documents that the Windows service has processed. The following XML is an example alert:
```xml
<Alert>
@ -853,9 +797,13 @@ On every client response to the server's request, the client constructs a declar
</Alert>
```
In this example, there's one declared configuration document listed in the alert summary. The alert summary lists every document that the client stack is processing, either a configuration or inventory request. It describes the context of the document that specifies the scope of how the document is applied. The **context** value should be `Device`.
In this example, there's one WinDC document listed in the alert summary. The alert summary lists every document that the client stack is processing, either a configuration or inventory request. It describes the context of the document that specifies the scope of how the document is applied. The **context** value should be `Device`.
The **state** attribute has a value of `60`, which indicates that the document was processed successfully. The following class defines the other state values:
The **state** attribute has a value of `60`, which indicates that the document was processed successfully.
## WinDC states
The following class defines the state values:
```csharp
enum class DCCSPURIState :unsigned long
@ -889,150 +837,83 @@ enum class DCCSPURIState :unsigned long
## SyncML examples
- Retrieve the results of a configuration or inventory request:
- [SyncML examples for resource access](../declared-configuration-resource-access.md#syncml-examples)
- [SyncML examples for extensibility](../declared-configuration-extensibility.md#syncml-examples)
```xml
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</LocURI>
</Target>
</Item>
</Get>
<Final />
</SyncBody>
</SyncML>
```
### Abandon a WinDC document
```xml
<Status>
<CmdID>2</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Cmd>Get</Cmd>
<Data>200</Data>
</Status>
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Item>
<Source>
<LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</LocURI>
</Source>
<Data>
<DeclaredConfigurationResult context="Device" schema="1.0" id="99988660-9080-3433-96e8-f32e85011999" osdefinedscenario="MSFTPolicies" checksum="99925209110918B67FE962460137AA3440AFF4DB6ABBE15C8F499682457B9999" result_checksum="EE4F1636201B0D39F71654427E420E625B9459EED17ACCEEE1AC9B358F4283FD" operation="Set" state="60">
<DSC namespace="root/Microsoft/Windows/DesiredStateConfiguration" className="MSFT_FileDirectoryConfiguration" status="200" state="60">
<Key name="DestinationPath" />
<Value name="Contents" />
</DSC>
</DeclaredConfigurationResult>
</Data>
</Item>
</Results>
```
Abandoning a resource occurs when certain resources are no longer targeted to a user or group. Instead of deleting the resource on the device, the server can choose to abandon the WinDC document. An abandoned resource stays on the device but stops refreshing the WinDC document that handles drift control. Also the [resource ownership](../declared-configuration-resource-access.md#resource-ownership) is transferred to MDM, which means the same resource can be modified via legacy MDM channel again.
- Replace a configuration or inventory request
This example demonstrates how to abandon a WinDC document, by setting the **Abandoned** property to **1**.
```xml
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Replace>
<CmdID>14</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</LocURI>
</Target>
<Data>
<![CDATA[<DeclaredConfiguration schema="1.0" context="Device" id="27FEA311-68B9-4320-9FC4-296F6FDFAFE2" checksum="99995209110918B67FE962460137AA3440AFF4DB6ABBE15C8F49968245799999" osdefinedscenario="MSFTExtensibilityMIProviderInventory">
<DSC namespace="root/Microsoft/Windows/DesiredStateConfiguration" className="MSFT_FileDirectoryConfiguration">
<Key name="DestinationPath">c:/temp/foobar.tmp</Key>
<Value name="Contents"></Value>
</DSC>
</DeclaredConfiguration>]]>
</Data>
</Item>
</Replace>
<Final />
</SyncBody>
</SyncML>
```
```xml
<Status>
<CmdID>2</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Cmd>Get</Cmd>
<Data>200</Data>
</Status><Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Item>
<Source>
<LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Results/99998660-9080-3433-96e8-f32e85019999/Document</LocURI>
</Source>
<Data>
<DeclaredConfigurationResult context="Device" schema="1.0" id="27FEA311-68B9-4320-9FC4-296F6FDFAFE2" osdefinedscenario="MSFTExtensibilityMIProviderInventory" checksum="99995209110918B67FE962460137AA3440AFF4DB6ABBE15C8F49968245799999" result_checksum="A27B0D234CBC2FAC1292F1E8FBDF6A90690F3988DEDC9D716829856C9ACE0E20" operation="Get" state="80">
<DSC namespace="root/Microsoft/Windows/DesiredStateConfiguration" className="MSFT_FileDirectoryConfiguration" status="200" state="80">
<Key name="DestinationPath">c:/temp/foobar.tmp</Key>
<Value name="Contents">TestFileContent</Value>
</DSC>
</DeclaredConfigurationResult>
</Data>
</Item>
</Results>
```
- Abandon a configuration or inventory request. This process results in the client tracking the document but not reapplying it. The alert has the `Abandoned` property set to `1`, which indicates that the document is no longer managed by the declared configuration server.
```xml
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Meta>
```xml
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Target>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Properties/Abandoned</LocURI>
</Target>
<Data>1</Data>
</Target>
<Data>1</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
### Unabandon a WinDC document
Unabandoning the document causes the document to be applied right away, transferring the [resource ownership](../declared-configuration-resource-access.md#resource-ownership) back to WinDC management and blocking legacy MDM channel from managing the channels again.
This example demonstrates how to unabandon a WinDC document, by setting the **Abandoned** property to **0**.
```xml
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Replace>
<CmdID>10</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/DCA000B5-397D-40A1-AABF-40B25078A7F9/Properties/Abandoned</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
<Final />
</SyncBody>
</SyncML>
```
### Delete a WinDC document
The SyncML deletion of the document only removes the document but any settings persist on the device. This example demonstrates how to delete a document.
```xml
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Delete>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</LocURI>
</Target>
</Item>
</Replace>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
- Deletion of configuration or inventory request. The SyncML deletion of the document only removes the document but any extensibility settings persist on the device (tattoo).
```xml
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Delete>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
</SyncML>
```
<!-- DeclaredConfiguration-CspMoreInfo-End -->
<!-- DeclaredConfiguration-End -->


@ -1,7 +1,7 @@
---
title: Defender CSP
description: Learn more about the Defender CSP.
ms.date: 06/21/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -1289,7 +1289,7 @@ Define data duplication remote location for Device Control. When configuring thi
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Description-Begin -->
<!-- Description-Source-DDF -->
Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 25 days when enabled.
Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 30 days when enabled.
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Description-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Editable-Begin -->
@ -1304,7 +1304,7 @@ Configure how many days can pass before an aggressive quick scan is triggered. T
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[7-60]` |
| Default Value | 25 |
| Default Value | 30 |
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-DFProperties-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Examples-Begin -->


@ -1,7 +1,7 @@
---
title: Defender DDF file
description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider.
ms.date: 06/28/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -2373,8 +2373,8 @@ The following XML file contains the device description framework (DDF) for the D
<Get />
<Replace />
</AccessType>
<DefaultValue>25</DefaultValue>
<Description>Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 25 days when enabled.</Description>
<DefaultValue>30</DefaultValue>
<Description>Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 30 days when enabled.</Description>
<DFFormat>
<int />
</DFFormat>


@ -1,7 +1,7 @@
---
title: EnterpriseModernAppManagement CSP
description: Learn more about the EnterpriseModernAppManagement CSP.
ms.date: 04/10/2024
ms.date: 09/11/2024
---
<!-- Auto-Generated CSP Document -->
@ -381,7 +381,7 @@ This is a required node. The following list shows the supported deployment optio
- ForceUpdateToAnyVersion
- DeferRegistration="1". If the app is in use at the time of installation. This option stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1.
- StageOnly="1". Stages the files for an app installation or update without installing the app. Available in 1803.
- LicenseUri="\\server\license.lic". Deploys an offline license from the Microsoft Store for Business. Available in 1607.
- LicenseUri="\\server\license.lic". Deploys an offline license. Available in 1607.
- ValidateDependencies="1". This option is used at provisioning/staging time. If it's set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies aren't present. Available in the latest insider flight of 20H1.
- ExcludeAppFromLayoutModification="1". Sets that the app will be provisioned on all devices and will be able to retain the apps provisioned without pinning them to start layout. Available in 1809.
<!-- Device-AppInstallation-{PackageFamilyName}-HostedInstall-Editable-End -->
@ -821,7 +821,7 @@ This is a required node.
<!-- Device-AppLicenses-StoreLicenses-{LicenseID}-LicenseCategory-Description-Begin -->
<!-- Description-Source-DDF -->
Category of license that's used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel, typically from the Store for Business. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios.
Category of license that's used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios.
<!-- Device-AppLicenses-StoreLicenses-{LicenseID}-LicenseCategory-Description-End -->
<!-- Device-AppLicenses-StoreLicenses-{LicenseID}-LicenseCategory-Editable-Begin -->
@ -904,6 +904,8 @@ Identifier for the entity that requested the license, such as the client who acq
<!-- Device-AppLicenses-StoreLicenses-{LicenseID}-RequesterID-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> The Microsoft Store for Business and Microsoft Store for Education are retired. For more information, see [Microsoft Store for Business and Education retiring March 31, 2023](/lifecycle/announcements/microsoft-store-for-business-education-retiring).
<!-- Device-AppLicenses-StoreLicenses-{LicenseID}-RequesterID-Editable-End -->
<!-- Device-AppLicenses-StoreLicenses-{LicenseID}-RequesterID-DFProperties-Begin -->
@ -992,6 +994,8 @@ This is a required node. Query parameters:
- Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are:
- AppStore - This classification is for apps that were acquired from Microsoft Store. These were apps directly installed from Microsoft Store or enterprise apps from Microsoft Store for Business.
> [!NOTE]
> The Microsoft Store for Business and Microsoft Store for Education are retired. For more information, see [Microsoft Store for Business and Education retiring March 31, 2023](/lifecycle/announcements/microsoft-store-for-business-education-retiring).
- nonStore - This classification is for apps that weren't acquired from the Microsoft Store.
- System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried.
@ -5464,7 +5468,7 @@ This is a required node. The following list shows the supported deployment optio
- ForceUpdateToAnyVersion
- DeferRegistration="1". If the app is in use at the time of installation. This option stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1.
- StageOnly="1". Stages the files for an app installation or update without installing the app. Available in 1803.
- LicenseUri="\\server\license.lic". Deploys an offline license from the Microsoft Store for Business. Available in 1607.
- LicenseUri="\\server\license.lic". Deploys an offline license. Available in 1607.
- ValidateDependencies="1". This option is used at provisioning/staging time. If it's set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies aren't present. Available in the latest insider flight of 20H1.
- ExcludeAppFromLayoutModification="1". Sets that the app will be provisioned on all devices and will be able to retain the apps provisioned without pinning them to start layout. Available in 1809.
<!-- User-AppInstallation-{PackageFamilyName}-HostedInstall-Editable-End -->
@ -5903,7 +5907,7 @@ This is a required node.
<!-- User-AppLicenses-StoreLicenses-{LicenseID}-LicenseCategory-Description-Begin -->
<!-- Description-Source-DDF -->
Category of license that's used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel, typically from the Store for Business. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios.
Category of license that's used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios.
<!-- User-AppLicenses-StoreLicenses-{LicenseID}-LicenseCategory-Description-End -->
<!-- User-AppLicenses-StoreLicenses-{LicenseID}-LicenseCategory-Editable-Begin -->
@ -5986,6 +5990,8 @@ Identifier for the entity that requested the license, such as the client who acq
<!-- User-AppLicenses-StoreLicenses-{LicenseID}-RequesterID-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> The Microsoft Store for Business and Microsoft Store for Education are retired. For more information, see [Microsoft Store for Business and Education retiring March 31, 2023](/lifecycle/announcements/microsoft-store-for-business-education-retiring).
<!-- User-AppLicenses-StoreLicenses-{LicenseID}-RequesterID-Editable-End -->
<!-- User-AppLicenses-StoreLicenses-{LicenseID}-RequesterID-DFProperties-Begin -->


@ -1,7 +1,7 @@
---
title: EnterpriseModernAppManagement DDF file
description: View the XML file containing the device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider.
ms.date: 06/28/2024
ms.date: 09/11/2024
---
<!-- Auto-Generated CSP Document -->


@ -1,7 +1,7 @@
---
title: Firewall CSP
description: Learn more about the Firewall CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -2221,7 +2221,7 @@ Specifies the friendly name of the firewall rule.
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Description-Begin -->
<!-- Description-Source-DDF -->
Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ""., and "_". A PolicyAppId and ServiceName can't be specified in the same rule.
Specifies one App Control tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ""., and "_". A PolicyAppId and ServiceName can't be specified in the same rule.
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Description-End -->
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Editable-Begin -->


@ -9,7 +9,7 @@ metadata:
ms.topic: landing-page
ms.collection:
- tier1
ms.date: 10/25/2023
ms.date: 10/07/2024
ms.localizationpriority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@ -27,8 +27,8 @@ landingContent:
url: configuration-service-provider-support.md
- text: Device description framework (DDF) files
url: configuration-service-provider-ddf.md
- text: BitLocker CSP
url: bitlocker-csp.md
- text: Contribute to CSP reference
url: contribute-csp-reference.md
- text: Declared Configuration protocol
url: ../declared-configuration.md
@ -42,8 +42,8 @@ landingContent:
url: policy-configuration-service-provider.md
- text: Policy DDF file
url: configuration-service-provider-ddf.md
- text: Policy CSP - Start
url: policy-csp-start.md
- text: Policy CSP - Defender
url: policy-csp-defender.md
- text: Policy CSP - Update
url: policy-csp-update.md


@ -1,7 +1,7 @@
---
title: LAPS CSP
description: Learn more about the LAPS CSP.
ms.date: 06/21/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 06/21/2024
<!-- LAPS-Begin -->
# LAPS CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- LAPS-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings).
@ -432,7 +430,7 @@ If the specified user or group account is invalid the device will fallback to us
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-OmaUri-Begin -->
@ -488,7 +486,7 @@ If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementEnabled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Device-Policies-AutomaticAccountManagementEnabled-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-OmaUri-Begin -->
@ -543,7 +541,7 @@ If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-OmaUri-Begin -->
@ -587,7 +585,7 @@ If not specified, this setting will default to "WLapsAdmin".
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-OmaUri-Begin -->
@ -643,7 +641,7 @@ If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementTarget-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Device-Policies-AutomaticAccountManagementTarget-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-OmaUri-Begin -->
@ -759,7 +757,7 @@ If not specified, this setting will default to 0.
<!-- Device-Policies-PassphraseLength-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Device-Policies-PassphraseLength-Applicability-End -->
<!-- Device-Policies-PassphraseLength-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: LAPS DDF file
description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider.
ms.date: 06/28/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -327,7 +327,7 @@ This setting has a maximum allowed value of 10 words.</Description>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Range">
@ -690,7 +690,7 @@ If not specified, this setting defaults to False.</Description>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
@ -736,7 +736,7 @@ If not specified, this setting will default to 1.</Description>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
@ -791,7 +791,7 @@ If not specified, this setting will default to "WLapsAdmin".</Description>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:DependencyBehavior>
@ -839,7 +839,7 @@ If not specified, this setting defaults to False.</Description>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
@ -897,7 +897,7 @@ If not specified, this setting defaults to False.</Description>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">


@ -1,7 +1,7 @@
---
title: Office CSP
description: Learn more about the Office CSP.
ms.date: 01/18/2024
ms.date: 10/10/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,7 +11,7 @@ ms.date: 01/18/2024
<!-- Office-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](/intune/apps-add-office365).
The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options) and [Add Microsoft 365 Apps to Windows devices with Microsoft Intune](/mem/intune/apps/apps-add-office365).
<!-- Office-Editable-End -->
<!-- Office-Tree-Begin -->
@ -587,7 +587,7 @@ To get the current status of Office 365 on the device.
| 17001 | ERROR_QUEUE_SCENARIO <br/>Failed to queue installation scenario in C2RClient | Failure |
| 17002 | ERROR_COMPLETING_SCENARIO <br>Failed to complete the process. Possible reasons:<li>Installation canceled by user<li>Installation canceled by another installation<li>Out of disk space during installation <li>Unknown language ID | Failure |
| 17003 | ERROR_ANOTHER_RUNNING_SCENARIO <br>Another scenario is running | Failure |
| 17004 | ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP<br>Possible reasons:<li>Unknown SKUs<li>Content does't exist on CDN<ul><li>Such as trying to install an unsupported LAP, like zh-sg<li>CDN issue that content is not available</li></ul><li>Signature check issue, such as failed the signature check for Office content<li>User canceled | Failure |
| 17004 | ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP<br>Possible reasons:<li>Unknown SKUs<li>Content doesn't exist on CDN<ul><li>Such as trying to install an unsupported LAP, like zh-sg<li>CDN issue that content is not available</li></ul><li>Signature check issue, such as failed the signature check for Office content<li>User canceled | Failure |
| 17005 | ERROR_SCENARIO_CANCELLED_AS_PLANNED | Failure |
| 17006 | ERROR_SCENARIO_CANCELLED<br>Blocked update by running apps | Failure |
| 17007 | ERROR_REMOVE_INSTALLATION_NEEDED<br>The client is requesting client clean-up in a "Remove Installation" scenario | Failure |


@ -1,7 +1,7 @@
---
title: Personalization DDF file
description: View the XML file containing the device description framework (DDF) for the Personalization configuration service provider.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the P
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>


@ -137,7 +137,6 @@ ms.date: 02/03/2023
- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#configuredeadlineforfeatureupdates) <sup>11</sup>
- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#configuredeadlineforqualityupdates) <sup>11</sup>
- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#configuredeadlinegraceperiod) <sup>11</sup>
- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#configuredeadlinenoautoreboot) <sup>11</sup>
- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#deferfeatureupdatesperiodindays)
- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#deferqualityupdatesperiodindays)
- [Update/ManagePreviewBuilds](policy-csp-update.md#managepreviewbuilds)


@ -1,7 +1,7 @@
---
title: Configuration service provider preview policies
description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
ms.date: 08/07/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -17,6 +17,7 @@ This article lists the policies that are applicable for Windows Insider Preview
- [TurnOffInstallTracing](policy-csp-appdeviceinventory.md#turnoffinstalltracing)
- [TurnOffAPISamping](policy-csp-appdeviceinventory.md#turnoffapisamping)
- [TurnOffApplicationFootprint](policy-csp-appdeviceinventory.md#turnoffapplicationfootprint)
- [TurnOffWin32AppBackup](policy-csp-appdeviceinventory.md#turnoffwin32appbackup)
## ClientCertificateInstall CSP
@ -28,15 +29,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [EnablePhysicalDeviceAccessOnErrorScreens](clouddesktop-csp.md#userenablephysicaldeviceaccessonerrorscreens)
- [EnableBootToCloudSharedPCMode](clouddesktop-csp.md#deviceenableboottocloudsharedpcmode)
## Cryptography
- [ConfigureEllipticCurveCryptography](policy-csp-cryptography.md#configureellipticcurvecryptography)
- [ConfigureSystemCryptographyForceStrongKeyProtection](policy-csp-cryptography.md#configuresystemcryptographyforcestrongkeyprotection)
- [OverrideMinimumEnabledTLSVersionClient](policy-csp-cryptography.md#overrideminimumenabledtlsversionclient)
- [OverrideMinimumEnabledTLSVersionServer](policy-csp-cryptography.md#overrideminimumenabledtlsversionserver)
- [OverrideMinimumEnabledDTLSVersionClient](policy-csp-cryptography.md#overrideminimumenableddtlsversionclient)
- [OverrideMinimumEnabledDTLSVersionServer](policy-csp-cryptography.md#overrideminimumenableddtlsversionserver)
## DeclaredConfiguration CSP
- [Document](declaredconfiguration-csp.md#hostcompletedocumentsdociddocument)
@ -47,23 +39,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md#dodisallowcacheserverdownloadsonvpn)
- [DOVpnKeywords](policy-csp-deliveryoptimization.md#dovpnkeywords)
## DesktopAppInstaller
- [EnableWindowsPackageManagerCommandLineInterfaces](policy-csp-desktopappinstaller.md#enablewindowspackagemanagercommandlineinterfaces)
- [EnableWindowsPackageManagerConfiguration](policy-csp-desktopappinstaller.md#enablewindowspackagemanagerconfiguration)
## DeviceLock
- [MaximumPasswordAge](policy-csp-devicelock.md#maximumpasswordage)
- [ClearTextPassword](policy-csp-devicelock.md#cleartextpassword)
- [PasswordComplexity](policy-csp-devicelock.md#passwordcomplexity)
- [PasswordHistorySize](policy-csp-devicelock.md#passwordhistorysize)
- [AccountLockoutPolicy](policy-csp-devicelock.md#accountlockoutpolicy)
- [AllowAdministratorLockout](policy-csp-devicelock.md#allowadministratorlockout)
- [MinimumPasswordLength](policy-csp-devicelock.md#minimumpasswordlength)
- [MinimumPasswordLengthAudit](policy-csp-devicelock.md#minimumpasswordlengthaudit)
- [RelaxMinimumPasswordLengthLimits](policy-csp-devicelock.md#relaxminimumpasswordlengthlimits)
## DevicePreparation CSP
- [PageEnabled](devicepreparation-csp.md#pageenabled)
@ -84,12 +59,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [Cadence](dmclient-csp.md#deviceproviderprovideridconfigrefreshcadence)
- [PausePeriod](dmclient-csp.md#deviceproviderprovideridconfigrefreshpauseperiod)
## Experience
- [AllowScreenRecorder](policy-csp-experience.md#allowscreenrecorder)
- [EnableOrganizationalMessages](policy-csp-experience.md#enableorganizationalmessages)
- [DisableTextTranslation](policy-csp-experience.md#disabletexttranslation)
## FileSystem
- [EnableDevDrive](policy-csp-filesystem.md#enabledevdrive)
@ -99,13 +68,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [AttestErrorMessage](healthattestation-csp.md#attesterrormessage)
## HumanPresence
- [ForceDisableWakeWhenBatterySaverOn](policy-csp-humanpresence.md#forcedisablewakewhenbatterysaveron)
- [ForceAllowWakeWhenExternalDisplayConnected](policy-csp-humanpresence.md#forceallowwakewhenexternaldisplayconnected)
- [ForceAllowLockWhenExternalDisplayConnected](policy-csp-humanpresence.md#forceallowlockwhenexternaldisplayconnected)
- [ForceAllowDimWhenExternalDisplayConnected](policy-csp-humanpresence.md#forceallowdimwhenexternaldisplayconnected)
## InternetExplorer
- [AllowLegacyURLFields](policy-csp-internetexplorer.md#allowlegacyurlfields)
@ -121,50 +83,9 @@ This article lists the policies that are applicable for Windows Insider Preview
- [StartInstallation](language-pack-management-csp.md#installlanguage-idstartinstallation)
- [SystemPreferredUILanguages](language-pack-management-csp.md#languagesettingssystempreferreduilanguages)
## LAPS CSP
- [PassphraseLength](laps-csp.md#policiespassphraselength)
- [AutomaticAccountManagementEnabled](laps-csp.md#policiesautomaticaccountmanagementenabled)
- [AutomaticAccountManagementTarget](laps-csp.md#policiesautomaticaccountmanagementtarget)
- [AutomaticAccountManagementNameOrPrefix](laps-csp.md#policiesautomaticaccountmanagementnameorprefix)
- [AutomaticAccountManagementEnableAccount](laps-csp.md#policiesautomaticaccountmanagementenableaccount)
- [AutomaticAccountManagementRandomizeName](laps-csp.md#policiesautomaticaccountmanagementrandomizename)
## LocalPoliciesSecurityOptions
- [Audit_AuditTheUseOfBackupAndRestoreprivilege](policy-csp-localpoliciessecurityoptions.md#audit_audittheuseofbackupandrestoreprivilege)
- [Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings](policy-csp-localpoliciessecurityoptions.md#audit_forceauditpolicysubcategorysettingstooverrideauditpolicycategorysettings)
- [Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits](policy-csp-localpoliciessecurityoptions.md#audit_shutdownsystemimmediatelyifunabletologsecurityaudits)
- [Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md#devices_restrictfloppyaccesstolocallyloggedonuseronly)
- [DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](policy-csp-localpoliciessecurityoptions.md#domainmember_digitallyencryptorsignsecurechanneldataalways)
- [DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md#domainmember_digitallyencryptsecurechanneldatawhenpossible)
- [DomainMember_DigitallySignSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md#domainmember_digitallysignsecurechanneldatawhenpossible)
- [DomainMember_DisableMachineAccountPasswordChanges](policy-csp-localpoliciessecurityoptions.md#domainmember_disablemachineaccountpasswordchanges)
- [DomainMember_MaximumMachineAccountPasswordAge](policy-csp-localpoliciessecurityoptions.md#domainmember_maximummachineaccountpasswordage)
- [DomainMember_RequireStrongSessionKey](policy-csp-localpoliciessecurityoptions.md#domainmember_requirestrongsessionkey)
- [InteractiveLogon_MachineAccountLockoutThreshold](policy-csp-localpoliciessecurityoptions.md#interactivelogon_machineaccountlockoutthreshold)
- [InteractiveLogon_NumberOfPreviousLogonsToCache](policy-csp-localpoliciessecurityoptions.md#interactivelogon_numberofpreviouslogonstocache)
- [InteractiveLogon_PromptUserToChangePasswordBeforeExpiration](policy-csp-localpoliciessecurityoptions.md#interactivelogon_promptusertochangepasswordbeforeexpiration)
- [MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](policy-csp-localpoliciessecurityoptions.md#microsoftnetworkserver_amountofidletimerequiredbeforesuspendingsession)
- [MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire](policy-csp-localpoliciessecurityoptions.md#microsoftnetworkserver_disconnectclientswhenlogonhoursexpire)
- [MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel](policy-csp-localpoliciessecurityoptions.md#microsoftnetworkserver_serverspntargetnamevalidationlevel)
- [NetworkAccess_AllowAnonymousSIDOrNameTranslation](policy-csp-localpoliciessecurityoptions.md#networkaccess_allowanonymoussidornametranslation)
- [NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication](policy-csp-localpoliciessecurityoptions.md#networkaccess_donotallowstorageofpasswordsandcredentialsfornetworkauthentication)
- [NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers](policy-csp-localpoliciessecurityoptions.md#networkaccess_leteveryonepermissionsapplytoanonymoususers)
- [NetworkAccess_NamedPipesThatCanBeAccessedAnonymously](policy-csp-localpoliciessecurityoptions.md#networkaccess_namedpipesthatcanbeaccessedanonymously)
- [NetworkAccess_RemotelyAccessibleRegistryPaths](policy-csp-localpoliciessecurityoptions.md#networkaccess_remotelyaccessibleregistrypaths)
- [NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths](policy-csp-localpoliciessecurityoptions.md#networkaccess_remotelyaccessibleregistrypathsandsubpaths)
- [NetworkAccess_SharesThatCanBeAccessedAnonymously](policy-csp-localpoliciessecurityoptions.md#networkaccess_sharesthatcanbeaccessedanonymously)
- [NetworkAccess_SharingAndSecurityModelForLocalAccounts](policy-csp-localpoliciessecurityoptions.md#networkaccess_sharingandsecuritymodelforlocalaccounts)
- [NetworkSecurity_AllowLocalSystemNULLSessionFallback](policy-csp-localpoliciessecurityoptions.md#networksecurity_allowlocalsystemnullsessionfallback)
- [NetworkSecurity_ForceLogoffWhenLogonHoursExpire](policy-csp-localpoliciessecurityoptions.md#networksecurity_forcelogoffwhenlogonhoursexpire)
- [NetworkSecurity_LDAPClientSigningRequirements](policy-csp-localpoliciessecurityoptions.md#networksecurity_ldapclientsigningrequirements)
- [RecoveryConsole_AllowAutomaticAdministrativeLogon](policy-csp-localpoliciessecurityoptions.md#recoveryconsole_allowautomaticadministrativelogon)
- [RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders](policy-csp-localpoliciessecurityoptions.md#recoveryconsole_allowfloppycopyandaccesstoalldrivesandallfolders)
- [SystemCryptography_ForceStrongKeyProtection](policy-csp-localpoliciessecurityoptions.md#systemcryptography_forcestrongkeyprotection)
- [SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems](policy-csp-localpoliciessecurityoptions.md#systemobjects_requirecaseinsensitivityfornonwindowssubsystems)
- [SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects](policy-csp-localpoliciessecurityoptions.md#systemobjects_strengthendefaultpermissionsofinternalsystemobjects)
- [UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators](policy-csp-localpoliciessecurityoptions.md#useraccountcontrol_behavioroftheelevationpromptforenhancedadministrators)
- [UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection](policy-csp-localpoliciessecurityoptions.md#useraccountcontrol_behavioroftheelevationpromptforadministratorprotection)
- [UserAccountControl_TypeOfAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md#useraccountcontrol_typeofadminapprovalmode)
## MixedReality
@ -174,23 +95,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [ConfigureDeviceStandbyAction](policy-csp-mixedreality.md#configuredevicestandbyaction)
- [ConfigureDeviceStandbyActionTimeout](policy-csp-mixedreality.md#configuredevicestandbyactiontimeout)
## MSSecurityGuide
- [NetBTNodeTypeConfiguration](policy-csp-mssecurityguide.md#netbtnodetypeconfiguration)
## NetworkListManager
- [AllNetworks_NetworkIcon](policy-csp-networklistmanager.md#allnetworks_networkicon)
- [AllNetworks_NetworkLocation](policy-csp-networklistmanager.md#allnetworks_networklocation)
- [AllNetworks_NetworkName](policy-csp-networklistmanager.md#allnetworks_networkname)
- [IdentifyingNetworks_LocationType](policy-csp-networklistmanager.md#identifyingnetworks_locationtype)
- [UnidentifiedNetworks_LocationType](policy-csp-networklistmanager.md#unidentifiednetworks_locationtype)
- [UnidentifiedNetworks_UserPermissions](policy-csp-networklistmanager.md#unidentifiednetworks_userpermissions)
## Notifications
- [DisableAccountNotifications](policy-csp-notifications.md#disableaccountnotifications)
## PassportForWork CSP
- [EnableWindowsHelloProvisioningForSecurityKeys](passportforwork-csp.md#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys)
@ -202,77 +106,15 @@ This article lists the policies that are applicable for Windows Insider Preview
## RemoteDesktopServices
- [LimitServerToClientClipboardRedirection](policy-csp-remotedesktopservices.md#limitservertoclientclipboardredirection)
- [LimitClientToServerClipboardRedirection](policy-csp-remotedesktopservices.md#limitclienttoserverclipboardredirection)
- [DisconnectOnLockLegacyAuthn](policy-csp-remotedesktopservices.md#disconnectonlocklegacyauthn)
- [DisconnectOnLockMicrosoftIdentityAuthn](policy-csp-remotedesktopservices.md#disconnectonlockmicrosoftidentityauthn)
- [TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME](policy-csp-remotedesktopservices.md#ts_server_remoteapp_use_shellappruntime)
## Search
- [ConfigureSearchOnTaskbarMode](policy-csp-search.md#configuresearchontaskbarmode)
## SettingsSync
- [DisableAccessibilitySettingSync](policy-csp-settingssync.md#disableaccessibilitysettingsync)
- [DisableLanguageSettingSync](policy-csp-settingssync.md#disablelanguagesettingsync)
## Sudo
- [EnableSudo](policy-csp-sudo.md#enablesudo)
## SurfaceHub CSP
- [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled)
## System
- [HideUnsupportedHardwareNotifications](policy-csp-system.md#hideunsupportedhardwarenotifications)
## SystemServices
- [ConfigureComputerBrowserServiceStartupMode](policy-csp-systemservices.md#configurecomputerbrowserservicestartupmode)
- [ConfigureIISAdminServiceStartupMode](policy-csp-systemservices.md#configureiisadminservicestartupmode)
- [ConfigureInfraredMonitorServiceStartupMode](policy-csp-systemservices.md#configureinfraredmonitorservicestartupmode)
- [ConfigureInternetConnectionSharingServiceStartupMode](policy-csp-systemservices.md#configureinternetconnectionsharingservicestartupmode)
- [ConfigureLxssManagerServiceStartupMode](policy-csp-systemservices.md#configurelxssmanagerservicestartupmode)
- [ConfigureMicrosoftFTPServiceStartupMode](policy-csp-systemservices.md#configuremicrosoftftpservicestartupmode)
- [ConfigureRemoteProcedureCallLocatorServiceStartupMode](policy-csp-systemservices.md#configureremoteprocedurecalllocatorservicestartupmode)
- [ConfigureRoutingAndRemoteAccessServiceStartupMode](policy-csp-systemservices.md#configureroutingandremoteaccessservicestartupmode)
- [ConfigureSimpleTCPIPServicesStartupMode](policy-csp-systemservices.md#configuresimpletcpipservicesstartupmode)
- [ConfigureSpecialAdministrationConsoleHelperServiceStartupMode](policy-csp-systemservices.md#configurespecialadministrationconsolehelperservicestartupmode)
- [ConfigureSSDPDiscoveryServiceStartupMode](policy-csp-systemservices.md#configuressdpdiscoveryservicestartupmode)
- [ConfigureUPnPDeviceHostServiceStartupMode](policy-csp-systemservices.md#configureupnpdevicehostservicestartupmode)
- [ConfigureWebManagementServiceStartupMode](policy-csp-systemservices.md#configurewebmanagementservicestartupmode)
- [ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode](policy-csp-systemservices.md#configurewindowsmediaplayernetworksharingservicestartupmode)
- [ConfigureWindowsMobileHotspotServiceStartupMode](policy-csp-systemservices.md#configurewindowsmobilehotspotservicestartupmode)
- [ConfigureWorldWideWebPublishingServiceStartupMode](policy-csp-systemservices.md#configureworldwidewebpublishingservicestartupmode)
## Update
- [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md#allowtemporaryenterprisefeaturecontrol)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](policy-csp-update.md#configuredeadlinenoautorebootforfeatureupdates)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](policy-csp-update.md#configuredeadlinenoautorebootforqualityupdates)
- [AlwaysAutoRebootAtScheduledTimeMinutes](policy-csp-update.md#alwaysautorebootatscheduledtimeminutes)
## UserRights
- [BypassTraverseChecking](policy-csp-userrights.md#bypasstraversechecking)
- [ReplaceProcessLevelToken](policy-csp-userrights.md#replaceprocessleveltoken)
- [ChangeTimeZone](policy-csp-userrights.md#changetimezone)
- [ShutDownTheSystem](policy-csp-userrights.md#shutdownthesystem)
- [LogOnAsBatchJob](policy-csp-userrights.md#logonasbatchjob)
- [ProfileSystemPerformance](policy-csp-userrights.md#profilesystemperformance)
- [DenyLogOnAsBatchJob](policy-csp-userrights.md#denylogonasbatchjob)
- [LogOnAsService](policy-csp-userrights.md#logonasservice)
- [IncreaseProcessWorkingSet](policy-csp-userrights.md#increaseprocessworkingset)
- [DenyLogOnAsService](policy-csp-userrights.md#denylogonasservice)
- [AdjustMemoryQuotasForProcess](policy-csp-userrights.md#adjustmemoryquotasforprocess)
- [AllowLogOnThroughRemoteDesktop](policy-csp-userrights.md#allowlogonthroughremotedesktop)
## WebThreatDefense
- [AutomaticDataCollection](policy-csp-webthreatdefense.md#automaticdatacollection)
## Wifi
@ -281,7 +123,7 @@ This article lists the policies that are applicable for Windows Insider Preview
## WindowsAI
- [DisableAIDataAnalysis](policy-csp-windowsai.md#disableaidataanalysis)
- [SetCopilotHardwareKey](policy-csp-windowsai.md#setcopilothardwarekey)
- [DisableImageCreator](policy-csp-windowsai.md#disableimagecreator)
- [DisableCocreator](policy-csp-windowsai.md#disablecocreator)
@ -294,11 +136,6 @@ This article lists the policies that are applicable for Windows Insider Preview
- [DisableSubscription](windowslicensing-csp.md#subscriptionsdisablesubscription)
- [RemoveSubscription](windowslicensing-csp.md#subscriptionsremovesubscription)
## WindowsSandbox
- [AllowMappedFolders](policy-csp-windowssandbox.md#allowmappedfolders)
- [AllowWriteToMappedFolders](policy-csp-windowssandbox.md#allowwritetomappedfolders)
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)


@ -1,7 +1,7 @@
---
title: Policy CSP
description: Learn more about the Policy CSP.
ms.date: 08/07/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -1152,6 +1152,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
- [Settings](policy-csp-settings.md)
- [SettingsSync](policy-csp-settingssync.md)
- [SmartScreen](policy-csp-smartscreen.md)
- [SpeakForMe](policy-csp-speakforme.md)
- [Speech](policy-csp-speech.md)
- [Start](policy-csp-start.md)
- [Stickers](policy-csp-stickers.md)


@ -1,7 +1,7 @@
---
title: ADMX_AppxPackageManager Policy CSP
description: Learn more about the ADMX_AppxPackageManager Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -32,7 +32,7 @@ ms.date: 08/06/2024
<!-- AllowDeploymentInSpecialProfiles-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off:
This policy setting allows you to manage the deployment of packaged Microsoft Store apps when the user is signed in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off:
Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies.
@ -42,9 +42,9 @@ Temporary user profiles, which are created when an error prevents the correct pr
User profiles for the Guest account and members of the Guests group.
- If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of Windows Store apps when using a special profile.
- If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of packaged Microsoft Store apps when using a special profile.
- If you disable or don't configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile.
- If you disable or don't configure this policy setting, Group Policy blocks deployment operations of packaged Microsoft Store apps when using a special profile.
<!-- AllowDeploymentInSpecialProfiles-Description-End -->
<!-- AllowDeploymentInSpecialProfiles-Editable-Begin -->


@ -1,7 +1,7 @@
---
title: ADMX_AppXRuntime Policy CSP
description: Learn more about the ADMX_AppXRuntime Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -32,11 +32,11 @@ ms.date: 08/06/2024
<!-- AppxRuntimeApplicationContentUriRules-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer.
This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all packaged Microsoft Store apps that use the enterpriseAuthentication capability on a computer.
- If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use.
- If you enable this policy setting, you can define additional Content URI Rules that all packaged Microsoft Store apps that use the enterpriseAuthentication capability on a computer can use.
- If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules.
- If you disable or don't set this policy setting, packaged Microsoft Store apps will only use the static Content URI Rules.
<!-- AppxRuntimeApplicationContentUriRules-Description-End -->
<!-- AppxRuntimeApplicationContentUriRules-Editable-Begin -->
@ -60,7 +60,7 @@ This policy setting lets you turn on Content URI Rules to supplement the static
| Name | Value |
|:--|:--|
| Name | AppxRuntimeApplicationContentUriRules |
| Friendly Name | Turn on dynamic Content URI Rules for Windows store apps |
| Friendly Name | Turn on dynamic Content URI Rules for packaged Microsoft Store apps |
| Location | Computer Configuration |
| Path | Windows Components > App runtime |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Packages\Applications |
@ -95,11 +95,11 @@ This policy setting lets you turn on Content URI Rules to supplement the static
<!-- AppxRuntimeBlockFileElevation-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type.
This policy setting lets you control whether packaged Microsoft Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than packaged Microsoft Store apps, there is a risk that a packaged Microsoft Store app might compromise the system by opening a file in the default desktop app for a file type.
- If you enable this policy setting, Windows Store apps can't open files in the default desktop app for a file type; they can open files only in other Windows Store apps.
- If you enable this policy setting, packaged Microsoft Store apps can't open files in the default desktop app for a file type; they can open files only in other packaged Microsoft Store apps.
- If you disable or don't configure this policy setting, Windows Store apps can open files in the default desktop app for a file type.
- If you disable or don't configure this policy setting, packaged Microsoft Store apps can open files in the default desktop app for a file type.
<!-- AppxRuntimeBlockFileElevation-Description-End -->
<!-- AppxRuntimeBlockFileElevation-Editable-Begin -->
@ -219,14 +219,14 @@ This policy shouldn't be enabled unless recommended by Microsoft as a security r
<!-- AppxRuntimeBlockProtocolElevation-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app.
This policy setting lets you control whether packaged Microsoft Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than packaged Microsoft Store apps, there is a risk that a URI scheme launched by a packaged Microsoft Store app might compromise the system by launching a desktop app.
- If you enable this policy setting, Windows Store apps can't open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps.
- If you enable this policy setting, packaged Microsoft Store apps can't open URIs in the default desktop app for a URI scheme; they can open URIs only in other packaged Microsoft Store apps.
- If you disable or don't configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme.
- If you disable or don't configure this policy setting, packaged Microsoft Store apps can open URIs in the default desktop app for a URI scheme.
> [!NOTE]
> Enabling this policy setting doesn't block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk.
> Enabling this policy setting doesn't block packaged Microsoft Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk.
<!-- AppxRuntimeBlockProtocolElevation-Description-End -->
<!-- AppxRuntimeBlockProtocolElevation-Editable-Begin -->


@ -1,7 +1,7 @@
---
title: ADMX_ControlPanelDisplay Policy CSP
description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -1351,7 +1351,7 @@ Specifies which theme file is applied to the computer the first time a user logs
|:--|:--|
| Name | CPL_Personalization_SetTheme |
| Friendly Name | Load a specific theme |
| Location | User Configuration |
| Location | Computer and User Configuration |
| Path | Control Panel > Personalization |
| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization |
| ADMX File Name | ControlPanelDisplay.admx |


@ -1,7 +1,7 @@
---
title: ADMX_DeviceGuard Policy CSP
description: Learn more about the ADMX_DeviceGuard Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -14,7 +14,7 @@ ms.date: 08/06/2024
<!-- ADMX_DeviceGuard-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!WARNING]
> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
> Group Policy-based deployment of App Control for Business policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
<!-- ADMX_DeviceGuard-Editable-End -->
<!-- ConfigCIPolicy-Begin -->
@ -34,7 +34,7 @@ ms.date: 08/06/2024
<!-- ConfigCIPolicy-Description-Begin -->
<!-- Description-Source-ADMX -->
Deploy Windows Defender Application Control.
Deploy App Control for Business.
This policy setting lets you deploy a Code Integrity Policy to a machine to control what's allowed to run on that machine.
@ -69,7 +69,7 @@ If using a signed and protected policy then disabling this policy setting doesn'
| Name | Value |
|:--|:--|
| Name | ConfigCIPolicy |
| Friendly Name | Deploy Windows Defender Application Control |
| Friendly Name | Deploy App Control for Business |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |


@ -1,7 +1,7 @@
---
title: ADMX_DnsClient Policy CSP
description: Learn more about the ADMX_DnsClient Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -91,7 +91,7 @@ Specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualifie
<!-- DNS_AppendToMultiLabelName-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails.
Specifies that the DNS client may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails.
A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com" is an example of a fully qualified name because it contains a terminating dot.
@ -103,7 +103,7 @@ If attaching suffixes is allowed, and a DNS client with a primary domain suffix
- If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails.
- If you don't configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names.
- If you don't configure this policy setting, the DNS client will use its local settings to determine the query behavior for unqualified multi-label names.
<!-- DNS_AppendToMultiLabelName-Description-End -->
<!-- DNS_AppendToMultiLabelName-Editable-Begin -->
@ -162,9 +162,9 @@ Specifies a connection-specific DNS suffix. This policy setting supersedes local
To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix.
- If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting.
- If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by the DNS client.
- If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the local or DHCP supplied connection specific DNS suffix, if configured.
<!-- DNS_Domain-Description-End -->
<!-- DNS_Domain-Editable-Begin -->
@ -234,7 +234,7 @@ Each connection-specific DNS suffix, assigned either through DHCP or specified i
For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the DNS client (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it's under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it's under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two.
@ -295,11 +295,11 @@ For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the
<!-- DNS_IdnEncoding-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured.
Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the DNS client is on non-domain networks with no WINS servers configured.
- If this policy setting is enabled, IDNs aren't converted to Punycode.
- If this policy setting is disabled, or if this policy setting isn't configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.
- If this policy setting is disabled, or if this policy setting isn't configured, IDNs are converted to Punycode when the DNS client is on non-domain networks with no WINS servers configured.
<!-- DNS_IdnEncoding-Description-End -->
<!-- DNS_IdnEncoding-Editable-Begin -->
@ -413,13 +413,13 @@ Specifies whether the DNS client should convert internationalized domain names (
<!-- DNS_NameServer-Description-Begin -->
<!-- Description-Source-ADMX -->
Defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP.
Defines the DNS servers to which the DNS client sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP.
To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address.
- If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting.
- If you enable this policy setting, the list of DNS servers is applied to all network connections used by the DNS client.
- If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the local or DHCP supplied list of DNS servers, if configured.
<!-- DNS_NameServer-Description-End -->
<!-- DNS_NameServer-Editable-Begin -->
@ -535,18 +535,18 @@ Specifies that responses from link local name resolution protocols received over
<!-- DNS_PrimaryDnsSuffix-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution.
Specifies the primary DNS suffix used by the DNS client in DNS name registration and DNS name resolution.
To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com.
> [!IMPORTANT]
> In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows.
> In order for changes to this policy setting to be applied on the DNS client, you must restart Windows.
- If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel.
You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix.
- If you disable this policy setting, or if you don't configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it's joined.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client uses the local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it's joined.
<!-- DNS_PrimaryDnsSuffix-Description-End -->
<!-- DNS_PrimaryDnsSuffix-Editable-Begin -->
@ -600,18 +600,18 @@ You can use this policy setting to prevent users, including local administrators
<!-- DNS_RegisterAdapterName-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
Specifies if the DNS client performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com.
- If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting.
- If you enable this policy setting, the DNS client will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by the DNS client.
For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer. VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, the DNS client will register A and PTR resource records for mycomputer. VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
> [!IMPORTANT]
> This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled.
> This policy setting is ignored by the DNS client if dynamic DNS registration is disabled.
- If you disable this policy setting, or if you don't configure this policy setting, a DNS client computer won't register any A and PTR resource records using a connection-specific DNS suffix.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client won't register any A and PTR resource records using a connection-specific DNS suffix.
<!-- DNS_RegisterAdapterName-Description-End -->
<!-- DNS_RegisterAdapterName-Editable-Begin -->
@ -666,7 +666,7 @@ For example, with a computer name of mycomputer, a primary DNS suffix of microso
<!-- DNS_RegisterReverseLookup-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies if DNS client computers will register PTR resource records.
Specifies if the DNS client will register PTR resource records.
By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record.
@ -674,13 +674,13 @@ By default, DNS clients configured to perform dynamic DNS registration will atte
To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:
Don't register: Computers won't attempt to register PTR resource records.
Don't register: the DNS client won't attempt to register PTR resource records.
Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records wasn't successful.
Register: the DNS client will attempt to register PTR resource records even if registration of the corresponding A records wasn't successful.
Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful.
Register only if A record registration succeeds: the DNS client will attempt to register PTR resource records only if registration of the corresponding A records was successful.
- If you disable this policy setting, or if you don't configure this policy setting, computers will use locally configured settings.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use locally configured settings.
<!-- DNS_RegisterReverseLookup-Description-End -->
<!-- DNS_RegisterReverseLookup-Editable-Begin -->
@ -734,11 +734,11 @@ Register only if A record registration succeeds: Computers will attempt to regis
<!-- DNS_RegistrationEnabled-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.
Specifies if DNS dynamic update is enabled. DNS clients configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.
- If you enable this policy setting, or you don't configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting mustn't be disabled.
- If you enable this policy setting, or you don't configure this policy setting, the DNS client will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting mustn't be disabled.
- If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.
- If you disable this policy setting, the DNS client may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.
<!-- DNS_RegistrationEnabled-Description-End -->
<!-- DNS_RegistrationEnabled-Editable-Begin -->
@ -795,7 +795,7 @@ Specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic
<!-- Description-Source-ADMX -->
Specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses.
This policy setting is designed for computers that register address (A) resource records in DNS zones that don't use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and doesn't allow a DNS client to overwrite records that are registered by other computers.
This policy setting is designed for DNS clients that register address (A) resource records in DNS zones that don't use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and doesn't allow a DNS client to overwrite records that are registered by other DNS clients.
During dynamic update of resource records in a zone that doesn't use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address.
@ -856,18 +856,18 @@ During dynamic update of resource records in a zone that doesn't use Secure Dyna
<!-- DNS_RegistrationRefreshInterval-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates.
Specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies DNS clients performing dynamic DNS updates.
Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record hasn't changed. This reregistration is required to indicate to DNS servers that records are current and shouldn't be automatically removed (scavenged) when a DNS server is configured to delete stale records.
DNS clients configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record hasn't changed. This reregistration is required to indicate to DNS servers that records are current and shouldn't be automatically removed (scavenged) when a DNS server is configured to delete stale records.
> [!WARNING]
> If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records.
To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes.
- If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting.
- If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by DNS clients that receive this policy setting.
- If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the local or DHCP supplied setting. By default, DNS clients configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
<!-- DNS_RegistrationRefreshInterval-Description-End -->
<!-- DNS_RegistrationRefreshInterval-Editable-Begin -->
@ -921,13 +921,13 @@ To specify the registration refresh interval, click Enabled and then enter a val
<!-- DNS_RegistrationTtl-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied.
Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by the DNS client to which this policy setting is applied.
To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes).
- If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting.
- If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by the DNS client.
- If you disable this policy setting, or if you don't configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).
<!-- DNS_RegistrationTtl-Description-End -->
<!-- DNS_RegistrationTtl-Editable-Begin -->
@ -985,7 +985,7 @@ Specifies the DNS suffixes to attach to an unqualified single-label name before
An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com".
Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com".
DNS clients that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com".
To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes.
@ -1170,15 +1170,15 @@ Specifies the security level for dynamic DNS updates.
To use this policy setting, click Enabled and then select one of the following values:
Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updates are refused.
Unsecure followed by secure - the DNS client sends secure dynamic updates only when nonsecure dynamic updates are refused.
Only unsecure - computers send only nonsecure dynamic updates.
Only unsecure - the DNS client sends only nonsecure dynamic updates.
Only secure - computers send only secure dynamic updates.
Only secure - The DNS client sends only secure dynamic updates.
- If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.
- If you enable this policy setting, DNS clients that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.
- If you disable this policy setting, or if you don't configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
- If you disable this policy setting, or if you don't configure this policy setting, DNS clients will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
<!-- DNS_UpdateSecurityLevel-Description-End -->
<!-- DNS_UpdateSecurityLevel-Editable-Begin -->
@ -1232,13 +1232,13 @@ Only secure - computers send only secure dynamic updates.
<!-- DNS_UpdateTopLevelDomainZones-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com".
Specifies if the DNS client may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com".
By default, a DNS client that's configured to perform dynamic DNS update will update the DNS zone that's authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone.
- If you enable this policy setting, computers send dynamic updates to any zone that's authoritative for the resource records that the computer needs to update, except the root zone.
- If you enable this policy setting, the DNS client sends dynamic updates to any zone that's authoritative for the resource records that the DNS client needs to update, except the root zone.
- If you disable this policy setting, or if you don't configure this policy setting, computers don't send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update.
- If you disable this policy setting, or if you don't configure this policy setting, the DNS client doesn't send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the DNS client needs to update.
<!-- DNS_UpdateTopLevelDomainZones-Description-End -->
<!-- DNS_UpdateTopLevelDomainZones-Editable-Begin -->
@ -1309,7 +1309,7 @@ Each connection-specific DNS suffix, assigned either through DHCP or specified i
For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the DNS client (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it's under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it's under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two.
@ -1370,11 +1370,11 @@ For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the
<!-- Turn_Off_Multicast-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies that link local multicast name resolution (LLMNR) is disabled on client computers.
Specifies that link local multicast name resolution (LLMNR) is disabled on the DNS client.
LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR doesn't require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution isn't possible.
LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a DNS client to another DNS client on the same subnet that also has LLMNR enabled. LLMNR doesn't require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution isn't possible.
- If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.
- If you enable this policy setting, LLMNR will be disabled on all available network adapters on the DNS client.
- If you disable this policy setting, or you don't configure this policy setting, LLMNR will be enabled on all available network adapters.
<!-- Turn_Off_Multicast-Description-End -->


@ -1,7 +1,7 @@
---
title: ADMX_FileSys Policy CSP
description: Learn more about the ADMX_FileSys Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -260,7 +260,7 @@ Encrypting the page file prevents malicious users from reading data that has bee
<!-- LongPathsEnabled-Description-Begin -->
<!-- Description-Source-ADMX -->
Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit. Enabling this setting will cause the long paths to be accessible within the process.
Enabling Win32 long paths will allow manifested win32 applications and packaged Microsoft Store applications to access paths beyond the normal 260 character limit. Enabling this setting will cause the long paths to be accessible within the process.
<!-- LongPathsEnabled-Description-End -->
<!-- LongPathsEnabled-Editable-Begin -->


@ -1,7 +1,7 @@
---
title: ADMX_MicrosoftDefenderAntivirus Policy CSP
description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -1523,11 +1523,13 @@ This policy setting defines the number of days items should be kept in the Quara
<!-- RandomizeScheduleTaskTimes-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure the scheduled scan, and the scheduled security intelligence update, start time window in hours.
This policy setting allows you to configure the randomization of the scheduled scan start time and the scheduled definition update start time.
- If you disable or don't configure this setting, scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler.
- If you enable or don't configure this policy setting, and didn't set a randomization window in the Configure scheduled task time randomization window setting , then randomization will be added between 0-4 hours.
- If you enable this setting, you can widen, or narrow, this randomization period. Specify a randomization window of between 1 and 23 hours.
- If you enable or don't configure this policy setting, and set a randomization window in the Configure scheduled task time randomization window setting, the configured randomization window will be used.
- If you disable this policy setting, but configured the scheduled task time randomization window, randomization won't be done.
<!-- RandomizeScheduleTaskTimes-Description-End -->
<!-- RandomizeScheduleTaskTimes-Editable-Begin -->
@ -3528,11 +3530,11 @@ This policy setting allows you to configure scanning mapped network drives.
<!-- Scan_DisableScanningNetworkFiles-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure scanning for network files. It's recommended that you don't enable this setting.
This policy setting allows the scanning of network files using on access protection. The default is enabled. Recommended to remain enabled in most cases.
- If you enable this setting, network files will be scanned.
- If you enable or don't configure this setting, network files will be scanned.
- If you disable or don't configure this setting, network files won't be scanned.
- If you disable this setting, network files won't be scanned.
<!-- Scan_DisableScanningNetworkFiles-Description-End -->
<!-- Scan_DisableScanningNetworkFiles-Editable-Begin -->
@ -3556,7 +3558,7 @@ This policy setting allows you to configure scanning for network files. It's rec
| Name | Value |
|:--|:--|
| Name | Scan_DisableScanningNetworkFiles |
| Friendly Name | Scan network files |
| Friendly Name | Configure scanning of network files |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
@ -5436,12 +5438,7 @@ Valid remediation action values are:
<!-- UX_Configuration_CustomDefaultActionToastString-OmaUri-End -->
<!-- UX_Configuration_CustomDefaultActionToastString-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display.
- If you enable this setting, the additional text specified will be displayed.
- If you disable or don't configure this setting, there will be no additional text displayed.
<!-- Description-Source-Not-Found -->
<!-- UX_Configuration_CustomDefaultActionToastString-Description-End -->
<!-- UX_Configuration_CustomDefaultActionToastString-Editable-Begin -->
@ -5458,6 +5455,7 @@ This policy setting allows you to configure whether or not to display additional
<!-- UX_Configuration_CustomDefaultActionToastString-DFProperties-End -->
<!-- UX_Configuration_CustomDefaultActionToastString-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -5465,10 +5463,6 @@ This policy setting allows you to configure whether or not to display additional
| Name | Value |
|:--|:--|
| Name | UX_Configuration_CustomDefaultActionToastString |
| Friendly Name | Display additional text to clients when they need to perform an action |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Client Interface |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\UX Configuration |
| ADMX File Name | WindowsDefender.admx |
<!-- UX_Configuration_CustomDefaultActionToastString-AdmxBacked-End -->


@ -1,7 +1,7 @@
---
title: ADMX_Netlogon Policy CSP
description: Learn more about the ADMX_Netlogon Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -420,6 +420,8 @@ Note that this policy setting doesn't affect NetBIOS-based discovery for DC loca
- If you enable or don't configure this policy setting, the DC location algorithm doesn't use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This is the default behavior.
- If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails.
This setting has no effect unless the BlockNetbiosDiscovery setting is disabled. NetBIOS-based discovery is considered unsecure, has many limitations, and will be deprecated in a future release. For these reasons, NetBIOS-based discovery isn't recommended. See <https://aka.ms/dclocatornetbiosdeprecation> for more information.
<!-- Netlogon_AvoidFallbackNetbiosDiscovery-Description-End -->
<!-- Netlogon_AvoidFallbackNetbiosDiscovery-Editable-Begin -->


@ -1,7 +1,7 @@
---
title: ADMX_Printing Policy CSP
description: Learn more about the ADMX_Printing Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -749,7 +749,7 @@ This preference allows you to change default printer management.
<!-- MXDWUseLegacyOutputFormatMSXPS-Description-Begin -->
<!-- Description-Source-ADMX -->
Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2022.
Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2025.
- If you enable this group policy setting, the default MXDW output format is the legacy Microsoft XPS (*.xps).


@ -1,7 +1,7 @@
---
title: ADMX_StartMenu Policy CSP
description: Learn more about the ADMX_StartMenu Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -997,7 +997,7 @@ This policy setting allows you to prevent users from changing their Start screen
|:--|:--|
| Name | NoChangeStartMenu |
| Friendly Name | Prevent users from customizing their Start Screen |
| Location | User Configuration |
| Location | Computer and User Configuration |
| Path | Start Menu and Taskbar |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
| Registry Value Name | NoChangeStartMenu |


@ -1,7 +1,7 @@
---
title: ADMX_Taskbar Policy CSP
description: Learn more about the ADMX_Taskbar Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -69,7 +69,7 @@ A reboot is required for this policy setting to take effect.
|:--|:--|
| Name | DisableNotificationCenter |
| Friendly Name | Remove Notifications and Action Center |
| Location | User Configuration |
| Location | Computer and User Configuration |
| Path | Start Menu and Taskbar |
| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
| Registry Value Name | DisableNotificationCenter |
@ -748,11 +748,11 @@ This policy setting allows you to turn off automatic promotion of notification i
<!-- ShowWindowsStoreAppsOnTaskbar-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows users to see Windows Store apps on the taskbar.
This policy setting allows users to see packaged Microsoft Store apps on the taskbar.
- If you enable this policy setting, users will see Windows Store apps on the taskbar.
- If you enable this policy setting, users will see packaged Microsoft Store apps on the taskbar.
- If you disable this policy setting, users won't see Windows Store apps on the taskbar.
- If you disable this policy setting, users won't see packaged Microsoft Store apps on the taskbar.
- If you don't configure this policy setting, the default setting for the user's device will be used, and the user can choose to change it.
<!-- ShowWindowsStoreAppsOnTaskbar-Description-End -->
@ -778,7 +778,7 @@ This policy setting allows users to see Windows Store apps on the taskbar.
| Name | Value |
|:--|:--|
| Name | ShowWindowsStoreAppsOnTaskbar |
| Friendly Name | Show Windows Store apps on the taskbar |
| Friendly Name | Show packaged Microsoft Store apps on the taskbar |
| Location | User Configuration |
| Path | Start Menu and Taskbar |
| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |


@ -1,7 +1,7 @@
---
title: ADMX_TerminalServer Policy CSP
description: Learn more about the ADMX_TerminalServer Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -3585,7 +3585,7 @@ This policy setting allows you to specify which protocols can be used for Remote
- If you enable this policy setting, you must specify if you would like RDP to use UDP.
You can select one of the following options: "Use both UDP and TCP", "Use only TCP" or "Use either UDP or TCP (default)".
You can select one of the following options: "Use either UDP or TCP (default)" or "Use only TCP".
If you select "Use either UDP or TCP" and the UDP connection is successful, most of the RDP traffic will use UDP.


@ -1,7 +1,7 @@
---
title: ADMX_Thumbnails Policy CSP
description: Learn more about the ADMX_Thumbnails Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -95,11 +95,14 @@ File Explorer displays thumbnail images by default.
<!-- Description-Source-ADMX -->
This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders.
File Explorer displays thumbnail images on network folders by default.
File Explorer displays only icons and never displays thumbnail images on network folders by default.
- If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images on network folders.
- If you disable this policy setting, File Explorer displays thumbnail images on network folders.
- If you disable or don't configure this policy setting, File Explorer displays only thumbnail images on network folders.
- If you enable or don't configure this policy setting, File Explorer displays only icons and never displays thumbnail images on network folders.
> [!NOTE]
> Allowing the use of thumbnail images from network folders can expose the users' computers to security risks.
<!-- DisableThumbnailsOnNetworkFolders-Description-End -->
<!-- DisableThumbnailsOnNetworkFolders-Editable-Begin -->


@ -1,7 +1,7 @@
---
title: ADMX_WindowsExplorer Policy CSP
description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -472,7 +472,15 @@ You can specify a known folder using its known folder id or using its canonical
<!-- DisableMotWOnInsecurePathCopy-OmaUri-End -->
<!-- DisableMotWOnInsecurePathCopy-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting determines the application of the Mark of the Web tag to files sourced from insecure locations.
- If you enable this policy setting, files copied from unsecure sources won't be tagged with the Mark of the Web.
- If you disable or don't configure this policy setting, files copied from unsecure sources will be tagged with the appropriate Mark of the Web.
> [!NOTE]
> Failure to tag files from unsecure sources with the Mark of the Web can expose users' computers to security risks.
<!-- DisableMotWOnInsecurePathCopy-Description-End -->
<!-- DisableMotWOnInsecurePathCopy-Editable-Begin -->
@ -489,7 +497,6 @@ You can specify a known folder using its known folder id or using its canonical
<!-- DisableMotWOnInsecurePathCopy-DFProperties-End -->
<!-- DisableMotWOnInsecurePathCopy-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -497,6 +504,11 @@ You can specify a known folder using its known folder id or using its canonical
| Name | Value |
|:--|:--|
| Name | DisableMotWOnInsecurePathCopy |
| Friendly Name | Do not apply the Mark of the Web tag to files copied from insecure sources |
| Location | Computer Configuration |
| Path | WindowsComponents > File Explorer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
| Registry Value Name | DisableMotWOnInsecurePathCopy |
| ADMX File Name | WindowsExplorer.admx |
<!-- DisableMotWOnInsecurePathCopy-AdmxBacked-End -->


@ -1,7 +1,7 @@
---
title: ADMX_WPN Policy CSP
description: Learn more about the ADMX_WPN Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -254,7 +254,7 @@ No reboots or service restarts are required for this policy setting to take effe
|:--|:--|
| Name | NoToastNotification |
| Friendly Name | Turn off toast notifications |
| Location | User Configuration |
| Location | Computer and User Configuration |
| Path | Start Menu and Taskbar > Notifications |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications |
| Registry Value Name | NoToastApplicationNotification |


@ -1,7 +1,7 @@
---
title: AppDeviceInventory Policy CSP
description: Learn more about the AppDeviceInventory Area in Policy CSP.
ms.date: 08/07/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -33,7 +33,12 @@ ms.date: 08/07/2024
<!-- TurnOffAPISamping-OmaUri-End -->
<!-- TurnOffAPISamping-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy controls the state of API Sampling. API Sampling monitors the sampled collection of application programming interfaces used during system runtime to help diagnose compatibility problems.
- If you enable this policy, API Sampling won't be run.
- If you disable or don't configure this policy, API Sampling will be turned on.
<!-- TurnOffAPISamping-Description-End -->
<!-- TurnOffAPISamping-Editable-Begin -->
@ -50,7 +55,6 @@ ms.date: 08/07/2024
<!-- TurnOffAPISamping-DFProperties-End -->
<!-- TurnOffAPISamping-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -58,6 +62,11 @@ ms.date: 08/07/2024
| Name | Value |
|:--|:--|
| Name | TurnOffAPISamping |
| Friendly Name | Turn off API Sampling |
| Location | Computer Configuration |
| Path | Windows Components > App and Device Inventory |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
| Registry Value Name | DisableAPISamping |
| ADMX File Name | AppDeviceInventory.admx |
<!-- TurnOffAPISamping-AdmxBacked-End -->
@ -83,7 +92,12 @@ ms.date: 08/07/2024
<!-- TurnOffApplicationFootprint-OmaUri-End -->
<!-- TurnOffApplicationFootprint-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy controls the state of Application Footprint. Application Footprint monitors the sampled collection of registry and file usage to help diagnose compatibility problems.
- If you enable this policy, Application Footprint won't be run.
- If you disable or don't configure this policy, Application Footprint will be turned on.
<!-- TurnOffApplicationFootprint-Description-End -->
<!-- TurnOffApplicationFootprint-Editable-Begin -->
@ -100,7 +114,6 @@ ms.date: 08/07/2024
<!-- TurnOffApplicationFootprint-DFProperties-End -->
<!-- TurnOffApplicationFootprint-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -108,6 +121,11 @@ ms.date: 08/07/2024
| Name | Value |
|:--|:--|
| Name | TurnOffApplicationFootprint |
| Friendly Name | Turn off Application Footprint |
| Location | Computer Configuration |
| Path | Windows Components > App and Device Inventory |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
| Registry Value Name | DisableApplicationFootprint |
| ADMX File Name | AppDeviceInventory.admx |
<!-- TurnOffApplicationFootprint-AdmxBacked-End -->
@ -133,7 +151,12 @@ ms.date: 08/07/2024
<!-- TurnOffInstallTracing-OmaUri-End -->
<!-- TurnOffInstallTracing-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy controls the state of Install Tracing. Install Tracing is a mechanism that tracks application installs to help diagnose compatibility problems.
- If you enable this policy, Install Tracing won't be run.
- If you disable or don't configure this policy, Install Tracing will be turned on.
<!-- TurnOffInstallTracing-Description-End -->
<!-- TurnOffInstallTracing-Editable-Begin -->
@ -150,7 +173,6 @@ ms.date: 08/07/2024
<!-- TurnOffInstallTracing-DFProperties-End -->
<!-- TurnOffInstallTracing-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -158,6 +180,11 @@ ms.date: 08/07/2024
| Name | Value |
|:--|:--|
| Name | TurnOffInstallTracing |
| Friendly Name | Turn off Install Tracing |
| Location | Computer Configuration |
| Path | Windows Components > App and Device Inventory |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
| Registry Value Name | DisableInstallTracing |
| ADMX File Name | AppDeviceInventory.admx |
<!-- TurnOffInstallTracing-AdmxBacked-End -->
@ -167,6 +194,65 @@ ms.date: 08/07/2024
<!-- TurnOffInstallTracing-End -->
<!-- TurnOffWin32AppBackup-Begin -->
## TurnOffWin32AppBackup
<!-- TurnOffWin32AppBackup-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- TurnOffWin32AppBackup-Applicability-End -->
<!-- TurnOffWin32AppBackup-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/AppDeviceInventory/TurnOffWin32AppBackup
```
<!-- TurnOffWin32AppBackup-OmaUri-End -->
<!-- TurnOffWin32AppBackup-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls the state of the compatibility scan for backed up applications. The compatibility scan for backed up applications evaluates for compatibility problems in installed applications.
- If you enable this policy, the compatibility scan for backed up applications won't be run.
- If you disable or don't configure this policy, the compatibility scan for backed up applications will be run.
<!-- TurnOffWin32AppBackup-Description-End -->
<!-- TurnOffWin32AppBackup-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- TurnOffWin32AppBackup-Editable-End -->
<!-- TurnOffWin32AppBackup-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- TurnOffWin32AppBackup-DFProperties-End -->
<!-- TurnOffWin32AppBackup-AdmxBacked-Begin -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | TurnOffWin32AppBackup |
| Friendly Name | Turn off compatibility scan for backed up applications |
| Location | Computer Configuration |
| Path | Windows Components > App and Device Inventory |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
| Registry Value Name | DisableWin32AppBackup |
| ADMX File Name | AppDeviceInventory.admx |
<!-- TurnOffWin32AppBackup-AdmxBacked-End -->
<!-- TurnOffWin32AppBackup-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- TurnOffWin32AppBackup-Examples-End -->
<!-- TurnOffWin32AppBackup-End -->
<!-- AppDeviceInventory-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- AppDeviceInventory-CspMoreInfo-End -->


@ -1,7 +1,7 @@
---
title: ApplicationDefaults Policy CSP
description: Learn more about the ApplicationDefaults Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/11/2024
---
<!-- Auto-Generated CSP Document -->
@ -31,13 +31,12 @@ ms.date: 01/18/2024
<!-- DefaultAssociationsConfiguration-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml). The file can be further edited by adding attributes to control how often associations are applied by the policy. The file then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Microsoft Entra joined, the associations assigned in SyncML will be processed and default associations will be applied.
> [!NOTE]
> For this policy, MDM policy take precedence over group policies even when [MDMWinsOverGP](policy-csp-controlpolicyconflict.md#mdmwinsovergp) policy is not set.
<!-- DefaultAssociationsConfiguration-Description-End -->
<!-- DefaultAssociationsConfiguration-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> For this policy, MDM policy take precedence over group policies even when [MDMWinsOverGP](policy-csp-controlpolicyconflict.md#mdmwinsovergp) policy is not set.
<!-- DefaultAssociationsConfiguration-Editable-End -->
<!-- DefaultAssociationsConfiguration-DFProperties-Begin -->


@ -1,7 +1,7 @@
---
title: ApplicationManagement Policy CSP
description: Learn more about the ApplicationManagement Area in Policy CSP.
ms.date: 04/10/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -30,11 +30,11 @@ ms.date: 04/10/2024
<!-- AllowAllTrustedApps-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps.
This policy setting allows you to manage the installation of trusted line-of-business (LOB) or developer-signed packaged Microsoft Store apps.
- If you enable this policy setting, you can install any LOB or developer-signed Windows Store app (which must be signed with a certificate chain that can be successfully validated by the local computer).
- If you enable this policy setting, you can install any LOB or developer-signed packaged Microsoft Store app (which must be signed with a certificate chain that can be successfully validated by the local computer).
- If you disable or don't configure this policy setting, you can't install LOB or developer-signed Windows Store apps.
- If you disable or don't configure this policy setting, you can't install LOB or developer-signed packaged Microsoft Store apps.
<!-- AllowAllTrustedApps-Description-End -->
<!-- AllowAllTrustedApps-Editable-Begin -->
@ -269,7 +269,7 @@ Allows or denies development of Microsoft Store applications and installing them
| Name | Value |
|:--|:--|
| Name | AllowDevelopmentWithoutDevLicense |
| Friendly Name | Allows development of Windows Store apps and installing them from an integrated development environment (IDE) |
| Friendly Name | Allows development of packaged Microsoft Store apps and installing them from an integrated development environment (IDE) |
| Location | Computer Configuration |
| Path | Windows Components > App Package Deployment |
| Registry Key Name | Software\Policies\Microsoft\Windows\Appx |


@ -1,7 +1,7 @@
---
title: AppRuntime Policy CSP
description: Learn more about the AppRuntime Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -32,9 +32,9 @@ ms.date: 01/18/2024
<!-- AllowMicrosoftAccountsToBeOptional-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it.
This policy setting lets you control whether Microsoft accounts are optional for packaged Microsoft Store apps that require an account to sign in. This policy only affects packaged Microsoft Store apps that support it.
- If you enable this policy setting, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead.
- If you enable this policy setting, packaged Microsoft Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead.
- If you disable or don't configure this policy setting, users will need to sign in with a Microsoft account.
<!-- AllowMicrosoftAccountsToBeOptional-Description-End -->


@ -1,7 +1,7 @@
---
title: AppVirtualization Policy CSP
description: Learn more about the AppVirtualization Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -33,6 +33,9 @@ ms.date: 01/18/2024
<!-- AllowAppVClient-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect.
> [!NOTE]
> Application Virtualization (App-V) will reach end-of-life April 2026. After that time, the App-V client will be excluded from new versions of the Windows operating system. See aka.ms/AppVDeprecation for more information.
<!-- AllowAppVClient-Description-End -->
<!-- AllowAppVClient-Editable-Begin -->


@ -1,7 +1,7 @@
---
title: Audit Policy CSP
description: Learn more about the Audit Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 10/10/2024
---
<!-- Auto-Generated CSP Document -->
@ -846,7 +846,7 @@ Volume: Low.
<!-- AccountLogonLogoff_AuditSpecialLogon-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged-on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121697).
This policy setting allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged-on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged.
<!-- AccountLogonLogoff_AuditSpecialLogon-Description-End -->
<!-- AccountLogonLogoff_AuditSpecialLogon-Editable-Begin -->


@ -1,7 +1,7 @@
---
title: Browser Policy CSP
description: Learn more about the Browser Area in Policy CSP.
ms.date: 04/10/2024
ms.date: 09/11/2024
---
<!-- Auto-Generated CSP Document -->
@ -3364,9 +3364,7 @@ You can define a list of extensions in Microsoft Edge that users cannot turn off
Related Documents:
- [Find a package family name (PFN) for per-app VPN](/mem/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn)
- [How to manage volume purchased apps from the Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business)
- [Assign apps to groups with Microsoft Intune](/mem/intune/apps/apps-deploy)
- [Manage apps from the Microsoft Store for Business and Education with Configuration Manager](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- [Add a Windows line-of-business app to Microsoft Intune](/mem/intune/apps/lob-apps-windows)
<!-- PreventTurningOffRequiredExtensions-Editable-End -->


@ -1,7 +1,7 @@
---
title: Cryptography Policy CSP
description: Learn more about the Cryptography Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 01/18/2024
<!-- Cryptography-Begin -->
# Policy CSP - Cryptography
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Cryptography-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Cryptography-Editable-End -->
@ -79,7 +77,7 @@ Allows or disallows the Federal Information Processing Standard (FIPS) policy.
<!-- ConfigureEllipticCurveCryptography-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureEllipticCurveCryptography-Applicability-End -->
<!-- ConfigureEllipticCurveCryptography-OmaUri-Begin -->
@ -146,7 +144,7 @@ CertUtil.exe -DisplayEccCurve.
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Applicability-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-OmaUri-Begin -->
@ -196,7 +194,7 @@ System cryptography: Force strong key protection for user keys stored on the com
<!-- OverrideMinimumEnabledDTLSVersionClient-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- OverrideMinimumEnabledDTLSVersionClient-Applicability-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-OmaUri-Begin -->
@ -235,7 +233,7 @@ Override minimal enabled TLS version for client role. Last write wins.
<!-- OverrideMinimumEnabledDTLSVersionServer-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- OverrideMinimumEnabledDTLSVersionServer-Applicability-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-OmaUri-Begin -->
@ -274,7 +272,7 @@ Override minimal enabled TLS version for server role. Last write wins.
<!-- OverrideMinimumEnabledTLSVersionClient-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- OverrideMinimumEnabledTLSVersionClient-Applicability-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-OmaUri-Begin -->
@ -313,7 +311,7 @@ Override minimal enabled TLS version for client role. Last write wins.
<!-- OverrideMinimumEnabledTLSVersionServer-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- OverrideMinimumEnabledTLSVersionServer-Applicability-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: Defender Policy CSP
description: Learn more about the Defender Area in Policy CSP.
ms.date: 06/28/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -745,7 +745,7 @@ This policy setting allows you to configure scheduled scans and on-demand (manua
| Name | Value |
|:--|:--|
| Name | Scan_DisableScanningNetworkFiles |
| Friendly Name | Scan network files |
| Friendly Name | Configure scanning of network files |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |


@ -1,7 +1,7 @@
---
title: DesktopAppInstaller Policy CSP
description: Learn more about the DesktopAppInstaller Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,8 +11,6 @@ ms.date: 01/18/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- DesktopAppInstaller-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DesktopAppInstaller-Editable-End -->
@ -215,7 +213,14 @@ Users will still be able to execute the *winget* command. The default help will
<!-- EnableBypassCertificatePinningForMicrosoftStore-OmaUri-End -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy controls whether the [Windows Package Manager](/windows/package-manager/) will validate the Microsoft Store certificate hash matches to a known Microsoft Store certificate when initiating a connection to the Microsoft Store Source.
- If you enable this policy, the [Windows Package Manager](/windows/package-manager/) will bypass the Microsoft Store certificate validation.
- If you disable this policy, the [Windows Package Manager](/windows/package-manager/) will validate the Microsoft Store certificate used is valid and belongs to the Microsoft Store before communicating with the Microsoft Store source.
- If you don't configure this policy, the [Windows Package Manager](/windows/package-manager/) administrator settings will be adhered to.
<!-- EnableBypassCertificatePinningForMicrosoftStore-Description-End -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-Editable-Begin -->
@ -232,7 +237,6 @@ Users will still be able to execute the *winget* command. The default help will
<!-- EnableBypassCertificatePinningForMicrosoftStore-DFProperties-End -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -240,6 +244,11 @@ Users will still be able to execute the *winget* command. The default help will
| Name | Value |
|:--|:--|
| Name | EnableBypassCertificatePinningForMicrosoftStore |
| Friendly Name | Enable App Installer Microsoft Store Source Certificate Validation Bypass |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableBypassCertificatePinningForMicrosoftStore |
| ADMX File Name | DesktopAppInstaller.admx |
<!-- EnableBypassCertificatePinningForMicrosoftStore-AdmxBacked-End -->
@ -445,7 +454,14 @@ This policy controls whether or not the [Windows Package Manager](/windows/packa
<!-- EnableLocalArchiveMalwareScanOverride-OmaUri-End -->
<!-- EnableLocalArchiveMalwareScanOverride-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy controls the ability to override malware vulnerability scans when installing an archive file using a local manifest using the command line arguments.
- If you enable this policy, users can override the malware scan when performing a local manifest install of an archive file.
- If you disable this policy, users will be unable to override the malware scan of an archive file when installing using a local manifest.
- If you don't configure this policy, the [Windows Package Manager](/windows/package-manager/) administrator settings will be adhered to.
<!-- EnableLocalArchiveMalwareScanOverride-Description-End -->
<!-- EnableLocalArchiveMalwareScanOverride-Editable-Begin -->
@ -462,7 +478,6 @@ This policy controls whether or not the [Windows Package Manager](/windows/packa
<!-- EnableLocalArchiveMalwareScanOverride-DFProperties-End -->
<!-- EnableLocalArchiveMalwareScanOverride-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -470,6 +485,11 @@ This policy controls whether or not the [Windows Package Manager](/windows/packa
| Name | Value |
|:--|:--|
| Name | EnableLocalArchiveMalwareScanOverride |
| Friendly Name | Enable App Installer Local Archive Malware Scan Override |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableLocalArchiveMalwareScanOverride |
| ADMX File Name | DesktopAppInstaller.admx |
<!-- EnableLocalArchiveMalwareScanOverride-AdmxBacked-End -->
@ -618,9 +638,9 @@ This policy controls the Microsoft Store source included with the [Windows Packa
<!-- Description-Source-ADMX -->
This policy controls whether users can install packages from a website that's using the ms-appinstaller protocol.
- If you enable or don't configure this setting, users will be able to install packages from websites that use this protocol.
- If you enable this setting, users will be able to install packages from websites that use this protocol.
- If you disable this setting, users won't be able to install packages from websites that use this protocol.
- If you disable or don't configure this setting, users won't be able to install packages from websites that use this protocol.
<!-- EnableMSAppInstallerProtocol-Description-End -->
<!-- EnableMSAppInstallerProtocol-Editable-Begin -->
@ -724,7 +744,7 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerCommandLineInterfaces-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- EnableWindowsPackageManagerCommandLineInterfaces-Applicability-End -->
<!-- EnableWindowsPackageManagerCommandLineInterfaces-OmaUri-Begin -->
@ -734,7 +754,14 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerCommandLineInterfaces-OmaUri-End -->
<!-- EnableWindowsPackageManagerCommandLineInterfaces-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy determines if a user can perform an action using the [Windows Package Manager](/windows/package-manager/) through a command line interface (WinGet CLI, or WinGet PowerShell).
If you disable this policy, users won't be able execute the [Windows Package Manager](/windows/package-manager/) CLI, and PowerShell cmdlets.
If you enable, or don't configuring this policy, users will be able to execute the [Windows Package Manager](/windows/package-manager/) CLI commands, and PowerShell cmdlets. (Provided "Enable App Installer" policy isn't disabled).
This policy doesn't override the "Enable App Installer" policy.
<!-- EnableWindowsPackageManagerCommandLineInterfaces-Description-End -->
<!-- EnableWindowsPackageManagerCommandLineInterfaces-Editable-Begin -->
@ -751,7 +778,6 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerCommandLineInterfaces-DFProperties-End -->
<!-- EnableWindowsPackageManagerCommandLineInterfaces-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -759,6 +785,11 @@ The settings are stored inside of a .json file on the users system. It may be
| Name | Value |
|:--|:--|
| Name | EnableWindowsPackageManagerCommandLineInterfaces |
| Friendly Name | Enable Windows Package Manager command line interfaces |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableWindowsPackageManagerCommandLineInterfaces |
| ADMX File Name | DesktopAppInstaller.admx |
<!-- EnableWindowsPackageManagerCommandLineInterfaces-AdmxBacked-End -->
@ -774,7 +805,7 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerConfiguration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- EnableWindowsPackageManagerConfiguration-Applicability-End -->
<!-- EnableWindowsPackageManagerConfiguration-OmaUri-Begin -->
@ -784,7 +815,12 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerConfiguration-OmaUri-End -->
<!-- EnableWindowsPackageManagerConfiguration-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy controls whether the [Windows Package Manager](/windows/package-manager/) configuration feature can be used by users.
- If you enable or don't configure this setting, users will be able to use the [Windows Package Manager](/windows/package-manager/) configuration feature.
- If you disable this setting, users won't be able to use the [Windows Package Manager](/windows/package-manager/) configuration feature.
<!-- EnableWindowsPackageManagerConfiguration-Description-End -->
<!-- EnableWindowsPackageManagerConfiguration-Editable-Begin -->
@ -801,7 +837,6 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerConfiguration-DFProperties-End -->
<!-- EnableWindowsPackageManagerConfiguration-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -809,6 +844,11 @@ The settings are stored inside of a .json file on the users system. It may be
| Name | Value |
|:--|:--|
| Name | EnableWindowsPackageManagerConfiguration |
| Friendly Name | Enable Windows Package Manager Configuration |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableWindowsPackageManagerConfiguration |
| ADMX File Name | DesktopAppInstaller.admx |
<!-- EnableWindowsPackageManagerConfiguration-AdmxBacked-End -->
@ -835,9 +875,9 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- SourceAutoUpdateInterval-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls the auto update interval for package-based sources.
This policy controls the auto-update interval for package-based sources. The default source for [Windows Package Manager](/windows/package-manager/) is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed.
- If you disable or don't configure this setting, the default interval or the value specified in settings will be used by the [Windows Package Manager](/windows/package-manager/).
- If you disable or don't configure this setting, the default interval or the value specified in the [Windows Package Manager](/windows/package-manager/) settings will be used.
- If you enable this setting, the number of minutes specified will be used by the [Windows Package Manager](/windows/package-manager/).
<!-- SourceAutoUpdateInterval-Description-End -->


@ -1,7 +1,7 @@
---
title: DeviceLock Policy CSP
description: Learn more about the DeviceLock Area in Policy CSP.
ms.date: 08/05/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,8 +11,6 @@ ms.date: 08/05/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- DeviceLock-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!IMPORTANT]
@ -25,7 +23,7 @@ ms.date: 08/05/2024
<!-- AccountLockoutPolicy-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AccountLockoutPolicy-Applicability-End -->
<!-- AccountLockoutPolicy-OmaUri-Begin -->
@ -64,7 +62,7 @@ Account lockout threshold - This security setting determines the number of faile
<!-- AllowAdministratorLockout-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllowAdministratorLockout-Applicability-End -->
<!-- AllowAdministratorLockout-OmaUri-Begin -->
@ -329,7 +327,7 @@ Determines the type of PIN or password required. This policy only applies if the
<!-- ClearTextPassword-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ClearTextPassword-Applicability-End -->
<!-- ClearTextPassword-OmaUri-Begin -->
@ -685,7 +683,7 @@ The number of authentication failures allowed before the device will be wiped. A
<!-- MaximumPasswordAge-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- MaximumPasswordAge-Applicability-End -->
<!-- MaximumPasswordAge-OmaUri-Begin -->
@ -1025,7 +1023,7 @@ This security setting determines the period of time (in days) that a password mu
<!-- MinimumPasswordLength-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- MinimumPasswordLength-Applicability-End -->
<!-- MinimumPasswordLength-OmaUri-Begin -->
@ -1078,7 +1076,7 @@ This security setting determines the least number of characters that a password
<!-- MinimumPasswordLengthAudit-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- MinimumPasswordLengthAudit-Applicability-End -->
<!-- MinimumPasswordLengthAudit-OmaUri-Begin -->
@ -1128,7 +1126,7 @@ This security setting determines the minimum password length for which password
<!-- PasswordComplexity-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- PasswordComplexity-Applicability-End -->
<!-- PasswordComplexity-OmaUri-Begin -->
@ -1188,7 +1186,7 @@ Complexity requirements are enforced when passwords are changed or created.
<!-- PasswordHistorySize-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- PasswordHistorySize-Applicability-End -->
<!-- PasswordHistorySize-OmaUri-Begin -->
@ -1360,7 +1358,7 @@ If you enable this setting, users will no longer be able to modify slide show se
<!-- RelaxMinimumPasswordLengthLimits-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- RelaxMinimumPasswordLengthLimits-Applicability-End -->
<!-- RelaxMinimumPasswordLengthLimits-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: Experience Policy CSP
description: Learn more about the Experience Area in Policy CSP.
ms.date: 08/07/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 08/07/2024
<!-- Experience-Begin -->
# Policy CSP - Experience
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Experience-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Experience-Editable-End -->
@ -484,7 +482,7 @@ Allow screen capture.
<!-- AllowScreenRecorder-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllowScreenRecorder-Applicability-End -->
<!-- AllowScreenRecorder-OmaUri-Begin -->
@ -494,7 +492,7 @@ Allow screen capture.
<!-- AllowScreenRecorder-OmaUri-End -->
<!-- AllowScreenRecorder-Description-Begin -->
<!-- Description-Source-DDF -->
<!-- Description-Source-ADMX -->
This policy setting allows you to control whether screen recording functionality is available in the Windows Snipping Tool app.
- If you disable this policy setting, screen recording functionality won't be accessible in the Windows Snipping Tool app.
@ -531,7 +529,12 @@ This policy setting allows you to control whether screen recording functionality
| Name | Value |
|:--|:--|
| Name | AllowScreenRecorder |
| Path | Programs > AT > WindowsComponents > SnippingTool |
| Friendly Name | Allow Screen Recorder |
| Location | User Configuration |
| Path | Windows Components > Snipping Tool |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\SnippingTool |
| Registry Value Name | AllowScreenRecorder |
| ADMX File Name | Programs.admx |
<!-- AllowScreenRecorder-GpMapping-End -->
<!-- AllowScreenRecorder-Examples-Begin -->
@ -1681,7 +1684,7 @@ This policy setting lets you turn off cloud consumer account state content in al
<!-- DisableTextTranslation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisableTextTranslation-Applicability-End -->
<!-- DisableTextTranslation-OmaUri-Begin -->
@ -1887,7 +1890,7 @@ _**Turn syncing off by default but dont disable**_
<!-- EnableOrganizationalMessages-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4828] and later <br> ✅ Windows 11, version 22H2 with [KB5020044](https://support.microsoft.com/help/5020044) [10.0.22621.900] and later <br> ✅ Windows Insider Preview |
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 with [KB5041582](https://support.microsoft.com/help/5041582) [10.0.19045.4842] and later <br> ✅ Windows 11, version 22H2 with [KB5020044](https://support.microsoft.com/help/5020044) [10.0.22621.900] and later <br> ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- EnableOrganizationalMessages-Applicability-End -->
<!-- EnableOrganizationalMessages-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: FileExplorer Policy CSP
description: Learn more about the FileExplorer Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -138,7 +138,7 @@ When This PC location is restricted, give the user the option to enumerate and n
<!-- DisableGraphRecentItems-Description-Begin -->
<!-- Description-Source-ADMX -->
Turning off this setting will prevent File Explorer from requesting cloud file metadata and displaying it in the homepage and other views in File Explorer. Any insights and files available based on account activity will be stopped in views such as Recent, Recommended, Favorites, etc.
Turning off this setting will prevent File Explorer from requesting cloud file metadata and displaying it in the homepage and other views in File Explorer. Any insights and files available based on account activity will be stopped in views such as Recent, Recommended, Favorites, Details pane, etc.
<!-- DisableGraphRecentItems-Description-End -->
<!-- DisableGraphRecentItems-Editable-Begin -->


@ -1,7 +1,7 @@
---
title: HumanPresence Policy CSP
description: Learn more about the HumanPresence Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 01/18/2024
<!-- HumanPresence-Begin -->
# Policy CSP - HumanPresence
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- HumanPresence-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- HumanPresence-Editable-End -->
@ -21,7 +19,7 @@ ms.date: 01/18/2024
<!-- ForceAllowDimWhenExternalDisplayConnected-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ForceAllowDimWhenExternalDisplayConnected-Applicability-End -->
<!-- ForceAllowDimWhenExternalDisplayConnected-OmaUri-Begin -->
@ -85,7 +83,7 @@ Determines whether Allow Adaptive Dimming When Battery Saver On checkbox is forc
<!-- ForceAllowLockWhenExternalDisplayConnected-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ForceAllowLockWhenExternalDisplayConnected-Applicability-End -->
<!-- ForceAllowLockWhenExternalDisplayConnected-OmaUri-Begin -->
@ -149,7 +147,7 @@ Determines whether Allow Lock on Leave When Battery Saver On checkbox is forced
<!-- ForceAllowWakeWhenExternalDisplayConnected-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ForceAllowWakeWhenExternalDisplayConnected-Applicability-End -->
<!-- ForceAllowWakeWhenExternalDisplayConnected-OmaUri-Begin -->
@ -213,7 +211,7 @@ Determines whether Allow Wake on Approach When External Display Connected checkb
<!-- ForceDisableWakeWhenBatterySaverOn-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ForceDisableWakeWhenBatterySaverOn-Applicability-End -->
<!-- ForceDisableWakeWhenBatterySaverOn-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: InternetExplorer Policy CSP
description: Learn more about the InternetExplorer Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -1005,7 +1005,12 @@ Note. It's recommended to configure template policy settings in one Group Policy
<!-- AllowLegacyURLFields-OmaUri-End -->
<!-- AllowLegacyURLFields-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting allows the use of some disabled functionality, such as WorkingDirectory field or pluggable protocol handling, in Internet Shortcut files.
If you enable this policy, disabled functionality for Internet Shortcut files will be re-enabled.
If you disable, or don't configure this policy, some functionality for Internet Shortcut files, such as WorkingDirectory field or pluggable protocol handling, will be disabled.
<!-- AllowLegacyURLFields-Description-End -->
<!-- AllowLegacyURLFields-Editable-Begin -->
@ -1022,7 +1027,6 @@ Note. It's recommended to configure template policy settings in one Group Policy
<!-- AllowLegacyURLFields-DFProperties-End -->
<!-- AllowLegacyURLFields-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -1030,6 +1034,11 @@ Note. It's recommended to configure template policy settings in one Group Policy
| Name | Value |
|:--|:--|
| Name | AllowLegacyURLFields |
| Friendly Name | Allow legacy functionality for Internet Shortcut files |
| Location | Computer and User Configuration |
| Path | Windows Components > Internet Explorer |
| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main |
| Registry Value Name | AllowLegacyURLFields |
| ADMX File Name | inetres.admx |
<!-- AllowLegacyURLFields-AdmxBacked-End -->
@ -7923,13 +7932,11 @@ This policy setting allows you to manage the opening of windows and frames and a
<!-- JScriptReplacement-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting specifies whether JScript or JScript9Legacy is loaded for MSHTML/WebOC/MSXML/Cscript based invocations.
This policy setting specifies whether JScript or JScript9Legacy is loaded.
- If you enable this policy setting, JScript9Legacy will be loaded in situations where JScript is instantiated.
- If you enable this policy setting or not configured, JScript9Legacy will be loaded in situations where JScript is instantiated.
- If you disable this policy, then JScript will be utilized.
- If this policy is left unconfigured, then MSHTML will use JScript9Legacy and MSXML/Cscript will use JScript.
<!-- JScriptReplacement-Description-End -->
<!-- JScriptReplacement-Editable-Begin -->
@ -7953,7 +7960,7 @@ This policy setting specifies whether JScript or JScript9Legacy is loaded for MS
| Name | Value |
|:--|:--|
| Name | JScriptReplacement |
| Friendly Name | Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC. |
| Friendly Name | Replace JScript by loading JScript9Legacy in place of JScript. |
| Location | Computer and User Configuration |
| Path | Windows Components > Internet Explorer |
| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main |
@ -13407,7 +13414,7 @@ If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode
If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page.
For more information, see <https://go.microsoft.com/fwlink/?linkid=2102115>
For more information, see <https://go.microsoft.com/fwlink/?linkid=2220107>
<!-- ResetZoomForDialogInIEMode-Description-End -->
<!-- ResetZoomForDialogInIEMode-Editable-Begin -->


@ -1,7 +1,7 @@
---
title: LanmanWorkstation Policy CSP
description: Learn more about the LanmanWorkstation Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -36,6 +36,8 @@ This policy setting determines if the SMB client will allow insecure guest logon
- If you disable this policy setting, the SMB client will reject insecure guest logons.
If you enable signing, the SMB client will reject insecure guest logons.
Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and don't use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access".
<!-- EnableInsecureGuestLogons-Description-End -->


@ -1,7 +1,7 @@
---
title: LocalPoliciesSecurityOptions Policy CSP
description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CSP.
ms.date: 01/31/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -96,7 +96,7 @@ This policy setting prevents users from adding new Microsoft accounts on this co
This security setting determines whether the local Administrator account is enabled or disabled.
> [!NOTE]
> If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password doesn't meet the password requirements, you can't reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. Disabling the Administrator account can become a maintenance issue under certain circumstances. Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator won't be enabled. Default: Disabled.
> If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password doesn't meet the password requirements, you can't reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. Disabling the Administrator account can become a maintenance issue under certain circumstances. Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator won't be enabled.
<!-- Accounts_EnableAdministratorAccountStatus-Description-End -->
<!-- Accounts_EnableAdministratorAccountStatus-Editable-Begin -->
@ -154,10 +154,7 @@ This security setting determines whether the local Administrator account is enab
<!-- Accounts_EnableGuestAccountStatus-Description-Begin -->
<!-- Description-Source-DDF -->
This security setting determines if the Guest account is enabled or disabled. Default: Disabled.
> [!NOTE]
> If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.
This security setting determines if the Guest account is enabled or disabled. Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.
<!-- Accounts_EnableGuestAccountStatus-Description-End -->
<!-- Accounts_EnableGuestAccountStatus-Editable-Begin -->
@ -215,10 +212,7 @@ This security setting determines if the Guest account is enabled or disabled. De
<!-- Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly-Description-Begin -->
<!-- Description-Source-DDF -->
Accounts: Limit local account use of blank passwords to console logon only This security setting determines whether local accounts that aren't password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that aren't password protected will only be able to log on at the computer's keyboard. Default: Enabled.
> [!WARNING]
> Computers that aren't in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that doesn't have a password. This is especially important for portable computers. If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services.
Accounts: Limit local account use of blank passwords to console logon only This security setting determines whether local accounts that aren't password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that aren't password protected will only be able to log on at the computer's keyboard. Warning: Computers that aren't in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that doesn't have a password. This is especially important for portable computers. If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services.
> [!NOTE]
> This setting doesn't affect logons that use domain accounts. It's possible for applications that use remote interactive logons to bypass this setting.
@ -366,7 +360,7 @@ Accounts: Rename guest account This security setting determines whether a differ
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Applicability-End -->
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-OmaUri-Begin -->
@ -380,7 +374,7 @@ Accounts: Rename guest account This security setting determines whether a differ
Audit: Audit the use of Backup and Restore privilege This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect. Enabling this option when the Audit privilege use policy is also enabled generates an audit event for every file that's backed up or restored. If you disable this policy, then use of the Backup or Restore privilege isn't audited even when Audit privilege use is enabled.
> [!NOTE]
> On Windows versions prior to Windows Vista configuring this security setting, changes won't take effect until you restart Windows. Enabling this setting can cause a LOT of events, sometimes hundreds per second, during a backup operation. Default: Disabled.
> On Windows versions prior to Windows Vista configuring this security setting, changes won't take effect until you restart Windows. Enabling this setting can cause a LOT of events, sometimes hundreds per second, during a backup operation.
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Description-End -->
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Editable-Begin -->
@ -410,7 +404,7 @@ Audit: Audit the use of Backup and Restore privilege This security setting deter
<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Applicability-End -->
<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-OmaUri-Begin -->
@ -451,7 +445,7 @@ Audit: Force audit policy subcategory settings (Windows Vista or later) to overr
<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Applicability-End -->
<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-OmaUri-Begin -->
@ -465,7 +459,7 @@ Audit: Force audit policy subcategory settings (Windows Vista or later) to overr
Audit: Shut down system immediately if unable to log security audits This security setting determines whether the system shuts down if it's unable to log security events. If this security setting is enabled, it causes the system to stop if a security audit can't be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the retention method that's specified for the security log is either Do Not Overwrite Events or Overwrite Events by Days. If the security log is full and an existing entry can't be overwritten, and this security option is enabled, the following Stop error appears: STOP: C0000244 {Audit Failed} An attempt to generate a security audit failed. To recover, an administrator must log on, archive the log (optional), clear the log, and reset this option as desired. Until this security setting is reset, no users, other than a member of the Administrators group will be able to log on to the system, even if the security log isn't full.
> [!NOTE]
> On Windows versions prior to Windows Vista configuring this security setting, changes won't take effect until you restart Windows. Default: Disabled.
> On Windows versions prior to Windows Vista configuring this security setting, changes won't take effect until you restart Windows.
<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Description-End -->
<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Editable-Begin -->
@ -555,7 +549,11 @@ Devices: Allowed to format and eject removable media This security setting deter
<!-- Devices_AllowUndockWithoutHavingToLogon-Description-Begin -->
<!-- Description-Source-DDF -->
Devices: Allow undock without having to log on This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon isn't required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. Default: Enabled.
Devices: Allow undock without having to log on This security setting determines whether a portable computer can be undocked without having to log on.
- If this policy is enabled, logon isn't required and an external hardware eject button can be used to undock the computer.
- If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer.
> [!CAUTION]
> Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable.
@ -678,7 +676,11 @@ Devices: Prevent users from installing printer drivers when connecting to shared
<!-- Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly-Description-Begin -->
<!-- Description-Source-DDF -->
Devices: Restrict CD-ROM access to locally logged-on user only This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged-on interactively, the CD-ROM can be accessed over the network. Default: This policy isn't defined and CD-ROM access isn't restricted to the locally logged-on user.
Devices: Restrict CD-ROM access to locally logged-on user only This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously.
- If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media.
- If this policy is enabled and no one is logged-on interactively, the CD-ROM can be accessed over the network. Default: This policy isn't defined and CD-ROM access isn't restricted to the locally logged-on user.
<!-- Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly-Description-End -->
<!-- Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly-Editable-Begin -->
@ -716,7 +718,7 @@ Devices: Restrict CD-ROM access to locally logged-on user only This security set
<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Applicability-End -->
<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-OmaUri-Begin -->
@ -727,7 +729,11 @@ Devices: Restrict CD-ROM access to locally logged-on user only This security set
<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Description-Begin -->
<!-- Description-Source-DDF -->
Devices: Restrict floppy access to locally logged-on user only This security setting determines whether removable floppy media are accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable floppy media. If this policy is enabled and no one is logged-on interactively, the floppy can be accessed over the network. Default: This policy isn't defined and floppy disk drive access isn't restricted to the locally logged-on user.
Devices: Restrict floppy access to locally logged-on user only This security setting determines whether removable floppy media are accessible to both local and remote users simultaneously.
- If this policy is enabled, it allows only the interactively logged-on user to access removable floppy media.
- If this policy is enabled and no one is logged-on interactively, the floppy can be accessed over the network. Default: This policy isn't defined and floppy disk drive access isn't restricted to the locally logged-on user.
<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Description-End -->
<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Editable-Begin -->
@ -765,7 +771,7 @@ Devices: Restrict floppy access to locally logged-on user only This security set
<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Applicability-End -->
<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-OmaUri-Begin -->
@ -776,10 +782,11 @@ Devices: Restrict floppy access to locally logged-on user only This security set
<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Description-Begin -->
<!-- Description-Source-DDF -->
Domain member: Digitally encrypt or sign secure channel data (always) This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel won't be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally sign secure channel data (when possible) Default: Enabled.
Domain member: Digitally encrypt or sign secure channel data (always) This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
> [!NOTE]
> If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
- If this policy is enabled, then the secure channel won't be established unless either signing or encryption of all secure channel traffic is negotiated.
- If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally sign secure channel data (when possible) Notes: If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Description-End -->
<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Editable-Begin -->
@ -818,7 +825,7 @@ Domain member: Digitally encrypt or sign secure channel data (always) This secur
<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Applicability-End -->
<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-OmaUri-Begin -->
@ -829,10 +836,7 @@ Domain member: Digitally encrypt or sign secure channel data (always) This secur
<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Description-Begin -->
<!-- Description-Source-DDF -->
Domain member: Digitally encrypt secure channel data (when possible) This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc. This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member won't attempt to negotiate secure channel encryption. Default: Enabled.
> [!IMPORTANT]
> There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
Domain member: Digitally encrypt secure channel data (when possible) This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc. This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member won't attempt to negotiate secure channel encryption. Important There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
> [!NOTE]
> Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
@ -874,7 +878,7 @@ Domain member: Digitally encrypt secure channel data (when possible) This securi
<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Applicability-End -->
<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-OmaUri-Begin -->
@ -885,7 +889,7 @@ Domain member: Digitally encrypt secure channel data (when possible) This securi
<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Description-Begin -->
<!-- Description-Source-DDF -->
Domain member: Digitally sign secure channel data (when possible) This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it can't be tampered with in transit. Default: Enabled.
Domain member: Digitally sign secure channel data (when possible) This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it can't be tampered with in transit.
<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Description-End -->
<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Editable-Begin -->
@ -924,7 +928,7 @@ Domain member: Digitally sign secure channel data (when possible) This security
<!-- DomainMember_DisableMachineAccountPasswordChanges-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DomainMember_DisableMachineAccountPasswordChanges-Applicability-End -->
<!-- DomainMember_DisableMachineAccountPasswordChanges-OmaUri-Begin -->
@ -939,10 +943,7 @@ Domain member: Disable machine account password changes Determines whether a dom
- If this setting is enabled, the domain member doesn't attempt to change its computer account password.
- If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. Default: Disabled.
> [!NOTE]
> This security setting shouldn't be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it's established, the secure channel is used to transmit sensitive information that's necessary for making authentication and authorization decisions. This setting shouldn't be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
- If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. Notes This security setting shouldn't be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it's established, the secure channel is used to transmit sensitive information that's necessary for making authentication and authorization decisions. This setting shouldn't be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
<!-- DomainMember_DisableMachineAccountPasswordChanges-Description-End -->
<!-- DomainMember_DisableMachineAccountPasswordChanges-Editable-Begin -->
@ -981,7 +982,7 @@ Domain member: Disable machine account password changes Determines whether a dom
<!-- DomainMember_MaximumMachineAccountPasswordAge-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DomainMember_MaximumMachineAccountPasswordAge-Applicability-End -->
<!-- DomainMember_MaximumMachineAccountPasswordAge-OmaUri-Begin -->
@ -1034,7 +1035,7 @@ Domain member: Maximum machine account password age This security setting determ
<!-- DomainMember_RequireStrongSessionKey-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DomainMember_RequireStrongSessionKey-Applicability-End -->
<!-- DomainMember_RequireStrongSessionKey-OmaUri-Begin -->
@ -1049,10 +1050,7 @@ Domain member: Require strong (Windows 2000 or later) session key This security
- If this setting is enabled, then the secure channel won't be established unless 128-bit encryption can be performed.
- If this setting is disabled, then the key strength is negotiated with the domain controller. Default: Enabled.
> [!IMPORTANT]
> In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later. In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
- If this setting is disabled, then the key strength is negotiated with the domain controller. Important In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later. In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
<!-- DomainMember_RequireStrongSessionKey-Description-End -->
<!-- DomainMember_RequireStrongSessionKey-Editable-Begin -->
@ -1162,7 +1160,11 @@ Interactive Logon:Display user information when the session is locked User displ
<!-- InteractiveLogon_DoNotDisplayLastSignedIn-Description-Begin -->
<!-- Description-Source-DDF -->
Interactive logon: Don't display last signed-in This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. If this policy is enabled, the username won't be shown. If this policy is disabled, the username will be shown. Default: Disabled.
Interactive logon: Don't display last signed-in This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC.
- If this policy is enabled, the username won't be shown.
- If this policy is disabled, the username will be shown.
<!-- InteractiveLogon_DoNotDisplayLastSignedIn-Description-End -->
<!-- InteractiveLogon_DoNotDisplayLastSignedIn-Editable-Begin -->
@ -1220,7 +1222,11 @@ Interactive logon: Don't display last signed-in This security setting determines
<!-- InteractiveLogon_DoNotDisplayUsernameAtSignIn-Description-Begin -->
<!-- Description-Source-DDF -->
Interactive logon: Don't display username at sign-in This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. If this policy is enabled, the username won't be shown. If this policy is disabled, the username will be shown. Default: Disabled.
Interactive logon: Don't display username at sign-in This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown.
- If this policy is enabled, the username won't be shown.
- If this policy is disabled, the username will be shown.
<!-- InteractiveLogon_DoNotDisplayUsernameAtSignIn-Description-End -->
<!-- InteractiveLogon_DoNotDisplayUsernameAtSignIn-Editable-Begin -->
@ -1278,7 +1284,11 @@ Interactive logon: Don't display username at sign-in This security setting deter
<!-- InteractiveLogon_DoNotRequireCTRLALTDEL-Description-Begin -->
<!-- Description-Source-DDF -->
Interactive logon: Don't require CTRL+ALT+DEL This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. If this policy is enabled on a computer, a user isn't required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. Default on stand-alone computers: Enabled.
Interactive logon: Don't require CTRL+ALT+DEL This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.
- If this policy is enabled on a computer, a user isn't required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords.
- If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. Default on stand-alone computers: Enabled.
<!-- InteractiveLogon_DoNotRequireCTRLALTDEL-Description-End -->
<!-- InteractiveLogon_DoNotRequireCTRLALTDEL-Editable-Begin -->
@ -1325,7 +1335,7 @@ Interactive logon: Don't require CTRL+ALT+DEL This security setting determines w
<!-- InteractiveLogon_MachineAccountLockoutThreshold-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- InteractiveLogon_MachineAccountLockoutThreshold-Applicability-End -->
<!-- InteractiveLogon_MachineAccountLockoutThreshold-OmaUri-Begin -->
@ -1444,6 +1454,8 @@ Interactive logon: Message text for users attempting to log on This security set
<!-- InteractiveLogon_MessageTextForUsersAttemptingToLogOn-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!IMPORTANT]
> Windows Autopilot pre-provisioning doesn't work when this policy setting is enabled. For more information, see [Windows Autopilot troubleshooting FAQ](/autopilot/troubleshooting-faq#troubleshooting-policy-conflicts-with-windows-autopilot).
<!-- InteractiveLogon_MessageTextForUsersAttemptingToLogOn-Editable-End -->
<!-- InteractiveLogon_MessageTextForUsersAttemptingToLogOn-DFProperties-Begin -->
@ -1493,6 +1505,8 @@ Interactive logon: Message title for users attempting to log on This security se
<!-- InteractiveLogon_MessageTitleForUsersAttemptingToLogOn-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!IMPORTANT]
> Windows Autopilot pre-provisioning doesn't work when this policy setting is enabled. For more information, see [Windows Autopilot troubleshooting FAQ](/autopilot/troubleshooting-faq#troubleshooting-policy-conflicts-with-windows-autopilot).
<!-- InteractiveLogon_MessageTitleForUsersAttemptingToLogOn-Editable-End -->
<!-- InteractiveLogon_MessageTitleForUsersAttemptingToLogOn-DFProperties-Begin -->
@ -1525,7 +1539,7 @@ Interactive logon: Message title for users attempting to log on This security se
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-End -->
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-OmaUri-Begin -->
@ -1565,7 +1579,7 @@ Interactive logon: Number of previous logons to cache (in case domain controller
<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Applicability-End -->
<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-OmaUri-Begin -->
@ -1684,10 +1698,7 @@ Microsoft network client: Digitally sign communications (always) This security s
- If this setting is enabled, the Microsoft network client won't communicate with a Microsoft network server unless that server agrees to perform SMB packet signing.
- If this policy is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled.
> [!IMPORTANT]
> For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees).
- If this policy is disabled, SMB packet signing is negotiated between the client and server. Important For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees).
> [!NOTE]
> All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>.
@ -1752,10 +1763,7 @@ Microsoft network client: Digitally sign communications (if server agrees) This
- If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated.
- If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default: Enabled.
> [!NOTE]
> All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>.
- If this policy is disabled, the SMB client will never negotiate SMB packet signing. Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>.
<!-- MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees-Description-End -->
<!-- MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees-Editable-Begin -->
@ -1813,7 +1821,7 @@ Microsoft network client: Digitally sign communications (if server agrees) This
<!-- MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers-Description-Begin -->
<!-- Description-Source-DDF -->
Microsoft network client: Send unencrypted password to connect to third-party SMB servers If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that don't support password encryption during authentication. Sending unencrypted passwords is a security risk. Default: Disabled.
Microsoft network client: Send unencrypted password to connect to third-party SMB servers If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that don't support password encryption during authentication. Sending unencrypted passwords is a security risk.
<!-- MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers-Description-End -->
<!-- MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers-Editable-Begin -->
@ -1860,7 +1868,7 @@ Microsoft network client: Send unencrypted password to connect to third-party SM
<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Applicability-End -->
<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-OmaUri-Begin -->
@ -1993,7 +2001,7 @@ Microsoft network server: Digitally sign communications (if client agrees) This
- If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated.
- If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default: Enabled on domain controllers only.
- If this policy is disabled, the SMB client will never negotiate SMB packet signing. on domain controllers only.
> [!IMPORTANT]
> For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>.
@ -2043,7 +2051,7 @@ Microsoft network server: Digitally sign communications (if client agrees) This
<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Applicability-End -->
<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-OmaUri-Begin -->
@ -2054,7 +2062,9 @@ Microsoft network server: Digitally sign communications (if client agrees) This
<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Description-Begin -->
<!-- Description-Source-DDF -->
Microsoft network server: Disconnect clients when logon hours expire This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB Service to be forcibly disconnected when the client's logon hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired. Default on Windows Vista and above: Enabled. Default on Windows XP: Disabled.
Microsoft network server: Disconnect clients when logon hours expire This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB Service to be forcibly disconnected when the client's logon hours expire.
- If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired. Default on Windows Vista and above: Enabled. Default on Windows XP: Disabled.
<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Description-End -->
<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Editable-Begin -->
@ -2084,7 +2094,7 @@ Microsoft network server: Disconnect clients when logon hours expire This securi
<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Applicability-End -->
<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-OmaUri-Begin -->
@ -2125,7 +2135,7 @@ Microsoft network server: Server SPN target name validation level This policy se
<!-- NetworkAccess_AllowAnonymousSIDOrNameTranslation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_AllowAnonymousSIDOrNameTranslation-Applicability-End -->
<!-- NetworkAccess_AllowAnonymousSIDOrNameTranslation-OmaUri-Begin -->
@ -2259,7 +2269,7 @@ Network access: Don't allow anonymous enumeration of SAM accounts This security
<!-- NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares-Description-Begin -->
<!-- Description-Source-DDF -->
Network access: Don't allow anonymous enumeration of SAM accounts and shares This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. If you don't want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. Default: Disabled.
Network access: Don't allow anonymous enumeration of SAM accounts and shares This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. If you don't want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.
<!-- NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares-Description-End -->
<!-- NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares-Editable-Begin -->
@ -2306,7 +2316,7 @@ Network access: Don't allow anonymous enumeration of SAM accounts and shares Thi
<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Applicability-End -->
<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-OmaUri-Begin -->
@ -2324,7 +2334,7 @@ Network access: Don't allow storage of passwords and credentials for network aut
- If you disable or don't configure this policy setting, Credential Manager will store passwords and credentials on this computer for later use for domain authentication.
> [!NOTE]
> When configuring this security setting, changes won't take effect until you restart Windows. Default: Disabled.
> When configuring this security setting, changes won't take effect until you restart Windows.
<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Description-End -->
<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Editable-Begin -->
@ -2354,7 +2364,7 @@ Network access: Don't allow storage of passwords and credentials for network aut
<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Applicability-End -->
<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-OmaUri-Begin -->
@ -2365,7 +2375,9 @@ Network access: Don't allow storage of passwords and credentials for network aut
<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Description-Begin -->
<!-- Description-Source-DDF -->
Network access: Let Everyone permissions apply to anonymous users This security setting determines what additional permissions are granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. By Default, the Everyone security identifier (SID) is removed from the token created for anonymous connections. Therefore, permissions granted to the Everyone group don't apply to anonymous users. If this option is set, anonymous users can only access those resources for which the anonymous user has been explicitly given permission. If this policy is enabled, the Everyone SID is added to the token that's created for anonymous connections. In this case, anonymous users are able to access any resource for which the Everyone group has been given permissions. Default: Disabled.
Network access: Let Everyone permissions apply to anonymous users This security setting determines what additional permissions are granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. By Default, the Everyone security identifier (SID) is removed from the token created for anonymous connections. Therefore, permissions granted to the Everyone group don't apply to anonymous users. If this option is set, anonymous users can only access those resources for which the anonymous user has been explicitly given permission.
- If this policy is enabled, the Everyone SID is added to the token that's created for anonymous connections. In this case, anonymous users are able to access any resource for which the Everyone group has been given permissions.
<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Description-End -->
<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Editable-Begin -->
@ -2404,7 +2416,7 @@ Network access: Let Everyone permissions apply to anonymous users This security
<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Applicability-End -->
<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-OmaUri-Begin -->
@ -2444,7 +2456,7 @@ Network access: Named pipes that can be accessed anonymously This security setti
<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Applicability-End -->
<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-OmaUri-Begin -->
@ -2487,7 +2499,7 @@ Network access: Remotely accessible registry paths This security setting determi
<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Applicability-End -->
<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-OmaUri-Begin -->
@ -2541,7 +2553,7 @@ Network access: Remotely accessible registry paths and subpaths This security se
<!-- NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares-Description-Begin -->
<!-- Description-Source-DDF -->
Network access: Restrict anonymous access to Named Pipes and Shares When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: Network access: Named pipes that can be accessed anonymously Network access: Shares that can be accessed anonymously Default: Enabled.
Network access: Restrict anonymous access to Named Pipes and Shares When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: Network access: Named pipes that can be accessed anonymously Network access: Shares that can be accessed anonymously
<!-- NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares-Description-End -->
<!-- NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares-Editable-Begin -->
@ -2636,7 +2648,7 @@ Network access: Restrict clients allowed to make remote calls to SAM This policy
<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Applicability-End -->
<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-OmaUri-Begin -->
@ -2676,7 +2688,7 @@ Network access: Shares that can be accessed anonymously This security setting de
<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Applicability-End -->
<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-OmaUri-Begin -->
@ -2720,7 +2732,7 @@ Network access: Sharing and security model for local accounts This security sett
<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Applicability-End -->
<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-OmaUri-Begin -->
@ -2950,7 +2962,7 @@ Network security: Don't store LAN Manager hash value on next password change Thi
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-Applicability-End -->
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-OmaUri-Begin -->
@ -2961,10 +2973,9 @@ Network security: Don't store LAN Manager hash value on next password change Thi
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-Description-Begin -->
<!-- Description-Source-DDF -->
Network security: Force logoff when logon hours expire This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired. Default: Enabled.
Network security: Force logoff when logon hours expire This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire.
> [!NOTE]
> This security setting behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it's enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy object (GPO), even if there is a different account policy applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be different from the domain account policy by defining an account policy for the organizational unit that contains the member computers. Kerberos settings aren't applied to member computers.
- If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired. Note: This security setting behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it's enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy object (GPO), even if there is a different account policy applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be different from the domain account policy by defining an account policy for the organizational unit that contains the member computers. Kerberos settings aren't applied to member computers.
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-Description-End -->
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-Editable-Begin -->
@ -3076,7 +3087,7 @@ Network security LAN Manager authentication level This security setting determin
<!-- NetworkSecurity_LDAPClientSigningRequirements-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetworkSecurity_LDAPClientSigningRequirements-Applicability-End -->
<!-- NetworkSecurity_LDAPClientSigningRequirements-OmaUri-Begin -->
@ -3482,7 +3493,7 @@ Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers This po
<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Applicability-End -->
<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-OmaUri-Begin -->
@ -3532,7 +3543,7 @@ Recovery console: Allow automatic administrative logon This security setting det
<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Applicability-End -->
<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-OmaUri-Begin -->
@ -3642,7 +3653,7 @@ Shutdown: Allow system to be shut down without having to log on This security se
<!-- Shutdown_ClearVirtualMemoryPageFile-Description-Begin -->
<!-- Description-Source-DDF -->
Shutdown: Clear virtual memory pagefile This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. Virtual memory support uses a system pagefile to swap pages of memory to disk when they aren't used. On a running system, this pagefile is opened exclusively by the operating system, and it's well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile isn't available to an unauthorized user who manages to directly access the pagefile. When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. Default: Disabled.
Shutdown: Clear virtual memory pagefile This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. Virtual memory support uses a system pagefile to swap pages of memory to disk when they aren't used. On a running system, this pagefile is opened exclusively by the operating system, and it's well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile isn't available to an unauthorized user who manages to directly access the pagefile. When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled.
<!-- Shutdown_ClearVirtualMemoryPageFile-Description-End -->
<!-- Shutdown_ClearVirtualMemoryPageFile-Editable-Begin -->
@ -3689,7 +3700,7 @@ Shutdown: Clear virtual memory pagefile This security setting determines whether
<!-- SystemCryptography_ForceStrongKeyProtection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- SystemCryptography_ForceStrongKeyProtection-Applicability-End -->
<!-- SystemCryptography_ForceStrongKeyProtection-OmaUri-Begin -->
@ -3730,7 +3741,7 @@ System Cryptography: Force strong key protection for user keys stored on the com
<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Applicability-End -->
<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-OmaUri-Begin -->
@ -3741,7 +3752,7 @@ System Cryptography: Force strong key protection for user keys stored on the com
<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Description-Begin -->
<!-- Description-Source-DDF -->
System objects: Require case insensitivity for non-Windows subsystems This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX. If this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting doesn't allow the Win32 subsystem to become case sensitive. Default: Enabled.
System objects: Require case insensitivity for non-Windows subsystems This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX. If this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting doesn't allow the Win32 subsystem to become case sensitive.
<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Description-End -->
<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Editable-Begin -->
@ -3780,7 +3791,7 @@ System objects: Require case insensitivity for non-Windows subsystems This secur
<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Applicability-End -->
<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-OmaUri-Begin -->
@ -3791,7 +3802,9 @@ System objects: Require case insensitivity for non-Windows subsystems This secur
<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Description-Begin -->
<!-- Description-Source-DDF -->
System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. If this policy is enabled, the default DACL is stronger, allowing users who aren't administrators to read shared objects but not allowing these users to modify shared objects that they didn't create. Default: Enabled.
System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted.
- If this policy is enabled, the default DACL is stronger, allowing users who aren't administrators to read shared objects but not allowing these users to modify shared objects that they didn't create.
<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Description-End -->
<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Editable-Begin -->
@ -3832,7 +3845,11 @@ System objects: Strengthen default permissions of internal system objects (e.g.,
<!-- UserAccountControl_AllowUIAccessApplicationsToPromptForElevation-Description-Begin -->
<!-- Description-Source-DDF -->
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. - Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
- Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
- Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
<!-- UserAccountControl_AllowUIAccessApplicationsToPromptForElevation-Description-End -->
<!-- UserAccountControl_AllowUIAccessApplicationsToPromptForElevation-Editable-Begin -->
@ -3873,6 +3890,70 @@ User Account Control: Allow UIAccess applications to prompt for elevation withou
<!-- UserAccountControl_AllowUIAccessApplicationsToPromptForElevation-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection-Begin -->
## UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection-Applicability-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection
```
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection-OmaUri-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection-Description-Begin -->
<!-- Description-Source-DDF -->
User Account Control: Behavior of the elevation prompt for administrators running with Administrator protection. This policy setting controls the behavior of the elevation prompt for administrators. The options are:
- Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged credentials. If the user enters valid credentials, the operation continues with the user's highest available privilege.
- Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Allow changes or Don't allow. If the user selects Allow changes, the operation continues with the user's highest available privilege.
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection-Description-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> When Administrator protection is enabled, this policy overrides [UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](#useraccountcontrol_behavioroftheelevationpromptforadministrators) policy.
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection-Editable-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection-DFProperties-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 (Default) | Prompt for credentials on the secure desktop. |
| 2 | Prompt for consent on the secure desktop. |
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection-AllowedValues-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | User Account Control: Behavior of the elevation prompt for administrators running with Administrator protection |
| Path | Windows Settings > Security Settings > Local Policies > Security Options |
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection-GpMapping-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection-Examples-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministrators-Begin -->
## UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
@ -3890,14 +3971,28 @@ User Account Control: Allow UIAccess applications to prompt for elevation withou
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministrators-Description-Begin -->
<!-- Description-Source-DDF -->
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials.
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode This policy setting controls the behavior of the elevation prompt for administrators. The options are:
> [!NOTE]
> Use this option only in the most constrained environments. - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. - Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
- Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials.
>[!NOTE]
> Use this option only in the most constrained environments.
- Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
- Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
- Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
- Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
- Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministrators-Description-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministrators-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> When Administrator protection is enabled, this policy behavior is overridden by [UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection](#useraccountcontrol_behavioroftheelevationpromptforadministratorprotection) policy.
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministrators-Editable-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministrators-DFProperties-Begin -->
@ -3938,64 +4033,6 @@ User Account Control: Behavior of the elevation prompt for administrators in Adm
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministrators-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Begin -->
## UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Applicability-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators
```
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-OmaUri-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Description-Begin -->
<!-- Description-Source-DDF -->
User Account Control: Behavior of the elevation prompt for administrators running with enhanced privilege protection. This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. - Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Description-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Editable-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 2 |
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-DFProperties-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 | Prompt for credentials on the secure desktop. |
| 2 (Default) | Prompt for consent on the secure desktop. |
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-AllowedValues-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | User Account Control: Behavior of the elevation prompt for administrators running with enhanced privilege protection |
| Path | Windows Settings > Security Settings > Local Policies > Security Options |
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-GpMapping-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Examples-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers-Begin -->
## UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
@ -4013,7 +4050,13 @@ User Account Control: Behavior of the elevation prompt for administrators runnin
<!-- UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers-Description-Begin -->
<!-- Description-Source-DDF -->
User Account Control: Behavior of the elevation prompt for standard users This policy setting controls the behavior of the elevation prompt for standard users. The options are: - Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that's running desktops as standard user may choose this setting to reduce help desk calls. - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
User Account Control: Behavior of the elevation prompt for standard users This policy setting controls the behavior of the elevation prompt for standard users. The options are:
- Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
- Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that's running desktops as standard user may choose this setting to reduce help desk calls.
- Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
<!-- UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers-Description-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers-Editable-Begin -->
@ -4130,7 +4173,11 @@ User Account Control: Detect application installations and prompt for elevation
<!-- UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated-Description-Begin -->
<!-- Description-Source-DDF -->
User Account Control: Only elevate executable files that are signed and validated This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. The options are: - Enabled: Enforces the PKI certification path validation for a given executable file before it's permitted to run. - Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
User Account Control: Only elevate executable files that are signed and validated This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. The options are:
- Enabled: Enforces the PKI certification path validation for a given executable file before it's permitted to run.
- Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
<!-- UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated-Description-End -->
<!-- UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated-Editable-Begin -->
@ -4188,7 +4235,11 @@ User Account Control: Only elevate executable files that are signed and validate
<!-- UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations-Description-Begin -->
<!-- Description-Source-DDF -->
User Account Control: Only elevate UIAccess applications that are installed in secure locations This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ..\Program Files\, including subfolders - ..\Windows\system32\ - ..\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - Disabled: An application runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
User Account Control: Only elevate UIAccess applications that are installed in secure locations This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ..\Program Files\, including subfolders - ..\Windows\system32\ - ..\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are:
- Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
- Disabled: An application runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
<!-- UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations-Description-End -->
<!-- UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations-Editable-Begin -->
@ -4246,7 +4297,11 @@ User Account Control: Only elevate UIAccess applications that are installed in s
<!-- UserAccountControl_RunAllAdministratorsInAdminApprovalMode-Description-Begin -->
<!-- Description-Source-DDF -->
User Account Control: Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. - Disabled: Admin Approval Mode and all related UAC policy settings are disabled.
User Account Control: Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are:
- Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
- Disabled: Admin Approval Mode and all related UAC policy settings are disabled.
> [!NOTE]
> If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
@ -4307,7 +4362,11 @@ User Account Control: Turn on Admin Approval Mode This policy setting controls t
<!-- UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation-Description-Begin -->
<!-- Description-Source-DDF -->
User Account Control: Switch to the secure desktop when prompting for elevation This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. - Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
User Account Control: Switch to the secure desktop when prompting for elevation This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are:
- Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
- Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
<!-- UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation-Description-End -->
<!-- UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation-Editable-Begin -->
@ -4365,7 +4424,7 @@ User Account Control: Switch to the secure desktop when prompting for elevation
<!-- UserAccountControl_TypeOfAdminApprovalMode-Description-Begin -->
<!-- Description-Source-DDF -->
User Account Control: Configure type of Admin Approval Mode. This policy setting controls whether enhanced privilege protection is applied to admin approval mode elevations. If you change this policy setting, you must restart your computer. This policy is only supported on Windows Desktop, not Server. The options are: - Admin Approval Mode is running in legacy mode (default). - Admin Approval Mode is running with enhanced privilege protection.
User Account Control: Configure type of Admin Approval Mode. This policy setting controls whether Administrator protection is applied to admin approval mode elevations. If you change this policy setting, you must restart your computer. This policy is only supported on Windows Desktop, not Server. The options are: - Admin Approval Mode is running in legacy mode (default). - Admin Approval Mode is running with Administrator protection.
<!-- UserAccountControl_TypeOfAdminApprovalMode-Description-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-Editable-Begin -->
@ -4388,7 +4447,7 @@ User Account Control: Configure type of Admin Approval Mode. This policy setting
| Value | Description |
|:--|:--|
| 1 (Default) | Legacy Admin Approval Mode. |
| 2 | Admin Approval Mode with enhanced privilege protection. |
| 2 | Admin Approval Mode with Administrator protection. |
<!-- UserAccountControl_TypeOfAdminApprovalMode-AllowedValues-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-GpMapping-Begin -->
@ -4423,7 +4482,11 @@ User Account Control: Configure type of Admin Approval Mode. This policy setting
<!-- UserAccountControl_UseAdminApprovalMode-Description-Begin -->
<!-- Description-Source-DDF -->
User Account Control: Use Admin Approval Mode for the built-in Administrator account This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: - Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. - Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege.
User Account Control: Use Admin Approval Mode for the built-in Administrator account This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are:
- Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
- Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege.
<!-- UserAccountControl_UseAdminApprovalMode-Description-End -->
<!-- UserAccountControl_UseAdminApprovalMode-Editable-Begin -->
@ -4481,7 +4544,11 @@ User Account Control: Use Admin Approval Mode for the built-in Administrator acc
<!-- UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations-Description-Begin -->
<!-- Description-Source-DDF -->
User Account Control: Virtualize file and registry write failures to per-user locations This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. The options are: - Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. - Disabled: Applications that write data to protected locations fail.
User Account Control: Virtualize file and registry write failures to per-user locations This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. The options are:
- Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
- Disabled: Applications that write data to protected locations fail.
<!-- UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations-Description-End -->
<!-- UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations-Editable-Begin -->

View File

@ -1,7 +1,7 @@
---
title: LocalSecurityAuthority Policy CSP
description: Learn more about the LocalSecurityAuthority Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -93,7 +93,7 @@ This policy controls the configuration under which LSASS loads custom SSPs and A
<!-- Description-Source-ADMX -->
This policy controls the configuration under which LSASS is run.
- If you don't configure this policy and there is no current setting in the registry, LSA will run as protected process for clean installed, HVCI capable, client SKUs that are domain or cloud domain joined devices. This configuration isn't UEFI locked. This can be overridden if the policy is configured.
- If you don't configure this policy and there is no current setting in the registry, LSA will run as protected process for all clean installed, HVCI capable, client SKUs. This configuration isn't UEFI locked. This can be overridden if the policy is configured.
- If you configure and set this policy setting to "Disabled", LSA won't run as a protected process.
@ -135,7 +135,7 @@ This policy controls the configuration under which LSASS is run.
| Friendly Name | Configures LSASS to run as a protected process |
| Location | Computer Configuration |
| Path | System > Local Security Authority |
| Registry Key Name | System\CurrentControlSet\Control\Lsa |
| Registry Key Name | Software\Policies\Microsoft\Windows\System |
| ADMX File Name | LocalSecurityAuthority.admx |
<!-- ConfigureLsaProtectedProcess-GpMapping-End -->

View File

@ -1,7 +1,7 @@
---
title: MixedReality Policy CSP
description: Learn more about the MixedReality Area in Policy CSP.
ms.date: 02/20/2024
ms.date: 09/11/2024
---
<!-- Auto-Generated CSP Document -->
@ -1406,7 +1406,9 @@ This policy setting controls if it's required that the Start icon to be looked a
<!-- SkipCalibrationDuringSetup-Description-Begin -->
<!-- Description-Source-DDF -->
This policy configures whether the device will take the user through the eye tracking calibration process during device setup and first time user setup. If this policy is enabled, the device won't show the eye tracking calibration process during device setup and first time user setup. Note that until the user goes through the calibration process, eye tracking won't work on the device. If an app requires eye tracking and the user hasn't gone through the calibration process, the user will be prompted to do so.
This policy configures whether the device will take the user through the eye tracking calibration process during device setup and first time user setup.
- If this policy is enabled, the device won't show the eye tracking calibration process during device setup and first time user setup. Note that until the user goes through the calibration process, eye tracking won't work on the device. If an app requires eye tracking and the user hasn't gone through the calibration process, the user will be prompted to do so.
<!-- SkipCalibrationDuringSetup-Description-End -->
<!-- SkipCalibrationDuringSetup-Editable-Begin -->
@ -1457,7 +1459,9 @@ This policy configures whether the device will take the user through the eye tra
<!-- SkipTrainingDuringSetup-Description-Begin -->
<!-- Description-Source-DDF -->
This policy configures whether the device will take the user through a training process during device setup and first time user setup. If this policy is enabled, the device won't show the training process during device setup and first time user setup. If the user wishes to go through that training process, the user can launch the Tips app.
This policy configures whether the device will take the user through a training process during device setup and first time user setup.
- If this policy is enabled, the device won't show the training process during device setup and first time user setup. If the user wishes to go through that training process, the user can launch the Tips app.
<!-- SkipTrainingDuringSetup-Description-End -->
<!-- SkipTrainingDuringSetup-Editable-Begin -->


@ -1,7 +1,7 @@
---
title: MSSecurityGuide Policy CSP
description: Learn more about the MSSecurityGuide Area in Policy CSP.
ms.date: 01/31/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,8 +11,6 @@ ms.date: 01/31/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- MSSecurityGuide-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MSSecurityGuide-Editable-End -->
@ -223,7 +221,7 @@ ms.date: 01/31/2024
<!-- NetBTNodeTypeConfiguration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- NetBTNodeTypeConfiguration-Applicability-End -->
<!-- NetBTNodeTypeConfiguration-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: NetworkListManager Policy CSP
description: Learn more about the NetworkListManager Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 08/06/2024
<!-- NetworkListManager-Begin -->
# Policy CSP - NetworkListManager
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- NetworkListManager-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- NetworkListManager-Editable-End -->
@ -21,7 +19,7 @@ ms.date: 08/06/2024
<!-- AllNetworks_NetworkIcon-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllNetworks_NetworkIcon-Applicability-End -->
<!-- AllNetworks_NetworkIcon-OmaUri-Begin -->
@ -70,7 +68,7 @@ This policy setting allows you to specify whether users can change the network i
<!-- AllNetworks_NetworkLocation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllNetworks_NetworkLocation-Applicability-End -->
<!-- AllNetworks_NetworkLocation-OmaUri-Begin -->
@ -119,7 +117,7 @@ This policy setting allows you to specify whether users can change the network l
<!-- AllNetworks_NetworkName-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllNetworks_NetworkName-Applicability-End -->
<!-- AllNetworks_NetworkName-OmaUri-Begin -->
@ -262,7 +260,7 @@ This policy setting provides the string that names a network. If this setting is
<!-- IdentifyingNetworks_LocationType-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- IdentifyingNetworks_LocationType-Applicability-End -->
<!-- IdentifyingNetworks_LocationType-OmaUri-Begin -->
@ -311,7 +309,7 @@ This policy setting allows you to configure the Network Location for networks th
<!-- UnidentifiedNetworks_LocationType-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- UnidentifiedNetworks_LocationType-Applicability-End -->
<!-- UnidentifiedNetworks_LocationType-OmaUri-Begin -->
@ -360,7 +358,7 @@ This policy setting allows you to configure the Network Location type for networ
<!-- UnidentifiedNetworks_UserPermissions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- UnidentifiedNetworks_UserPermissions-Applicability-End -->
<!-- UnidentifiedNetworks_UserPermissions-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: Notifications Policy CSP
description: Learn more about the Notifications Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 01/18/2024
<!-- Notifications-Begin -->
# Policy CSP - Notifications
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Notifications-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Notifications-Editable-End -->
@ -21,7 +19,7 @@ ms.date: 01/18/2024
<!-- DisableAccountNotifications-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisableAccountNotifications-Applicability-End -->
<!-- DisableAccountNotifications-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: Printers Policy CSP
description: Learn more about the Printers Area in Policy CSP.
ms.date: 01/31/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -369,7 +369,7 @@ Determines whether Redirection Guard is enabled for the print spooler.
You can enable this setting to configure the Redirection Guard policy being applied to spooler.
- If you disable or don't configure this policy setting, Redirection Guard will default to being 'enabled'.
- If you disable or don't configure this policy setting, Redirection Guard will default to being 'Enabled'.
- If you enable this setting you may select the following options:
@ -435,7 +435,12 @@ The following are the supported values:
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-OmaUri-End -->
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting controls whether packet level privacy is enabled for RPC for incoming connections.
By default packet level privacy is enabled for RPC for incoming connections.
If you enable or don't configure this policy setting, packet level privacy is enabled for RPC for incoming connections.
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-Description-End -->
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-Editable-Begin -->
@ -452,7 +457,6 @@ The following are the supported values:
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-DFProperties-End -->
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -460,6 +464,11 @@ The following are the supported values:
| Name | Value |
|:--|:--|
| Name | ConfigureRpcAuthnLevelPrivacyEnabled |
| Friendly Name | Configure RPC packet level privacy setting for incoming connections |
| Location | Computer Configuration |
| Path | Printers |
| Registry Key Name | System\CurrentControlSet\Control\Print |
| Registry Value Name | RpcAuthnLevelPrivacyEnabled |
| ADMX File Name | Printing.admx |
<!-- ConfigureRpcAuthnLevelPrivacyEnabled-AdmxBacked-End -->
@ -685,7 +694,16 @@ If you disable or don't configure this policy setting, dynamic TCP ports are use
<!-- ConfigureWindowsProtectedPrint-OmaUri-End -->
<!-- ConfigureWindowsProtectedPrint-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
Determines whether Windows protected print is enabled on this computer.
By default, Windows protected print isn't enabled and there aren't any restrictions on the print drivers that can be installed or print functionality.
- If you enable this setting, the computer will operate in Windows protected print mode which only allows printing to printers that support a subset of inbox Windows print drivers.
- If you disable this setting or don't configure it, there aren't any restrictions on the print drivers that can be installed or print functionality.
For more information, please see [insert link to web page with WPP info]
<!-- ConfigureWindowsProtectedPrint-Description-End -->
<!-- ConfigureWindowsProtectedPrint-Editable-Begin -->
@ -702,7 +720,6 @@ If you disable or don't configure this policy setting, dynamic TCP ports are use
<!-- ConfigureWindowsProtectedPrint-DFProperties-End -->
<!-- ConfigureWindowsProtectedPrint-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -710,6 +727,11 @@ If you disable or don't configure this policy setting, dynamic TCP ports are use
| Name | Value |
|:--|:--|
| Name | ConfigureWindowsProtectedPrint |
| Friendly Name | Configure Windows protected print |
| Location | Computer Configuration |
| Path | Printers |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\WPP |
| Registry Value Name | WindowsProtectedPrintGroupPolicyState |
| ADMX File Name | Printing.admx |
<!-- ConfigureWindowsProtectedPrint-AdmxBacked-End -->


@ -1,7 +1,7 @@
---
title: Privacy Policy CSP
description: Learn more about the Privacy Area in Policy CSP.
ms.date: 06/28/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -155,9 +155,9 @@ Most restrictive value is `0` to not allow cross-device clipboard.
<!-- Description-Source-ADMX -->
This policy specifies whether users on the device have the option to enable online speech recognition services.
If this policy is enabled or not configured, control is deferred to users, and users may choose whether to enable speech services via settings.
- If this policy is enabled or not configured, control is deferred to users, and users may choose whether to enable speech services via settings.
If this policy is disabled, speech services will be disabled, and users can't enable speech services via settings.
- If this policy is disabled, speech services will be disabled, and users can't enable speech services via settings.
<!-- AllowInputPersonalization-Description-End -->
<!-- AllowInputPersonalization-Editable-Begin -->
@ -300,9 +300,9 @@ This policy setting turns off the advertising ID, preventing apps from using the
<!-- Description-Source-ADMX -->
When logging into a new user account for the first time or after an upgrade in some scenarios, that user may be presented with a screen or series of screens that prompts the user to choose privacy settings for their account. Enable this policy to prevent this experience from launching.
If this policy is enabled, the privacy experience won't launch for newly created user accounts or for accounts that would've been prompted to choose their privacy settings after an upgrade.
- If this policy is enabled, the privacy experience won't launch for newly created user accounts or for accounts that would've been prompted to choose their privacy settings after an upgrade.
If this policy is disabled or not configured, then the privacy experience may launch for newly created user accounts or for accounts that should be prompted to choose their privacy settings after an upgrade.
- If this policy is disabled or not configured, then the privacy experience may launch for newly created user accounts or for accounts that should be prompted to choose their privacy settings after an upgrade.
<!-- DisablePrivacyExperience-Description-End -->
<!-- DisablePrivacyExperience-Editable-Begin -->
@ -2398,207 +2398,6 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. The use
<!-- LetAppsAccessGazeInput_UserInControlOfTheseApps-End -->
<!-- LetAppsAccessGenerativeAI-Begin -->
## LetAppsAccessGenerativeAI
<!-- LetAppsAccessGenerativeAI-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- LetAppsAccessGenerativeAI-Applicability-End -->
<!-- LetAppsAccessGenerativeAI-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI
```
<!-- LetAppsAccessGenerativeAI-OmaUri-End -->
<!-- LetAppsAccessGenerativeAI-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting specifies whether Windows apps can use generative AI features of Windows.
<!-- LetAppsAccessGenerativeAI-Description-End -->
<!-- LetAppsAccessGenerativeAI-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI-Editable-End -->
<!-- LetAppsAccessGenerativeAI-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-2]` |
| Default Value | 0 |
<!-- LetAppsAccessGenerativeAI-DFProperties-End -->
<!-- LetAppsAccessGenerativeAI-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | LetAppsAccessGenerativeAI |
| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
| Element Name | LetAppsAccessGenerativeAI_Enum |
<!-- LetAppsAccessGenerativeAI-GpMapping-End -->
<!-- LetAppsAccessGenerativeAI-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI-Examples-End -->
<!-- LetAppsAccessGenerativeAI-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Begin -->
## LetAppsAccessGenerativeAI_ForceAllowTheseApps
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Applicability-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI_ForceAllowTheseApps
```
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-OmaUri-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Description-Begin -->
<!-- Description-Source-DDF -->
List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to use generative AI features of Windows. This setting overrides the default LetAppsAccessGenerativeAI policy setting for the specified apps.
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Description-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Editable-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-DFProperties-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | LetAppsAccessGenerativeAI |
| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
| Element Name | LetAppsAccessGenerativeAI_ForceAllowTheseApps_List |
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-GpMapping-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Examples-End -->
<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Begin -->
## LetAppsAccessGenerativeAI_ForceDenyTheseApps
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Applicability-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI_ForceDenyTheseApps
```
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-OmaUri-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Description-Begin -->
<!-- Description-Source-DDF -->
List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the use generative AI features of Windows. This setting overrides the default LetAppsAccessGenerativeAI policy setting for the specified apps.
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Description-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Editable-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-DFProperties-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | LetAppsAccessGenerativeAI |
| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
| Element Name | LetAppsAccessGenerativeAI_ForceDenyTheseApps_List |
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-GpMapping-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Examples-End -->
<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Begin -->
## LetAppsAccessGenerativeAI_UserInControlOfTheseApps
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Applicability-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI_UserInControlOfTheseApps
```
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-OmaUri-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Description-Begin -->
<!-- Description-Source-DDF -->
List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the generative AI setting for the listed apps. This setting overrides the default LetAppsAccessGenerativeAI policy setting for the specified apps.
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Description-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Editable-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-DFProperties-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | LetAppsAccessGenerativeAI |
| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
| Element Name | LetAppsAccessGenerativeAI_UserInControlOfTheseApps_List |
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-GpMapping-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Examples-End -->
<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-End -->
<!-- LetAppsAccessGraphicsCaptureProgrammatic-Begin -->
## LetAppsAccessGraphicsCaptureProgrammatic


@ -1,7 +1,7 @@
---
title: RemoteDesktopServices Policy CSP
description: Learn more about the RemoteDesktopServices Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -156,7 +156,7 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!-- DisconnectOnLockLegacyAuthn-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisconnectOnLockLegacyAuthn-Applicability-End -->
<!-- DisconnectOnLockLegacyAuthn-OmaUri-Begin -->
@ -166,7 +166,14 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!-- DisconnectOnLockLegacyAuthn-OmaUri-End -->
<!-- DisconnectOnLockLegacyAuthn-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure the user experience when the Remote Desktop session is locked by the user or by a policy. You can specify whether the remote session will show the remote lock screen or disconnect when the remote session is locked. Disconnecting the remote session ensures that a remote session can't be left on the lock screen and can't reconnect automatically due to loss of network connectivity.
This policy applies only when using legacy authentication to authenticate to the remote PC. Legacy authentication is limited to username and password, or certificates like smartcards. Legacy authentication doesn't leverage the Microsoft identity platform, such as Microsoft Entra ID. Legacy authentication includes the NTLM, CredSSP, RDSTLS, TLS, and RDP basic authentication protocols.
- If you enable this policy setting, Remote Desktop connections using legacy authentication will disconnect the remote session when the remote session is locked. Users can reconnect when they're ready and re-enter their credentials when prompted.
- If you disable or don't configure this policy setting, Remote Desktop connections using legacy authentication will show the remote lock screen when the remote session is locked. Users can unlock the remote session using their username and password, or certificates.
<!-- DisconnectOnLockLegacyAuthn-Description-End -->
<!-- DisconnectOnLockLegacyAuthn-Editable-Begin -->
@ -183,7 +190,6 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!-- DisconnectOnLockLegacyAuthn-DFProperties-End -->
<!-- DisconnectOnLockLegacyAuthn-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -191,7 +197,12 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
| Name | Value |
|:--|:--|
| Name | TS_DISCONNECT_ON_LOCK_POLICY |
| ADMX File Name | terminalserver.admx |
| Friendly Name | Disconnect remote session on lock for legacy authentication |
| Location | Computer Configuration |
| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
| Registry Value Name | fDisconnectOnLockLegacy |
| ADMX File Name | TerminalServer.admx |
<!-- DisconnectOnLockLegacyAuthn-AdmxBacked-End -->
<!-- DisconnectOnLockLegacyAuthn-Examples-Begin -->
@ -206,7 +217,7 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!-- DisconnectOnLockMicrosoftIdentityAuthn-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisconnectOnLockMicrosoftIdentityAuthn-Applicability-End -->
<!-- DisconnectOnLockMicrosoftIdentityAuthn-OmaUri-Begin -->
@ -216,7 +227,14 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!-- DisconnectOnLockMicrosoftIdentityAuthn-OmaUri-End -->
<!-- DisconnectOnLockMicrosoftIdentityAuthn-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure the user experience when the Remote Desktop session is locked by the user or by a policy. You can specify whether the remote session will show the remote lock screen or disconnect when the remote session is locked. Disconnecting the remote session ensures that a remote session can't be left on the lock screen and can't reconnect automatically due to loss of network connectivity.
This policy applies only when using an identity provider that uses the Microsoft identity platform, such as Microsoft Entra ID, to authenticate to the remote PC. This policy doesn't apply when using Legacy authentication which includes the NTLM, CredSSP, RDSTLS, TLS, and RDP basic authentication protocols.
- If you enable or don't configure this policy setting, Remote Desktop connections using the Microsoft identity platform will disconnect the remote session when the remote session is locked. Users can reconnect when they're ready and can use passwordless authentication if configured.
- If you disable this policy setting, Remote Desktop connections using the Microsoft identity platform will show the remote lock screen when the remote session is locked. Users can unlock the remote session using their username and password, or certificates.
<!-- DisconnectOnLockMicrosoftIdentityAuthn-Description-End -->
<!-- DisconnectOnLockMicrosoftIdentityAuthn-Editable-Begin -->
@ -233,7 +251,6 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!-- DisconnectOnLockMicrosoftIdentityAuthn-DFProperties-End -->
<!-- DisconnectOnLockMicrosoftIdentityAuthn-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -241,7 +258,12 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
| Name | Value |
|:--|:--|
| Name | TS_DISCONNECT_ON_LOCK_AAD_POLICY |
| ADMX File Name | terminalserver.admx |
| Friendly Name | Disconnect remote session on lock for Microsoft identity platform authentication |
| Location | Computer Configuration |
| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
| Registry Value Name | fDisconnectOnLockMicrosoftIdentity |
| ADMX File Name | TerminalServer.admx |
<!-- DisconnectOnLockMicrosoftIdentityAuthn-AdmxBacked-End -->
<!-- DisconnectOnLockMicrosoftIdentityAuthn-Examples-Begin -->
@ -439,7 +461,7 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- LimitClientToServerClipboardRedirection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later <br> ✅ [10.0.25398.946] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.3014] and later <br> ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later <br> ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later <br> ✅ Windows Insider Preview |
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later <br> ✅ [10.0.25398.946] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.3014] and later <br> ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later <br> ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later <br> ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- LimitClientToServerClipboardRedirection-Applicability-End -->
<!-- LimitClientToServerClipboardRedirection-OmaUri-Begin -->
@ -453,7 +475,25 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- LimitClientToServerClipboardRedirection-OmaUri-End -->
<!-- LimitClientToServerClipboardRedirection-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting allows you to restrict clipboard data transfers from client to server.
- If you enable this policy setting, you must choose from the following behaviors:
- Disable clipboard transfers from client to server.
- Allow plain text copying from client to server.
- Allow plain text and images copying from client to server.
- Allow plain text, images and Rich Text Format copying from client to server.
- Allow plain text, images, Rich Text Format and HTML copying from client to server.
- If you disable or don't configure this policy setting, users can copy arbitrary contents from client to server if clipboard redirection is enabled.
> [!NOTE]
> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the stricter restriction will be used.
<!-- LimitClientToServerClipboardRedirection-Description-End -->
<!-- LimitClientToServerClipboardRedirection-Editable-Begin -->
@ -470,7 +510,6 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- LimitClientToServerClipboardRedirection-DFProperties-End -->
<!-- LimitClientToServerClipboardRedirection-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -478,7 +517,11 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
| Name | Value |
|:--|:--|
| Name | TS_CLIENT_CLIPBOARDRESTRICTION_CS |
| ADMX File Name | terminalserver.admx |
| Friendly Name | Restrict clipboard transfer from client to server |
| Location | Computer and User Configuration |
| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
| ADMX File Name | TerminalServer.admx |
<!-- LimitClientToServerClipboardRedirection-AdmxBacked-End -->
<!-- LimitClientToServerClipboardRedirection-Examples-Begin -->
@ -493,7 +536,7 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- LimitServerToClientClipboardRedirection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later <br> ✅ [10.0.25398.946] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.3014] and later <br> ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later <br> ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later <br> ✅ Windows Insider Preview |
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later <br> ✅ [10.0.25398.946] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.3014] and later <br> ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later <br> ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later <br> ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- LimitServerToClientClipboardRedirection-Applicability-End -->
<!-- LimitServerToClientClipboardRedirection-OmaUri-Begin -->
@ -507,7 +550,25 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- LimitServerToClientClipboardRedirection-OmaUri-End -->
<!-- LimitServerToClientClipboardRedirection-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting allows you to restrict clipboard data transfers from server to client.
- If you enable this policy setting, you must choose from the following behaviors:
- Disable clipboard transfers from server to client.
- Allow plain text copying from server to client.
- Allow plain text and images copying from server to client.
- Allow plain text, images and Rich Text Format copying from server to client.
- Allow plain text, images, Rich Text Format and HTML copying from server to client.
- If you disable or don't configure this policy setting, users can copy arbitrary contents from server to client if clipboard redirection is enabled.
> [!NOTE]
> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the stricter restriction will be used.
<!-- LimitServerToClientClipboardRedirection-Description-End -->
<!-- LimitServerToClientClipboardRedirection-Editable-Begin -->
@ -524,7 +585,6 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- LimitServerToClientClipboardRedirection-DFProperties-End -->
<!-- LimitServerToClientClipboardRedirection-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@ -532,7 +592,11 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
| Name | Value |
|:--|:--|
| Name | TS_CLIENT_CLIPBOARDRESTRICTION_SC |
| ADMX File Name | terminalserver.admx |
| Friendly Name | Restrict clipboard transfer from server to client |
| Location | Computer and User Configuration |
| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
| ADMX File Name | TerminalServer.admx |
<!-- LimitServerToClientClipboardRedirection-AdmxBacked-End -->
<!-- LimitServerToClientClipboardRedirection-Examples-Begin -->


@ -1,7 +1,7 @@
---
title: Search Policy CSP
description: Learn more about the Search Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 08/06/2024
<!-- Search-Begin -->
# Policy CSP - Search
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Search-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Search-Editable-End -->
@ -648,7 +646,7 @@ The most restrictive value is `0` to now allow automatic language detection.
<!-- ConfigureSearchOnTaskbarMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureSearchOnTaskbarMode-Applicability-End -->
<!-- ConfigureSearchOnTaskbarMode-OmaUri-Begin -->
@ -930,13 +928,13 @@ This policy setting configures whether or not locations on removable drives can
<!-- DoNotUseWebResults-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to control whether or not Search can perform queries on the web, if web results are displayed in Search, and if search highlights are shown in the search box and in search home.
This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are displayed in Search.
- If you enable this policy setting, queries won't be performed on the web, web results won't be displayed when a user performs a query in Search, and search highlights won't be shown in the search box and in search home.
- If you enable this policy setting, queries won't be performed on the web and web results won't be displayed when a user performs a query in Search.
- If you disable this policy setting, queries will be performed on the web, web results will be displayed when a user performs a query in Search, and search highlights will be shown in the search box and in search home.
- If you disable this policy setting, queries will be performed on the web and web results will be displayed when a user performs a query in Search.
- If you don't configure this policy setting, a user can choose whether or not Search can perform queries on the web, and if the web results are displayed in Search, and if search highlights are shown in the search box and in search home.
- If you don't configure this policy setting, a user can choose whether or not Search can perform queries on the web, and if the web results are displayed in Search.
<!-- DoNotUseWebResults-Description-End -->
<!-- DoNotUseWebResults-Editable-Begin -->


@ -1,7 +1,7 @@
---
title: SettingsSync Policy CSP
description: Learn more about the SettingsSync Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,8 +11,6 @@ ms.date: 01/18/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- SettingsSync-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SettingsSync-Editable-End -->
@ -23,7 +21,7 @@ ms.date: 01/18/2024
<!-- DisableAccessibilitySettingSync-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisableAccessibilitySettingSync-Applicability-End -->
<!-- DisableAccessibilitySettingSync-OmaUri-Begin -->
@ -84,7 +82,7 @@ If you don't set or disable this setting, syncing of the "accessibility" group i
<!-- DisableLanguageSettingSync-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisableLanguageSettingSync-Applicability-End -->
<!-- DisableLanguageSettingSync-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: SmartScreen Policy CSP
description: Learn more about the SmartScreen Area in Policy CSP.
ms.date: 01/31/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -29,20 +29,11 @@ ms.date: 01/31/2024
<!-- EnableAppInstallControl-OmaUri-End -->
<!-- EnableAppInstallControl-Description-Begin -->
<!-- Description-Source-ADMX -->
App Install Control is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only from the Store. SmartScreen must be enabled for this feature to work properly.
<!-- Description-Source-DDF-Forced -->
Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
- If you enable this setting, you must choose from the following behaviors:
- Turn off app recommendations.
- Show me app recommendations.
- Warn me before installing apps from outside the Store.
- Allow apps from Store only.
- If you disable or don't configure this setting, users will be able to install apps from anywhere, including files downloaded from the Internet.
> [!NOTE]
> This policy will block installation only while the device is online. To block offline installation too, SmartScreen/PreventOverrideForFilesInShell and SmartScreen/EnableSmartScreenInShell policies should also be enabled. This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.
<!-- EnableAppInstallControl-Description-End -->
<!-- EnableAppInstallControl-Editable-Begin -->
@ -110,23 +101,8 @@ App Install Control is a feature of Windows Defender SmartScreen that helps prot
<!-- EnableSmartScreenInShell-OmaUri-End -->
<!-- EnableSmartScreenInShell-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that don't appear to be suspicious.
Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.
- If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:
- Warn and prevent bypass
- Warn.
- If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs won't present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app.
- If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen won't warn the user again for that app if the user tells SmartScreen to run the app.
- If you disable this policy, SmartScreen will be turned off for all users. Users won't be warned if they try to run suspicious apps from the Internet.
- If you don't configure this policy, SmartScreen will be enabled by default, but users may change their settings.
<!-- Description-Source-DDF-Forced -->
Allows IT Admins to configure SmartScreen for Windows.
<!-- EnableSmartScreenInShell-Description-End -->
<!-- EnableSmartScreenInShell-Editable-Begin -->
@ -188,23 +164,8 @@ Some information is sent to Microsoft about files and programs run on PCs with t
<!-- PreventOverrideForFilesInShell-OmaUri-End -->
<!-- PreventOverrideForFilesInShell-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that don't appear to be suspicious.
Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.
- If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:
- Warn and prevent bypass
- Warn.
- If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs won't present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app.
- If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen won't warn the user again for that app if the user tells SmartScreen to run the app.
- If you disable this policy, SmartScreen will be turned off for all users. Users won't be warned if they try to run suspicious apps from the Internet.
- If you don't configure this policy, SmartScreen will be enabled by default, but users may change their settings.
<!-- Description-Source-DDF-Forced -->
Allows IT Admins to control whether users can ignore SmartScreen warnings and run malicious files.
<!-- PreventOverrideForFilesInShell-Description-End -->
<!-- PreventOverrideForFilesInShell-Editable-Begin -->


@ -0,0 +1,79 @@
---
title: SpeakForMe Policy CSP
description: Learn more about the SpeakForMe Area in Policy CSP.
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
<!-- SpeakForMe-Begin -->
# Policy CSP - SpeakForMe
<!-- SpeakForMe-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SpeakForMe-Editable-End -->
<!-- EnableSpeakForMe-Begin -->
## EnableSpeakForMe
<!-- EnableSpeakForMe-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- EnableSpeakForMe-Applicability-End -->
<!-- EnableSpeakForMe-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/SpeakForMe/EnableSpeakForMe
```
<!-- EnableSpeakForMe-OmaUri-End -->
<!-- EnableSpeakForMe-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls whether to allow the creation of personal voices with SpeakForMe Accessibility Windows Application.
- If you enable this policy setting, then user can create their personal voice models.
- If you disable this policy setting, then user can't create their personal voice models with SpeakForMe.
- If you don't configure this policy setting (default), then users can launch the training flow and create their personal voice model through SpeakForMe.
<!-- EnableSpeakForMe-Description-End -->
<!-- EnableSpeakForMe-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableSpeakForMe-Editable-End -->
<!-- EnableSpeakForMe-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- EnableSpeakForMe-DFProperties-End -->
<!-- EnableSpeakForMe-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- EnableSpeakForMe-AllowedValues-End -->
<!-- EnableSpeakForMe-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableSpeakForMe-Examples-End -->
<!-- EnableSpeakForMe-End -->
<!-- SpeakForMe-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- SpeakForMe-CspMoreInfo-End -->
<!-- SpeakForMe-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)


@ -1,7 +1,7 @@
---
title: Sudo Policy CSP
description: Learn more about the Sudo Area in Policy CSP.
ms.date: 04/10/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 04/10/2024
<!-- Sudo-Begin -->
# Policy CSP - Sudo
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Sudo-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Sudo-Editable-End -->
@ -21,7 +19,7 @@ ms.date: 04/10/2024
<!-- EnableSudo-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- EnableSudo-Applicability-End -->
<!-- EnableSudo-OmaUri-Begin -->
@ -31,7 +29,20 @@ ms.date: 04/10/2024
<!-- EnableSudo-OmaUri-End -->
<!-- EnableSudo-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Description-Source-ADMX -->
This policy setting controls use of the sudo.exe command line tool.
- If you enable this policy setting, then you may set a maximum allowed mode to run sudo in. This restricts the ways in which users may interact with command-line applications run with sudo. You may pick one of the following modes to allow sudo to run in:
"Disabled": sudo is entirely disabled on this machine. When the user tries to run sudo, sudo will print an error message and exit.
"Force new window": When sudo launches a command line application, it will launch that app in a new console window.
"Disable input": When sudo launches a command line application, it will launch the app in the current console window, but the user won't be able to type input to the command line app. The user may also choose to run sudo in "Force new window" mode.
"Normal": When sudo launches a command line application, it will launch the app in the current console window. The user may also choose to run sudo in "Force new window" or "Disable input" mode.
- If you disable this policy or don't configure it, the user will be able to run sudo.exe normally (after enabling the setting in the Settings app).
<!-- EnableSudo-Description-End -->
<!-- EnableSudo-Editable-Begin -->
@ -65,7 +76,11 @@ ms.date: 04/10/2024
| Name | Value |
|:--|:--|
| Name | EnableSudo |
| Path | Sudo > AT > System |
| Friendly Name | Configure the behavior of the sudo command |
| Location | Computer Configuration |
| Path | System |
| Registry Key Name | Software\Policies\Microsoft\Windows\Sudo |
| ADMX File Name | Sudo.admx |
<!-- EnableSudo-GpMapping-End -->
<!-- EnableSudo-Examples-Begin -->


@ -1,7 +1,7 @@
---
title: System Policy CSP
description: Learn more about the System Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,8 +11,6 @@ ms.date: 08/06/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- System-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- System-Editable-End -->
@ -1471,7 +1469,7 @@ This policy setting lets you prevent apps and features from working with files o
* Users can't access OneDrive from the OneDrive app and file picker.
* Windows Store apps can't access OneDrive using the WinRT API.
* Packaged Microsoft Store apps can't access OneDrive using the WinRT API.
* OneDrive doesn't appear in the navigation pane in File Explorer.
@ -1777,7 +1775,7 @@ Diagnostic files created when a feedback is filed in the Feedback Hub app will a
<!-- HideUnsupportedHardwareNotifications-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- HideUnsupportedHardwareNotifications-Applicability-End -->
<!-- HideUnsupportedHardwareNotifications-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: SystemServices Policy CSP
description: Learn more about the SystemServices Area in Policy CSP.
ms.date: 04/10/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 04/10/2024
<!-- SystemServices-Begin -->
# Policy CSP - SystemServices
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- SystemServices-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SystemServices-Editable-End -->
@ -21,7 +19,7 @@ ms.date: 04/10/2024
<!-- ConfigureComputerBrowserServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureComputerBrowserServiceStartupMode-Applicability-End -->
<!-- ConfigureComputerBrowserServiceStartupMode-OmaUri-Begin -->
@ -171,7 +169,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureIISAdminServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureIISAdminServiceStartupMode-Applicability-End -->
<!-- ConfigureIISAdminServiceStartupMode-OmaUri-Begin -->
@ -221,7 +219,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureInfraredMonitorServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureInfraredMonitorServiceStartupMode-Applicability-End -->
<!-- ConfigureInfraredMonitorServiceStartupMode-OmaUri-Begin -->
@ -271,7 +269,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Applicability-End -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-OmaUri-Begin -->
@ -321,7 +319,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureLxssManagerServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureLxssManagerServiceStartupMode-Applicability-End -->
<!-- ConfigureLxssManagerServiceStartupMode-OmaUri-Begin -->
@ -371,7 +369,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureMicrosoftFTPServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureMicrosoftFTPServiceStartupMode-Applicability-End -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-OmaUri-Begin -->
@ -421,7 +419,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Applicability-End -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-OmaUri-Begin -->
@ -471,7 +469,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Applicability-End -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-OmaUri-Begin -->
@ -521,7 +519,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureSimpleTCPIPServicesStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureSimpleTCPIPServicesStartupMode-Applicability-End -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-OmaUri-Begin -->
@ -571,7 +569,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Applicability-End -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-OmaUri-Begin -->
@ -621,7 +619,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Applicability-End -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-OmaUri-Begin -->
@ -671,7 +669,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Applicability-End -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-OmaUri-Begin -->
@ -721,7 +719,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureWebManagementServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureWebManagementServiceStartupMode-Applicability-End -->
<!-- ConfigureWebManagementServiceStartupMode-OmaUri-Begin -->
@ -771,7 +769,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Applicability-End -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-OmaUri-Begin -->
@ -821,7 +819,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Applicability-End -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-OmaUri-Begin -->
@ -871,7 +869,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Applicability-End -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: TaskScheduler Policy CSP
description: Learn more about the TaskScheduler Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/11/2024
---
<!-- Auto-Generated CSP Document -->
@ -30,7 +30,7 @@ ms.date: 01/18/2024
<!-- EnableXboxGameSaveTask-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled.
This setting determines whether the specific task is enabled (1) or disabled (0).
<!-- EnableXboxGameSaveTask-Description-End -->
<!-- EnableXboxGameSaveTask-Editable-Begin -->


@ -1,7 +1,7 @@
---
title: TenantRestrictions Policy CSP
description: Learn more about the TenantRestrictions Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -41,9 +41,9 @@ When you enable this setting, compliant applications will be prevented from acce
<https://go.microsoft.com/fwlink/?linkid=2148762>
Before enabling firewall protection, ensure that a Windows Defender Application Control (WDAC) policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding WDAC policy will prevent all applications from reaching Microsoft endpoints. This firewall setting isn't supported on all versions of Windows - see the following link for more information.
Before enabling firewall protection, ensure that an App Control for Business policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding App Control for Business policy will prevent all applications from reaching Microsoft endpoints. This firewall setting isn't supported on all versions of Windows - see the following link for more information.
For details about setting up WDAC with tenant restrictions, see <https://go.microsoft.com/fwlink/?linkid=2155230>
For details about setting up App Control with tenant restrictions, see <https://go.microsoft.com/fwlink/?linkid=2155230>
<!-- ConfigureTenantRestrictions-Description-End -->
<!-- ConfigureTenantRestrictions-Editable-Begin -->


@ -1,7 +1,7 @@
---
title: Update Policy CSP
description: Learn more about the Update Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,18 +9,12 @@ ms.date: 08/06/2024
<!-- Update-Begin -->
# Policy CSP - Update
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Update-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Update-Editable-End -->
Update CSP policies are listed below based on the group policy area:
- [Windows Insider Preview](#windows-insider-preview)
- [AlwaysAutoRebootAtScheduledTimeMinutes](#alwaysautorebootatscheduledtimeminutes)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
- [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update)
- [AllowNonMicrosoftSignedUpdate](#allownonmicrosoftsignedupdate)
- [AllowOptionalContent](#allowoptionalcontent)
@ -61,7 +55,8 @@ Update CSP policies are listed below based on the group policy area:
- [ConfigureDeadlineForQualityUpdates](#configuredeadlineforqualityupdates)
- [ConfigureDeadlineGracePeriod](#configuredeadlinegraceperiod)
- [ConfigureDeadlineGracePeriodForFeatureUpdates](#configuredeadlinegraceperiodforfeatureupdates)
- [ConfigureDeadlineNoAutoReboot](#configuredeadlinenoautoreboot)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
- [ConfigureFeatureUpdateUninstallPeriod](#configurefeatureupdateuninstallperiod)
- [NoUpdateNotificationsDuringActiveHours](#noupdatenotificationsduringactivehours)
- [ScheduledInstallDay](#scheduledinstallday)
@ -76,6 +71,7 @@ Update CSP policies are listed below based on the group policy area:
- [SetEDURestart](#setedurestart)
- [UpdateNotificationLevel](#updatenotificationlevel)
- [Legacy Policies](#legacy-policies)
- [AlwaysAutoRebootAtScheduledTimeMinutes](#alwaysautorebootatscheduledtimeminutes)
- [AutoRestartDeadlinePeriodInDays](#autorestartdeadlineperiodindays)
- [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](#autorestartdeadlineperiodindaysforfeatureupdates)
- [AutoRestartNotificationSchedule](#autorestartnotificationschedule)
@ -99,188 +95,6 @@ Update CSP policies are listed below based on the group policy area:
- [ScheduleRestartWarning](#schedulerestartwarning)
- [SetAutoRestartNotificationDisable](#setautorestartnotificationdisable)
## Windows Insider Preview
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Begin -->
### AlwaysAutoRebootAtScheduledTimeMinutes
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Applicability-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/AlwaysAutoRebootAtScheduledTimeMinutes
```
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-OmaUri-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this policy, a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days.
The restart timer can be configured to start with any value from 15 to 180 minutes. When the timer runs out, the restart will proceed even if the PC has signed-in users.
- If you disable or don't configure this policy, Windows Update won't alter its restart behavior.
If the "No auto-restart with logged-on users for scheduled automatic updates installations" policy is enabled, then this policy has no effect.
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Description-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Editable-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[15-180]` |
| Default Value | 15 |
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-DFProperties-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AlwaysAutoRebootAtScheduledTime |
| Friendly Name | Always automatically restart at the scheduled time |
| Element Name | work (minutes) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU |
| ADMX File Name | WindowsUpdate.admx |
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-GpMapping-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Examples-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Begin -->
### ConfigureDeadlineNoAutoRebootForFeatureUpdates
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates
```
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Description-Begin -->
<!-- Description-Source-DDF -->
When enabled, devices won't automatically restart outside of active hours until the deadline and grace period have expired for feature updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForFeatureUpdates is configured.
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Description-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Editable-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-DFProperties-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-AllowedValues-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates |
| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
| Element Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates |
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-GpMapping-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Examples-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Begin -->
### ConfigureDeadlineNoAutoRebootForQualityUpdates
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForQualityUpdates
```
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Description-Begin -->
<!-- Description-Source-DDF -->
When enabled, devices won't automatically restart outside of active hours until the deadline and grace period have expired for quality updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates is configured.
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Description-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Editable-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-DFProperties-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-AllowedValues-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ConfigureDeadlineNoAutoRebootForQualityUpdates |
| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
| Element Name | ConfigureDeadlineNoAutoRebootForQualityUpdates |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-GpMapping-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Examples-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-End -->
## Manage updates offered from Windows Update
<!-- AllowNonMicrosoftSignedUpdate-Begin -->
@ -2518,8 +2332,8 @@ Number of days before feature updates are installed on devices automatically reg
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
| Friendly Name | Specify deadlines for automatic updates and restarts |
| Name | ComplianceDeadlineForFU |
| Friendly Name | Specify deadline for automatic updates and restarts for feature update |
| Element Name | Deadline (days) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
@ -2578,7 +2392,7 @@ Number of days before quality updates are installed on devices automatically reg
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
| Friendly Name | Specify deadlines for automatic updates and restarts |
| Friendly Name | Specify deadline for automatic updates and restarts for quality update |
| Element Name | Deadline (days) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
@ -2633,7 +2447,7 @@ Minimum number of days from update installation until restarts occur automatical
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
| Friendly Name | Specify deadlines for automatic updates and restarts |
| Friendly Name | Specify deadline for automatic updates and restarts for quality update |
| Element Name | Grace period (days) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
@ -2687,8 +2501,8 @@ Minimum number of days from update installation until restarts occur automatical
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
| Friendly Name | Specify deadlines for automatic updates and restarts |
| Name | ComplianceDeadlineForFU |
| Friendly Name | Specify deadline for automatic updates and restarts for feature update |
| Element Name | Grace Period (days) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
@ -2702,31 +2516,47 @@ Minimum number of days from update installation until restarts occur automatical
<!-- ConfigureDeadlineGracePeriodForFeatureUpdates-End -->
<!-- ConfigureDeadlineNoAutoReboot-Begin -->
### ConfigureDeadlineNoAutoReboot
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Begin -->
### ConfigureDeadlineNoAutoRebootForFeatureUpdates
<!-- ConfigureDeadlineNoAutoReboot-Applicability-Begin -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1903 [10.0.18362] and later |
<!-- ConfigureDeadlineNoAutoReboot-Applicability-End -->
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-End -->
<!-- ConfigureDeadlineNoAutoReboot-OmaUri-Begin -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoReboot
./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates
```
<!-- ConfigureDeadlineNoAutoReboot-OmaUri-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-End -->
<!-- ConfigureDeadlineNoAutoReboot-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
When enabled, devices won't automatically restart outside of active hours until the deadline and grace period have expired, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates or Update/ConfigureDeadlineForFeatureUpdates is configured.
<!-- ConfigureDeadlineNoAutoReboot-Description-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy lets you specify the number of days before feature updates are installed on devices automatically, and a grace period after which required restarts occur automatically.
<!-- ConfigureDeadlineNoAutoReboot-Editable-Begin -->
Set deadlines for feature updates and quality updates to meet your compliance goals. Updates will be downloaded and installed as soon as they're offered and automatic restarts will be attempted outside of active hours. Once the deadline has passed, restarts will occur regardless of active hours, and users won't be able to reschedule. If the deadline is set to 0 days, the update will be installed immediately upon offering, but might not finish within the day due to device availability and network connectivity.
Set a grace period for feature updates to guarantee users a minimum time to manage their restarts once updates are installed. Users will be able to schedule restarts during the grace period and Windows can still automatically restart outside of active hours if users choose not to schedule restarts. The grace period might not take effect if users already have more than the number of days set as grace period to manage their restart, based on deadline configurations.
You can set the device to delay restarting until both the deadline and grace period have expired.
If you disable or don't configure this policy, devices will get updates and will restart according to the default schedule.
This policy will override the following policies:
1. Specify deadline before auto restart for update installation
1. Specify Engaged restart transition and notification schedule for updates.
1. Always automatically restart at the scheduled time
1. Configure Automatic Updates.
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Description-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoReboot-Editable-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Editable-End -->
<!-- ConfigureDeadlineNoAutoReboot-DFProperties-Begin -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
@ -2734,36 +2564,115 @@ When enabled, devices won't automatically restart outside of active hours until
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ConfigureDeadlineNoAutoReboot-DFProperties-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-DFProperties-End -->
<!-- ConfigureDeadlineNoAutoReboot-AllowedValues-Begin -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- ConfigureDeadlineNoAutoReboot-AllowedValues-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-AllowedValues-End -->
<!-- ConfigureDeadlineNoAutoReboot-GpMapping-Begin -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
| Friendly Name | Specify deadlines for automatic updates and restarts |
| Name | ComplianceDeadlineForFU |
| Friendly Name | Specify deadline for automatic updates and restarts for feature update |
| Element Name | Don't auto-restart until end of grace period. |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate |
| ADMX File Name | WindowsUpdate.admx |
<!-- ConfigureDeadlineNoAutoReboot-GpMapping-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-GpMapping-End -->
<!-- ConfigureDeadlineNoAutoReboot-Examples-Begin -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoReboot-Examples-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Examples-End -->
<!-- ConfigureDeadlineNoAutoReboot-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Begin -->
### ConfigureDeadlineNoAutoRebootForQualityUpdates
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForQualityUpdates
```
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy lets you specify the number of days before quality updates are installed on devices automatically, and a grace period after which required restarts occur automatically.
Set deadlines for quality updates to meet your compliance goals. Updates will be downloaded and installed as soon as they're offered and automatic restarts will be attempted outside of active hours. Once the deadline has passed, restarts will occur regardless of active hours, and users won't be able to reschedule. If the deadline is set to 0 days, the update will be installed immediately upon offering, but might not finish within the day due to device availability and network connectivity.
Set a grace period for quality updates to guarantee users a minimum time to manage their restarts once updates are installed. Users will be able to schedule restarts during the grace period and Windows can still automatically restart outside of active hours if users choose not to schedule restarts. The grace period might not take effect if users already have more than the number of days set as grace period to manage their restart, based on deadline configurations.
You can set the device to delay restarting until both the deadline and grace period have expired.
If you disable or don't configure this policy, devices will get updates and will restart according to the default schedule.
This policy will override the following policies:
1. Specify deadline before auto restart for update installation
1. Specify Engaged restart transition and notification schedule for updates.
1. Always automatically restart at the scheduled time
1. Configure Automatic Updates.
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Description-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Editable-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-DFProperties-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-AllowedValues-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ComplianceDeadline |
| Friendly Name | Specify deadline for automatic updates and restarts for quality update |
| Element Name | Don't auto-restart until end of grace period. |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate |
| ADMX File Name | WindowsUpdate.admx |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-GpMapping-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Examples-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-End -->
<!-- ConfigureFeatureUpdateUninstallPeriod-Begin -->
### ConfigureFeatureUpdateUninstallPeriod
@ -3647,6 +3556,68 @@ If you select "Apply only during active hours" in conjunction with Option 1 or 2
## Legacy Policies
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Begin -->
### AlwaysAutoRebootAtScheduledTimeMinutes
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Applicability-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/AlwaysAutoRebootAtScheduledTimeMinutes
```
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-OmaUri-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this policy, a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days.
The restart timer can be configured to start with any value from 15 to 180 minutes. When the timer runs out, the restart will proceed even if the PC has signed-in users.
- If you disable or don't configure this policy, Windows Update won't alter its restart behavior.
If the "No auto-restart with logged-on users for scheduled automatic updates installations" policy is enabled, then this policy has no effect.
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Description-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Editable-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[15-180]` |
| Default Value | 15 |
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-DFProperties-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AlwaysAutoRebootAtScheduledTime |
| Friendly Name | Always automatically restart at the scheduled time |
| Element Name | work (minutes) |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Legacy Policies |
| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU |
| ADMX File Name | WindowsUpdate.admx |
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-GpMapping-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Examples-End -->
<!-- AlwaysAutoRebootAtScheduledTimeMinutes-End -->
<!-- AutoRestartDeadlinePeriodInDays-Begin -->
### AutoRestartDeadlinePeriodInDays
@ -4077,7 +4048,7 @@ Allows IT Admins to specify additional upgrade delays for up to 8 months. Suppor
<!-- Description-Source-ADMX -->
Enable this policy to not allow update deferral policies to cause scans against Windows Update.
If this policy is disabled or not configured, then the Windows Update client may initiate automatic scans against Windows Update while update deferral policies are enabled.
- If this policy is disabled or not configured, then the Windows Update client may initiate automatic scans against Windows Update while update deferral policies are enabled.
> [!NOTE]
> This policy applies only when the intranet Microsoft update service this computer is directed to is configured to support client-side targeting. If the "Specify intranet Microsoft update service location" policy is disabled or not configured, this policy has no effect.


@ -1,7 +1,7 @@
---
title: UserRights Policy CSP
description: Learn more about the UserRights Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 01/18/2024
<!-- UserRights-Begin -->
# Policy CSP - UserRights
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- UserRights-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as Security Identifiers (SID) or strings. For more information, see [Well-known SID structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab).
@ -258,7 +256,7 @@ This user right allows a process to impersonate any user without authentication.
<!-- AdjustMemoryQuotasForProcess-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AdjustMemoryQuotasForProcess-Applicability-End -->
<!-- AdjustMemoryQuotasForProcess-OmaUri-Begin -->
@ -359,7 +357,7 @@ This user right determines which users can log on to the computer.
<!-- AllowLogOnThroughRemoteDesktop-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AllowLogOnThroughRemoteDesktop-Applicability-End -->
<!-- AllowLogOnThroughRemoteDesktop-OmaUri-Begin -->
@ -460,7 +458,7 @@ This user right determines which users can bypass file, directory, registry, and
<!-- BypassTraverseChecking-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- BypassTraverseChecking-Applicability-End -->
<!-- BypassTraverseChecking-OmaUri-Begin -->
@ -567,7 +565,7 @@ This user right determines which users and groups can change the time and date o
<!-- ChangeTimeZone-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ChangeTimeZone-Applicability-End -->
<!-- ChangeTimeZone-OmaUri-Begin -->
@ -1027,7 +1025,7 @@ This security setting determines which service accounts are prevented from regis
<!-- DenyLogOnAsBatchJob-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DenyLogOnAsBatchJob-Applicability-End -->
<!-- DenyLogOnAsBatchJob-OmaUri-Begin -->
@ -1076,7 +1074,7 @@ This security setting determines which accounts are prevented from being able to
<!-- DenyLogOnAsService-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DenyLogOnAsService-Applicability-End -->
<!-- DenyLogOnAsService-OmaUri-Begin -->
@ -1336,7 +1334,7 @@ Assigning this user right to a user allows programs running on behalf of that us
<!-- IncreaseProcessWorkingSet-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- IncreaseProcessWorkingSet-Applicability-End -->
<!-- IncreaseProcessWorkingSet-OmaUri-Begin -->
@ -1543,7 +1541,7 @@ This user right determines which accounts can use a process to keep data in phys
<!-- LogOnAsBatchJob-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- LogOnAsBatchJob-Applicability-End -->
<!-- LogOnAsBatchJob-OmaUri-Begin -->
@ -1592,7 +1590,7 @@ This security setting allows a user to be logged-on by means of a batch-queue fa
<!-- LogOnAsService-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- LogOnAsService-Applicability-End -->
<!-- LogOnAsService-OmaUri-Begin -->
@ -1889,7 +1887,7 @@ This user right determines which users can use performance monitoring tools to m
<!-- ProfileSystemPerformance-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ProfileSystemPerformance-Applicability-End -->
<!-- ProfileSystemPerformance-OmaUri-Begin -->
@ -1987,7 +1985,7 @@ This user right determines which users are allowed to shut down a computer from
<!-- ReplaceProcessLevelToken-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ReplaceProcessLevelToken-Applicability-End -->
<!-- ReplaceProcessLevelToken-OmaUri-Begin -->
@ -2088,7 +2086,7 @@ This user right determines which users can bypass file, directory, registry, and
<!-- ShutDownTheSystem-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- ShutDownTheSystem-Applicability-End -->
<!-- ShutDownTheSystem-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: WebThreatDefense Policy CSP
description: Learn more about the WebThreatDefense Area in Policy CSP.
ms.date: 01/31/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,8 +9,6 @@ ms.date: 01/31/2024
<!-- WebThreatDefense-Begin -->
# Policy CSP - WebThreatDefense
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WebThreatDefense-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
@ -23,7 +21,7 @@ ms.date: 01/31/2024
<!-- AutomaticDataCollection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- AutomaticDataCollection-Applicability-End -->
<!-- AutomaticDataCollection-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP.
ms.date: 08/07/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -21,7 +21,7 @@ ms.date: 08/07/2024
<!-- DisableAIDataAnalysis-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisableAIDataAnalysis-Applicability-End -->
<!-- DisableAIDataAnalysis-OmaUri-Begin -->
@ -31,8 +31,12 @@ ms.date: 08/07/2024
<!-- DisableAIDataAnalysis-OmaUri-End -->
<!-- DisableAIDataAnalysis-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to determine whether end users have the option to allow snapshots to be saved on their PCs. If disabled, end users will have a choice to save snapshots of their screen on their PC and then use Recall to find things they've seen. If the policy is enabled, end users won't be able to save snapshots on their PC. If the policy isn't configured, end users may or may not be able to save snapshots on their PC-depending on other policy configurations.
<!-- Description-Source-ADMX -->
This policy setting allows you to control whether Windows saves snapshots of the screen and analyzes the user's activity on their device.
- If you enable this policy setting, Windows won't be able to save snapshots and users won't be able to search for or browse through their historical device activity using Recall.
- If you disable or don't configure this policy setting, Windows will save snapshots of the screen and users will be able to search for or browse through a timeline of their past activities using Recall.
<!-- DisableAIDataAnalysis-Description-End -->
<!-- DisableAIDataAnalysis-Editable-Begin -->
@ -64,7 +68,12 @@ This policy setting allows you to determine whether end users have the option to
| Name | Value |
|:--|:--|
| Name | DisableAIDataAnalysis |
| Path | WindowsAI > AT > WindowsComponents > WindowsAI |
| Friendly Name | Turn off Saving Snapshots for Windows |
| Location | User Configuration |
| Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | DisableAIDataAnalysis |
| ADMX File Name | WindowsCopilot.admx |
<!-- DisableAIDataAnalysis-GpMapping-End -->
<!-- DisableAIDataAnalysis-Examples-Begin -->
@ -90,7 +99,11 @@ This policy setting allows you to determine whether end users have the option to
<!-- DisableCocreator-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to control whether Cocreator functionality is disabled in the Windows Paint app. If this policy is enabled, Cocreator functionality won't be accessible in the Paint app. If this policy is disabled or not configured, users will be able to access Cocreator functionality.
This policy setting allows you to control whether Cocreator functionality is disabled in the Windows Paint app.
- If this policy is enabled, Cocreator functionality won't be accessible in the Paint app.
- If this policy is disabled or not configured, users will be able to access Cocreator functionality.
<!-- DisableCocreator-Description-End -->
<!-- DisableCocreator-Editable-Begin -->
@ -148,7 +161,11 @@ This policy setting allows you to control whether Cocreator functionality is dis
<!-- DisableImageCreator-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to control whether Image Creator functionality is disabled in the Windows Paint app. If this policy is enabled, Image Creator functionality won't be accessible in the Paint app. If this policy is disabled or not configured, users will be able to access Image Creator functionality.
This policy setting allows you to control whether Image Creator functionality is disabled in the Windows Paint app.
- If this policy is enabled, Image Creator functionality won't be accessible in the Paint app.
- If this policy is disabled or not configured, users will be able to access Image Creator functionality.
<!-- DisableImageCreator-Description-End -->
<!-- DisableImageCreator-Editable-Begin -->
@ -189,6 +206,58 @@ This policy setting allows you to control whether Image Creator functionality is
<!-- DisableImageCreator-End -->
<!-- SetCopilotHardwareKey-Begin -->
## SetCopilotHardwareKey
<!-- SetCopilotHardwareKey-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SetCopilotHardwareKey-Applicability-End -->
<!-- SetCopilotHardwareKey-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/SetCopilotHardwareKey
```
<!-- SetCopilotHardwareKey-OmaUri-End -->
<!-- SetCopilotHardwareKey-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting determines which app opens when the user presses the Copilot key on their keyboard.
- If the policy is enabled, the specified app will open when the user presses the Copilot key. Users can change the key assignment in Settings.
- If the policy isn't configured, Copilot will open if it's available in that country or region.
<!-- SetCopilotHardwareKey-Description-End -->
<!-- SetCopilotHardwareKey-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetCopilotHardwareKey-Editable-End -->
<!-- SetCopilotHardwareKey-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- SetCopilotHardwareKey-DFProperties-End -->
<!-- SetCopilotHardwareKey-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SetCopilotHardwareKey |
| Path | WindowsCopilot > AT > WindowsComponents > WindowsCopilot |
<!-- SetCopilotHardwareKey-GpMapping-End -->
<!-- SetCopilotHardwareKey-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetCopilotHardwareKey-Examples-End -->
<!-- SetCopilotHardwareKey-End -->
<!-- TurnOffWindowsCopilot-Begin -->
## TurnOffWindowsCopilot


@ -1,7 +1,7 @@
---
title: WindowsLogon Policy CSP
description: Learn more about the WindowsLogon Area in Policy CSP.
ms.date: 04/10/2024
ms.date: 09/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -380,11 +380,11 @@ This policy setting allows you to control whether users see the first sign-in an
<!-- EnableMPRNotifications-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls the configuration under which winlogon sends MPR notifications in the system.
This policy controls whether the user's password is included in the content of MPR notifications sent by winlogon in the system.
- If you enable this setting or don't configure it, winlogon sends MPR notifications if a credential manager is configured.
- If you disable this setting or don't configure it, winlogon sends MPR notifications with empty password fields of the user's authentication info.
- If you disable this setting, winlogon doesn't send MPR notifications.
- If you enable this setting, winlogon sends MPR notifications containing the user's password in the authentication info.
<!-- EnableMPRNotifications-Description-End -->
<!-- EnableMPRNotifications-Editable-Begin -->
@ -415,7 +415,7 @@ This policy controls the configuration under which winlogon sends MPR notificati
| Name | Value |
|:--|:--|
| Name | EnableMPRNotifications |
| Friendly Name | Enable MPR notifications for the system |
| Friendly Name | Configure the transmission of the user's password in the content of MPR notifications sent by winlogon. |
| Location | Computer Configuration |
| Path | Windows Components > Windows Logon Options |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
